Eh Mobile Baking_final


  • 8/12/2019 Eh Mobile Baking_final


    WHAT IS WAP?

    Wireless Access Protocol (WAP) is an open international standard for application-layer network communications in a wireless-communication environment. Most use of WAP involves accessing the mobile web from a mobile phone or from a PDA.


    What is the purpose of WAP?

    To enable easy, fast delivery of relevant information and services to mobile users.


    What type of devices will use WAP?

    Handheld digital wireless devices such as mobile phones, pagers, two-way radios, smartphones, and communicators -- from low-end to high-end.


    Banking Risks

    Same inherent risk and issues as Internet Banking, primary risks affected

    ->Strategic

    ->Transaction

    ->Reputation

    ->Compliance


    Strategic Risk

    Determining wireless banking role in delivering products and services

    Defining risk versus reward goals and objectives

    ->Is the reward added revenue, saving lost revenues, and/or increased efficiency?

    ->Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?


    Strategic Risk

    Implementing emerging e-banking strategies

    First Mover (bleeding edge) vs. wait and see (permanently lose market share)

    Ease of implementing outsourced solution to keep up with the competition

    Financial stability of vendors

    Uncertain customer acceptance

    Using standards not designed for secure banking environment needs

    Rapidly changing technology standards

    Expertise


    Transaction Risk

    Security Issues

    Wireless transmission encryption

    Standards retro-fitted once security became an issue

    Designed to protect transmitted data from unauthorized access/use

    Early standards 802.11 and Wireless Access Protocols (i.e., WAP) have known vulnerabilities

    Potential need to upgrade equipment as standards change


    Transaction Risk

    Security Issues

    Access codes stored on device may allow account access if device lost or accessed

    User names and passwords may be entered in clear view on the screen

    Customer acceptance of alphanumeric PINs

    Mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if display is not asterisked out (i.e., ****)


    Transaction Risk

    Security Lessons Reinforced

    Unproven standards can have security weaknesses

    Risk of external attacks increases as services expand to allow greater access to systems

    Companies need to maintain knowledge of attack techniques, known and newly identified

    End-to-end security is key

    Do not rely on wireless transport layer security for banking application security

    Need effective change management processes

    Encourage customers to use good PIN/Password management practices


    Transaction and Reputation Risk

    Outsourcing

    Access to expertise

    Knowledge of wireless communication standards and encryption methods

    Developing and converting existing products and services for wireless transmission and use

    Effect of device characteristics

    Smaller screens

    Button or stylus commands


    Reputation Risk

    Reliability of delivery network

    Customer acceptance of no-service due to telecommunications issues when they are in areas they expect service - Consumer Expectations

    Processing and handling of interrupted transactions

    Integration of wireless applications with existing products and services


    Compliance Issues

    Disclosures

    Wireless banking devices are easier to lose and may increase potential of unauthorized usage

    Types of services offered affects level of risk (e.g., P2P payments increase risk)

    Privacy concerns from location based services


    GLBA Compliance

    Primary Elements of Information Security Program

    Involve Board of Directors

    Assess Risk

    Manage and Control Risk (including testing)

    Oversee Service Providers

    Adjust Program


    Characteristics of Good Risk Management

    Sound definitions of acceptable risk

    Ownership of the risk assessment

    Explicitly accept risks

    Identify key controls

    Create a test plan and follow up of results

    Ongoing Board involvement

    Active Vendor Management

    Sufficient Technical Expertise

    Appropriate Business Continuity Planning


    Industry Initiatives

    Many companies have strong policies in place to maintain their position of trust

    The reputational risk of the company and loss of market share is at stake

    Financial exposure is real


    Best Practices

    Secure architecture

    Vulnerability management

    Intrusion detection

    Information sharing

    Training and awareness

    Regular testing, reporting, improving


    What's Next - We Need to Focus On

    Security

    Authentication and Verification

    Proper Due Diligence and Complete Understanding of the Issues

    Prepare now for what is ahead

    New Entrants into the Marketplace

    International Perspective in the New World


    THANK YOU