One of the most significant trends in international business over the past few years has been the rapid deployment of mobile banking technologies which facilitate cross-channel banking services and add convenience for customers. This article outlines some of the key considerations in designing a secure system for mobile banking.
The mobile ecosystem for this sector includes:
Financial institutions include banks, brokerages, credit unions, trust companies, insurance companies, mortgage loan companies, underwriters and investment funds. Wireless operators include carriers such as Verizon Wireless, AT&T Mobile, Sprint, Nextel and many others.
In the U.S., technology enablers for enterprise-level institutions include FIS Global, Fiserv, and BSQUARE, among others. These companies provide a full range of mobile banking services and also work strategically with SaaS-based mBanking providers such as mFoundry and with manufacturers of card-reader appliances.
A wide range of technical standards characterize this industry. For example, mobile network operators use a variety of technologies including:
Similarly, the information technologies used by the enablers vary, depending on the specific needs of the financial institutions. To date, many of the applications have been built using:
In the rush to take advantage of the rapidly growing market, competition for market dominance has, in some ways, outweighed the considerations of application and network security. This is especially significant in the developing world, where telecom technologies are being rapidly deployed.
In this essay I will propose a framework for analyzing some of the key issues that should be considered in business continuity planning for the emerging mobile banking sector. This will be a technology-, platform- and company-agnostic framework that seeks to surface the key issues that public officials should be aware of in formulating public policy for this sector, and that business planners should use to guide their own business continuity planning.
As part of this analysis I will develop a Model Enterprise Security Architecture (MESA) that accommodates the key proven technologies that have emerged, and align it with a policy approach that ensures consistency with key global banking, accounting, and technology norms and standards. The research framework is presented in Figure 1, below:
For the analysis of vulnerabilities I will classify various types of exploits according to the Open Systems Interconnection (OSI) network layer model and the TCP/IP model. Figure 2 illustrates the basic framework I will use to catalogue exploits.
In parallel with my characterization of exploits I will conduct case studies, using peer-reviewed literature and personal interviews, to gain an understanding of some of the key issues facing security officers in companies today. I will examine the security issues faced both by the telecommunications operators and by the mobile technology enablers to ensure complete coverage.
Within the financial services sector some of the current issues include:
These issues, as well as the vulnerabilities that stem from social networking, will be addressed.
Figure 3 illustrates my framework for this analysis.
Key to the development of the MESA will be a systematic study of the national and international norms and standards that bear on this financial services sector.
Some of the key regulatory agencies within the U.S. include:
Figure 4 illustrates the convergence of some of the other key standards that I will be examining as part of my analysis.
This approach expands beyond the use of the Zachman Framework or the SABSA model as outlined by Shon Harris in the 2010 CISSP Exam Guide (5th ed.). It incorporates not only the business environmental factors, but also the national and international policy frameworks that can impinge upon a company’s national and international operations.
Traditionally the Internet has been an unregulated medium of exchange, with technical standards groups such as the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) emerging from corporate interests in advancing interoperability and standardization. With the growing threats from nation-sponsored cyber attacks, such as those identified by the Office of the National Counterintelligence Executive in its October 2011 report entitled Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, there is likely to be a drive to “regulate” certain features of the Internet. If regulation, whether at the national or the international level, is in our future, it is imperative that frameworks be established that reduce the potential for criminal activity that would impair our civilian and military networks while, at the same time, continuing to allow for entrepreneurial innovation.
These apparently contradictory objectives must be reconciled in the public policy landscape to allow the Internet, and its security ecosystem, to flourish.
That is what the proposed MESA is intended to do.