
Global Mobile Security: Financial Services

One of the most significant trends in international business over the past few years has been the rapid deployment of mobile banking technologies which facilitate cross-channel banking services and add convenience for customers. This article outlines some of the key considerations in designing a secure system for mobile banking.

The mobile ecosystem for this sector includes:

  • Financial institutions;
  • Wireless operators; and
  • Technology enablers.

Financial institutions include banks, brokerages, credit unions, trust companies, insurance companies, mortgage loan companies, underwriters and investment funds. Wireless operators include carriers such as Verizon Wireless, AT&T Mobile, Sprint, Nextel and many others.

In the U.S., technology enablers for enterprise-level institutions include FIS Global, Fiserv, and BSQUARE, among others. These companies provide a full range of mobile banking services and also work strategically with SaaS-based mBanking providers like mFoundry and with manufacturers of card-reader appliances.

A wide range of technical standards characterize this industry. For example, mobile network operators use a variety of technologies including:

  • Code Division Multiple Access (CDMA);
  • Global System for Mobile Communications (GSM) for 2G networks;
  • Universal Mobile Telecommunications System (UMTS) for 3G networks; and
  • WiMAX for 4G networks.

Similarly, the information technologies used by the enablers vary, depending on the specific needs of the financial institutions. To date, many of the applications have been built using:

  • Short Message Service (SMS) and its secure counterpart;
  • Mobile web applications using XHTML and WAP; and
  • Mobile client applications using JavaScript, AJAX and other languages built on a variety of managed platforms and virtual machines including:
    • J2ME;
    • BREW;
    • Flash Lite; and
    • Silverlight.

In the rush to take advantage of the rapidly growing market, the issues of market dominance have, in some ways, outweighed the considerations of application and network security. This is especially significant in the developing world where telecom technologies are being rapidly deployed.

In this essay I will propose a framework for analyzing some of the key issues that should be considered in business continuity planning for the emerging mobile banking sector. This will be a technology-, platform- and company-agnostic framework that seeks to surface the key issues that public officials should be aware of in formulating public policy for this sector, and that business planners should use to guide their own business continuity planning.

As part of this analysis I will develop a Model Enterprise Security Architecture (MESA) that accommodates the key proven technologies that have emerged and align that with a policy approach to ensure consistency with key global banking, accounting, and technology norms and standards. The research framework is presented in Figure 1, below:

Figure 1: Research Framework

For the analysis of vulnerabilities I will classify various types of exploits according to the open systems interchange (OSI) network layer model and the TCP/IP model. Figure 2 illustrates the basic framework I will use to catalogue exploits.

Figure 2: OSI-frame

In parallel with my characterization of exploits I will conduct case studies using peer-reviewed literature and personal interviews to gain an understanding of some of the key issues facing security officers in companies today. I will examine the security issues faced both by the telecommunications operators and by the mobile technology enablers to ensure complete coverage.

Within the financial services sector some of the current issues include:

  • eMail delivery of time sensitive documents;
  • check scanning; and
  • paying bills via eMail.

These issues, as well as the vulnerabilities that stem from social networking, will be addressed.

Figure 3 illustrates my framework for this analysis.


Key to the development of the MESA will be a systematic study of the national and international norms and standards that impinge on this financial services sector.

Some of the key regulatory agencies within the U.S. include:

  • Federal Financial Institutions Examinations Council (FFIEC);
  • U.S. Department of Treasury, Office of Thrift Supervision (OTS); and the
  • National Credit Union Administration (NCUA).


Figure 4 illustrates the convergence of some of the other key standards that I will be examining as part of my analysis.

Figure 4: Standards Frame

This approach expands beyond the use of the Zachman Framework or the SABSA model as outlined by Shon Harris in the 2010 CISSP Exam Guide (5th ed). It incorporates not only the business environmental factors, but also the national and international policy frameworks that can impinge upon a company’s national and international operations.

Traditionally the Internet has been an unregulated medium of exchange, with technical standards groups such as the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) emerging from corporate interests in advancing interoperability and standardization. With the growing threat from nation-sponsored cyber attacks, such as those identified by the Office of the National Counterintelligence Executive in its October 2011 report entitled Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, there is likely to be a drive to “regulate” certain features of the Internet. If regulation, at either the national or the international level, is in our future, it is imperative that frameworks be established that reduce the potential for criminal activity that would impair our civilian and military networks while continuing to allow for entrepreneurial innovation.

These apparently contradictory objectives must be reconciled in the public policy landscape to allow the Internet, and its security ecosystem, to flourish.

That is what the proposed MESA is intended to do.

  • http://SedonaCyberLink.com Jane Ginn

    Here is an addendum to my original article as of January 31, 2012. There is a new product out that provides a private WiFi service from HotSpots. It is called Private WiFi. It provides users with a VPN. See their site here. http://scl.tv/wRJRm6