Risk Management in Mobile Banking

Risk Management in Mobile Banking

Dr. K V D Kiran

Department of Computer Science and Engineering KLUniversity, Guntur, Andhra Pradesh, India

M V R Srivatsava, K Gayathri Devi Department of Computer Science and Engineering KLUniversity, Guntur, Andhra Pradesh, India

Abstract In the current era of competition, the use of computers and allied technologies has become inevitable and it has been well recognized that Information Systems plays different roles in different industries. This paper makes an attempt to explore empirically the difference in the role of Information Systems in the banking sector. The study indicates that the future impact of Information Systems does not vary significantly with the banking groups. Today information security plays a vital role in different fields. Information security compresses of risk management and risk assessment, which plays a vital role in identifying risks, threats and vulnerabilities. Different tools like OCTAVE, MAGERIT, MEHARI, RA2 e.t.c.., which provide risk management and risk assessment for different information systems like banking, medical e.t.c. In this aspect we consider the scenario of mobile banking in banking sector.

Keywordsinformation security, risk management, risk assement, technologies, risk mitigation, mobile banking

1. INTRODUCTION

   The banking industry has never seen such a fundamental change as mobile banking. Globally, millions of consumers are already using a wide array of mobile devices to conduct banking – and millions more are expected to go mobile in the coming future. But with that growth come a whole new set of threats: mobile malware, third-party apps, unsecured Wi-Fi networks, risky consumer behavior. And it does not matter whether an institution uses a proprietary or third-party mobile banking application – the bank owns the risks.

2. KEY SECURITY RISKS

   A major challenge for the adoption of mobile banking technology and services is the perception of insecurity. In the survey conducted by the Federal Reserve, 48% of respondents cited their main reason for not using mobile banking was Im concerned about the security of mobile banking. In the same study, respondents were asked to rate the security of mobile banking for protecting their personal information and 32% rated it as somewhat unsafe and very unsafe, while 34% were not sure of the security. These statistics represent a significant barrier to the use of mobile banking products and services. (Consumer and Mobile Financial Services, 2012)

   When the security risks of the mobile space are analyzed, many of these feelings are not necessarily irrational. The lack of maturity of the mobile banking space brings many risks in the areas of new technologies, new inexperienced entrants in the ecosystem and a complex supply chain with risks in secure integration of the complex ecosystem. Many of these new entrants are innovative and dynamic with minimal experience

   or attention to security as a discipline. These risks are most evident in the mobile application development and mobile hosting areas. New privacy risks are brought to light with personal data collected by the applications and information about the customers physical location. Finally, customers are largely uneducated or have a high risk tolerance and unfortunately may opt into services that put their security and privacy in jeopardy.

   The security risks associated with mobile devices are very similar to any other computing device with a few key exceptions:

   • Mobile devices have a smaller form factor and therefore are more susceptible to loss or theft

   • Mobile devices are more personal and there will be a tendency for users to use devices in a more personal and confidential way

   • Security controls and tools available have not matured to accommodate the constraints of limited processing power and limited battery life

     The key risks to the mobile device include:

   • Malware

   • Malicious applications

   • Privacy violations relative to application collection and distribution of data

   • Wireless carrier infrastructure

   • Payments infrastructure/ecosystem

   • SMS vulnerabilities

   • Hardware and Operating System vulnerabilities

   • Complex supply chain and new entrants into the mobile ecosystem

   • Lack of maturity of Fraud tools and controls

   1. Mobile Device and application vulnerabilities

      Malware is becoming a growing challenge with mobile devices ninety nine percent of the malware growth was in two categories: spyware and SMS Trojans. The integrity of applications is key risk relative to mobile devices. There are various malicious applications posing as legitimate applications that users download and then become infected. The warranties of the device may be nullified when a device is jail broken. Despite these risks, the efforts to overcome the manufacturers impediments to jail break persist. Short Message Service (SMS) is susceptible to misuse including redirection, hijacking and spoofing. The SMS channel can also be compromised by malware as was the case with a malicious application posing as a free well known Android application.

   2. Privacy

      Privacy of user information is a particularly challenging issue as mobile devices are much more personalized and tied to the users identity than a traditional computer. Risks related to legitimate applications passing user data to other applications or 3rd parties in an unauthorized manner is gaining more attention in the public arena.

      user permission to use their location data; unfortunately it is not clear all the ways that application may use the data.

   3. Wireless Carrier

      In addition to the internet, mobile devices have another key network involved in the processing of mobile communications. The wireless carrier is the primary interface to the mobile device. The radio component of the mobile device communicates to the cell sites. The cell sites then communicate through dedicated circuit or microwave to the mobile switching center (data center) which contains both the voice processing and data processing equipment and systems. The switching center contains the gateway to the Internet and other carrier networks. If there is a security weakness in any part of this network, it can put the customers data at risk.

   4. Payments Technology

   The payments infrastructure can also have vulnerabilities that lead to security risk. The keys stored on the secure element can be vulnerable to exposure if the keys are not protected properly from unauthorized access and use. Mobile payment applications employ a pin or password that is required to unlock the data in the secure element.

3. RISK MITIGATION

   RISKS	MITIGATION
   Mobile more susceptible for loss or theft
   Users are more likely to store personal and sensitive information on mobile device
   Malware
   Malicious
   Applications

   • Customer Education

   • Implementation of remote wipe,passcode and automatic lockout

   • Customer Education

   • Device encryption

   • Ensure applications dont store customer sensitive data locally

   • Mobile malware protection

   • Dont jailbreak your device

4. Customer Education

• Use only reputed sites to download apps

• Ensure that apps are tested for security

Privacy Violations	applications and data handling
Wireless carrier infrastructure
Payment system infrastructure
SMS vulnerabilities	risk transactions
Hardware and OS vulnerabilities
Complex supply chain and new entrants in the mobile ecosystem
Lack of maturity in fraud tools and controls

• Customer Education

• Security testing of

• Vet the security of the carrier infrastructure and services through targeted questions

• Ensure the point of sale device vulnerabilities are addressed

• Utilize EMV where possible

• SMS should not be used as channel for money movement and other high

• Ensure that software updates are being pushed to devices

• Implement a third party vendor security program

• Current online tools and controls are extended to the mobile challenge

• Secure provisioning/de- provisioning

5. CONCLUSION