International minimum security guidelines
for mobile device banking applications




               Produced by the ATM Industry Association

                                 Contributors

GEOBRIDGE CONSULTING
                        Executive Summary
1. Mobile phone banking is in a high-growth phase with at least 90
   companies emerging in recent years offering banking and payment
   applications for mobile phones.
2. It is estimated that as much as half of the world’s population may
   now own a mobile phone. This is roughly twice the number of
   credit card holders. About 80% of the US population is thought to
   own a mobile phone.
3. The World Bank estimates that more than two-thirds of the world's
   population live within range of a mobile phone network.
4. It is expected that around 2.3 trillion SMSs will be sent in 2008.
5. The mobile phone product market is very complex with some 1,500
   different kinds of handsets available around the world, with over
   450 different configurations, from different screen sizes to a variety
   of operating systems (Symbian, Windows Mobile, Linux, Palm) and
   functionalities.
6. Mobile phones tend to be replaced every 18 months, compared to
   PCs being replaced on average every 42 months.
7. The following are examples of mobile phone banking applications:
   −   Balance enquiry/update
   −   Paying bills
   −   Purchase transaction (Point of Sale)
   −   Assisting cash withdrawals at an ATM
   −   Making changes to PINs over the mobile phone
8. Today, there is a significant and real threat to all financial services
   delivery channels, including mobile phones, from organized
   criminal activity and insider fraud. There is also a marked increase
   in identity fraud, fraud in financial transactions and theft of
   customer data.
9. The rate of loss of mobile phones averages one every minute in the
   world.
10. Security best practices recommend measures to protect the
    business lifecycle of the mobile phone as a new self-service banking
    device while striving to balance security and convenience. It is
    imperative to protect the whole mobile channel.
11. The essence of security is maintaining the trust of customers
    through continued safe usage to create a Trusted Environment for
    use.
12. The mobile phone has been very successfully used as an
    authentication tool for online banking, through a confirming SMS
    sent by the bank to the customer during online transactions.
13. On-going risk assessments and hardening the chosen targets of
    criminal action remain universal principles of security, as does
    collaboration of the industry and law enforcement in crime
    reduction exercises.
14. The terms of reference for drafting these best practices were to
    cover the following topics:
   −   Enrollment, registration, and customer access to banking on
       mobile devices
   −   Security and privacy of customer details/data
   −   Customer education on the mobile phone as an instrument of
       value
   −   Dealing with lost or stolen mobile phones/devices
   −   Security of software and transmission to financial services
       device (e.g. ATM)
   −   Defining security lifecycle for mobile phone banking
   −   Linking in to card fraud prevention for chipped SIM cards
   −   Defining strengths and vulnerabilities of each mobile phone
       channel/protocol
15. There are four channels on the mobile phone:
   −   Voice
   −   Text Messaging (SMS)
   −   USSD Messaging
   −   IP Data Services
   It is important from the outset to use the right channels for the
   right kind of financial transaction. For example, text should only
   be used for payment purposes if there is encryption.
16. The security lifecycle of the mobile phone as a banking device
    includes the following phases: end-user security, the physical
    security of the phone, the security of the account, the security of
    the phone’s software and its SIM card, security of customer
    authentication, transaction security and the security of wireless
    connectivity to the banking network systems.
17. Customer education on mobile phone banking should focus on two
    levels:
   −   Level of customer understanding
   −   Level of customer confidence, including perception of device
       security.
18. Customers can take three basic steps to increase mobile phone
    security:
   −   The owner of the SIM can prevent unauthorized usage of the
       SIM, by using a PIN to manage access to it when the device is
       switched on
   −   Key-pad lock – most devices can be set up to automatically lock
       the keypad after a predefined time so that the user will need to
       enter a PIN to unlock the keypad
   −   PIN management: (a) customers should be taught never to
       store confidential information (i.e. PIN) on the device and never
       to divulge their PIN to anyone and (b) customers should be
       taught to change their PIN regularly
19. When customers register for mobile phone banking or open an
    account for this purpose, everything needed for further registration
    and authentication should be captured. In addition, the customer
    should be educated there and then about the solution and its
    security.
20. It is essential to take privacy laws into account when using
    location based services (LBS) on the mobile phone. Customers
    must consent during registration processes to permit the bank or
    card issuer to use the customer’s location information as a security
    feature (for example, red-flagging a transaction initiated in a
    place the customer could not plausibly have reached, given his/her
    location during recent previous transactions).
