


                        Mobile Phone Banking Security Committee

                                 Notes of Teleconference 4

                                        7 May 2008


Giff Gfroerer, I2MS

Gary Samoluk, Voice Certain

Ruby Steppe, ATM Services/Cash Plus ATMs

Charles Street, Standard Bank

Mike Lee, ATMIA

Scott Housely, Monitise

Susan Kohl, ThoughtKey

Wes Dunn, Tranax

Laurie Douglas, Stonesoft

Peter Cranstone, 5o9

Julie Shaw, Pulse EFT

Andrew Morris, Morris Advisors

Vahid Sedghi, Cell Trust


Mike Cowart, RBS-Lynk

Steven Atkinson, Monitise

Sharon Lane, ATMIA

Terry Dooley, Shazam Network

Lana Harmelink, ATMIA

   1. Welcome and introduction

   Mike welcomed all participants to the 4th teleconference for this committee. The notes of
   the 3rd teleconference of 9th April 2008 were accepted without changes.
   He reminded committee members they were welcome to send their logos and weblinks
   for the Mobile Phone security portal on These could be sent to

   The log in for committee members is:

   Go to

   On the top right hand corner below the MiG member log on, you will see the Mobile
   Phone Security link. Click on it.

    username is: Mobilesecurity

   password is: phonesec

   2. Security Best Practices for Mobile Phone Banking & Payment Applications –
      Panel Discussion at Payments Fraud conference with EFTA in Houston 8-11
      September 2008

Peter Cranstone of 5o9 agreed to lead the panel discussion on mobile phone security at the
above conference. Mike said the best practices would be finished well before the conference
begins, so as to be a reference text for the discussions. He thanked Peter for agreeing to speak on
this topic, which was still in its infancy.

Mike invited committee members who wanted to be on the panel to contact him or Lana at

   3. Group Discussion, Introduced by Charles Street, Standard Bank

       How can the mobile device be used as a security/authentication tool, to complement
       other channels?

Charles shared some case studies of how mobile phones were being used as authentication
devices adding an additional layer of security to other banking channels such as internet
banking, ATM banking and online shopping.

Andrew pointed out that there were 4 channels on the mobile phone:
    Voice
    Text
    Browser
    Downloadable apps

Peter agreed with him that voice biometrics had great potential for secure non-threatening
authentication of mobile phone banking and payment transactions. The committee was
invited to check out the websites of Voice Certain - and Trade
Harbor -

Peter commented that the key question for mobile banking security was: how do we know it
is me at the other end initiating the transaction? Mechanisms and protocols had to confirm
and identify that the person using the mobile phone was the actual owner and not a fraudster
impersonating the legitimate owner. Three-factor authentication would do that.

Peter further pointed out that customers wanted:
     Convenience (frictionless transactions)
     Privacy
     Control (ability to retain choice)
from their mobile device.

Security boils down to trust of the customer in the device.

After much discussion, the committee agreed that:
     The industry is asking how mobile phone banking security can be improved now
       during a transition period of moving towards future higher levels of security provided
       by biometrics.
     It was still to be determined when the mobile phone industry would be ready to
       receive voice biometrics on a mass scale.
     Privacy laws were essential to take into account when using location-based services
       (LBS) on the mobile phone – customers must consent during registration processes
       to permit the bank or card issuer to use the customer’s location information as a
       security feature (for example, in red-flagging a transaction initiated in a place
       where the customer could not possibly be, given his/her position during
       recent previous transactions).
     Whether or not the LBS feature can be switched off and on in an application needs
       to be taken into account.
     As the level of risk in a transaction goes up (such as in withdrawing large amounts),
       the level of security should rise to be commensurate with the risk.
     Susan suggested the manual should draw up an Options Table which clearly sets out
       the limits, challenges, risks and benefits of the different security options for mobile
       phone banking applications, so that the advice we give is honest and holistic.
     The best practices need to address all the relevant audiences in the mobile phone

   4. Progress on writing of draft chapters of Best Practices

   The deadline for receiving the 1st draft of each chapter was the end of June so that the
   manual can be published and launched by the time of the Payments Fraud conference in
   Houston on 9-11 September. Mike said he was pleased to get feedback from the authors
   of each chapter that the draft chapters would be ready in time.

   However, he was worried about Chapter 9 - Security of Software and Chipped SIM cards
   in Mobile Phones, which was still without an author. He appealed to committee members
   to help him find an author. Scott said he would investigate within Monitise for a possible
   author or a lead as to someone who would be suitable to cover that topic. Scott also said
   he would check with Steven that he will cover the PCI implications for mobile phones in
   chapter 5.

   Julie Shaw kindly volunteered to look technically at the first draft in addition to the editing
   provided by Cyndi Spencer.

   Susan asked if the remit of the best practice manual could be extended to include
   portable point of sale (POS) devices. Peter agreed with this proposal to broaden our
   scope. Mike suggested we stick to our focus and look into other portable devices after
   the manual is complete. He said he would check the committee consensus via email.

       Chapter One            Objectives, Scope and Terms of Reference – MIKE LEE
       Chapter Two            The Evolution of the Mobile Phone – CHARLES STREET,
                              STEVEN ATKINSON & GIFF GFROERER

       Chapter Three          Defining the Security Lifecycle for Mobile Phone Banking -
                              MIKE LEE

       Chapter Four           Customer Education Tips for the Mobile Phone - CHARLES

       Chapter Five           Security of Transmission from Mobile Phone to Financial
                              Services Device (e.g. ATM) - STEVEN ATKINSON

       Chapter Six            Enrolment, Registration and Customer Access to Mobile
                              Phone Banking, Including Best Practices for Authentication -

       Chapter Seven          Security of Authorization of Mobile Phone Banking
                              Transactions – Ruby Steppe – ATM Services & Vahid
                              Sedghi, Cell Trust

       Chapter Eight          Protecting the Privacy of Customer Data, Including Dealing
                              with Lost or Stolen Mobile Phones – KRISHNAN

       Chapter Nine           Security of Software and Chipped SIM cards in Mobile Phones
       Chapter Ten            Regulatory Environment for Mobile Phone Banking – SUSAN
                              KOHL (with Susan Orr)

       Chapter Eleven         References and Research Sources and Tools - MIKE LEE

   5. Next teleconference: Thursday 12th June 2008 at 10 am EST

Respectfully submitted,

Mike Lee, CEO, ATMIA

