Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Transcription

1 Mobile Banking Secure Banking on the Go Matt Hillary, Director of Information Security, MX

2

3 Mobile Banking Channels SMS / Texting

4 Mobile Banking Channels Mobile Web Browser

5 Mobile Banking Channels Mobile Applications

6 Mobile Banking Channels 1. SMS / Texting 2. Mobile Web Browser 3. Mobile Applications 19 of the 54 largest banks use all 3 channels 17 of the 54 largest banks use 2 of the 3 channels *See First Annapolis Consulting, supra note 1, at 17.

7 Mobile Banking Functionality Check balances Transfer funds Deposit checks Pay bills Setup automatic or recurring transfers Personal finance management Spending trends and analysis Mobile pay

8 I have a bad feeling about this

9 Mobile Banking General Threats Mobile phone OS, browser, application vulnerabilities and malware Social engineering Hackers foreign and domestic Phishing Personal information and data leakage and theft Denial of service attacks

10 Mobile Banking Risks Texting / SMS Risks: Messages are NOT encypted in transit Social engineering can be used to capture bank info and credentials Phone number spoofing Suggestions: Use more secure method apps or browser Beware of misc texts asking for information See if your bank allows you to receive alerts

11 Mobile Banking Risks Mobile Web Browser Risks: Hard to see / pick out the HTTPS vs HTTP in the browser bar Out of date mobile browser Secure web coding Suggestions: Double check for the Keep your phones and phone browsers up-to-date Have secure web coding processes (protect against SQL injection, XSS, etc)

12 Mobile Banking Risks Mobile Application Risks: Insecure mobile application development practices Pressure to release the application quickly w/o any security considerations Vulnerable mobile development platform Suggestions: Use secure coding practices and allow time to code securely Run application code scans on your code to detect common security mistakes

13 Mobile Banking Other Security Considerations Secure and Strong Authentication Multifactor Authentication Something you know (password, PIN) Something you are (biometrics, fingerprint) Something you have (one-time password, cryptographic device)

14 Mobile Banking Other Security Considerations Secure communications Over TLS-secured channels Cert-based authentication between mobile / server endpoints

15 Mobile Banking Securing Phone-to-Bank Transmissions Bank Deposit Server Internet Bank Transaction Server Bank PFM Servier

16 Mobile Banking Securing Phone-to-Bank Transmissions Bank Aggregation Server Internet Bank Transaction Server Bank PFM Servier

17 Mobile Banking Other Security Considerations Malware and Viruses Only download mobile applications that are trusted Update mobile applications and mobile browsers

18 Mobile Banking Vendor Risk Management Assess vendors periodically against the following security domains (ISC 2 ): Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity) Asset Security (Protecting Security of Assets) Security Engineering (Engineering and Management of Security) Communication and Network Security (Designing and Protecting Network Security) Identity and Access Management (Controlling Access and Managing Identity) Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing) Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery) Software Development Security (Understanding, Applying, and Enforcing Software Security)

19 Mobile Banking Compliance Risks Many of the existing regulations that apply to traditional web-based banking interactions apply to the mobile device applications. Gramm Leach Bliley Act Privacy Rule + Safeguards Rule in a mobile environment

20 Mobile Banking Applicable Compliance / Regulations FFIEC IT Examination Handbooks on Development and Acquisition, Outsourcing Technology Service Providers, E-Banking, and Information Security Interagency Information Security Standards Interagency Regulations and Guidelines on Identity Theft Red Flags FFIEC Guidance on Risk Management of Remote Deposit Capture Guidance on Electronic Financial Services and Consumer Compliance Guidance for Managing Third-Party Risk FFIEC IT Examination Handbook on Management