21. The transactional options and functionality provided to the mobile
    phone banking customer should be matched with the appropriate
    level of secure authentication in a “tiered” approach.
22. Unique information about the customer’s handset (IMEI) and SIM
    card (IMSI) may be used as a second-factor authentication
    mechanism. This provides confidence that the customer is using
    his/her own device/SIM (something they have) together with their
    PIN (something they know).
23. The ideal is for the banking application to be deployed on the
    mobile phone as a browser-based, secure, HTTPS-enabled
    application or an encrypted channel application (PPTP – Point to
    Point Tunneling Protocol, equivalent or higher).
24. Voice biometrics offers the potential for secure, non-threatening
    authentication of mobile phone banking and payment transactions.
25. Most regulatory guidance requires financial institutions to manage
    their service providers in accordance with these regulations. Both
    financial institutions and the providers of mobile phone banking
    services must comply with the regulations.
26. There are currently no defining international regulatory standards
    for mobile banking, but a range of guideline documents have been
    issued by various international associations or groups.
27. Compliance with these types of regulations as well as adopting best
    practices for protecting non-public personal information should be
    integrated into daily operations. In addition to policy and
    procedures, an organization needs to develop compliance
    monitoring and oversight processes including the ability to report
    compliance for each of the requirements.
28. Banks offering mobile banking generally view delivery of banking
    services over a mobile phone as an alternate delivery channel for
    existing banking customers. This model is used within the existing
    regulatory framework covering banking transactions. However, if a
    bank offers mobile banking using an agent network and not just
    utilizing the existing bank branch infrastructure, different
    regulations will apply.
29. Know your customer (KYC) requirements form an essential part of
    a properly regulated mobile banking environment. Governments
    have placed increasing attention on anti-money laundering and
    combating the financing of terrorism (AML/CFT) initiatives.
30. In the case of non-banks offering mobile banking, customers do not
    deal with a bank or have a bank account; instead, customers deal
    with either mobile network operators or prepaid card issuers.
    Generally, regulations to govern non-banks have not yet been
    created, especially in developing countries where no set regulations
    for e-money and stored value instruments have been created.
31. Mobile Banking overlaps with several regulatory domains; these
    include banking, telecommunications, payment systems and
    anti-money laundering agencies. Banking regulations cover multiple
    categories of risk that the regulators seek to mitigate; these
    categories include credit risk, operational risk, legal risk, liquidity
    risk and reputational risk.
32. The first step in adopting regulations and best practices is to
    perform an organization risk assessment for each requirement
    focused on the processes surrounding the mobile phone activity.
33. Once a risk assessment is completed, any gaps related to high-risk
    items need to be closed first. Then gaps for lesser-risk items need
    to be closed until each one is adequately addressed, based on the
    business risk appetite. Specifically, companies need to focus their
    efforts in a number of areas, including:
   −   Assessment—Measure the current risk. Procedures must be
       implemented to assess and monitor the applicable regulation
       and guidance.
   −   Strengthen Governance—Create policies. Information
       Technology must confer with business management to
       understand what regulations apply to particular mobile phone
       banking processes and data.
   −   Strengthen Controls—Develop procedures. At a minimum,
       procedures should include a breach incident response program,
       protection of non-public personal information at all times, and
       security of the information technology network.
   −   Enforcement—Assign ownership/accountability for
       compliance programs. Having policies and procedures in place
       is effective only if they are followed. Ownership and
       accountability for the various compliance programs (policy and
       procedures) should be clearly defined and in a position of
       authority to implement/enforce the rules throughout the
       organization.
   −   Continuous Monitoring—Continuously monitor and assess
       risk. Ensure the proper management oversight structure is
       established, with ongoing reporting of the program's
       effectiveness against the identified risk. In some cases, the
       risk/reward identified may require re-evaluation of various
       business activities, and the effectiveness of this program allows
       for modification of such activities while minimizing unnecessary
       disruption of business.
34. Finally, it is recommended that these best practices be read in
    conjunction with ANSI X9.49, which sets out security standards for
    portable financial services devices.


Please note that this Executive Summary cannot replace reading the whole
manual. The summary is merely a guide as to the content and main
principles of mobile device banking best practices.

				
DOCUMENT INFO
Description: Mobile Phone Product Data Management document sample