Friday, 16 November 2012

Is mobile banking the most secure way of banking yet?

In the world of security there is often a tendency to accentuate the negative. This can often be justified: malware can lead to data or identity theft and financial fraud, and a DDoS attack can create havoc by denying access to a web site or service.

However, security can also be a positive factor – an enabler. For financial services, each time we use our debit or credit cards in an ATM or POS terminal in a retail store or use them on an eCommerce website we have a fair level of assurance that all parties are protected from fraud - where would eCommerce and financial transaction integrity be without cryptography?

Security technology coupled with sound risk management has been at the heart of the financial services industry for many years. This combination of security technology and risk management must be applied to new methods of providing financial services to bank customers including one of the hottest channels for providing financial services – Mobile.

Mobile devices, from feature to smart phones and from tablets to phablets, have become a vital endpoint for accessing banking services. The mobile banking channel is viewed as one of the most important channels for delivering financial services to bank customers. These are the same bank customers that are rapidly adopting these ‘smart mobile devices’ and are using them as their primary digital device – the first screen for consuming work/leisure digital content.

With the rush to mobile by financial institutions for banking and payment services, serious questions have been asked about whether mobile is secure enough. There is no denying that smart mobile devices are increasingly being attacked for financial fraud and identity theft. A combination of platform vulnerabilities and an increased desire from hackers and fraudsters to attack has led to a situation where mobile devices are under threat. Mobile malware is on the rise, especially affecting Android, and banking services, including some mobile-based Two-Factor Authentication (2FA) services that rely on SMS-delivered codes, are under targeted attack.

Much has been commented on mobile vulnerabilities and whether security vendors are creating scare stories to make mobile users install their products, but my experience tells me that much of this is not FUD but FACT. As money moves onto mobile devices, it is inevitable that the criminals will follow.

This has to be one of my favourite quotes (although the quote may in fact be an urban legend) and I apologise for repeating it again here, but it is such an important message and provides context for this blog. One of the US's most prolific bank robbers from the 1920s to the 1950s was a man named Willie Sutton (AKA "Slick Willie"). In his 40-year 'career' he robbed over one hundred banks and stole an estimated $2 million (a big number in old money). When asked why he robbed banks he replied "because that's where the money is". Why is this important to today's ever mobile world? Well, I think it is pretty obvious. Soon there will be more mobile phones than people on this planet and every one of these devices has the capability of banking (including full transactional banking). From the streets of Nairobi, Kenya, to the avenues of New York, USA, people are accessing their bank accounts and transferring money using mobile devices – be it an old Ericsson 'brick' or the latest Apple iPhone; using SMS or a mobile App. It's where the money is…

So, is mobile banking a secure method for banking and is it the most secure yet? I believe that mobile banking has the ‘potential’ to be more secure than traditional online banking and comparable with other banking channels. Whether current deployments of mobile banking are secure enough at the moment is another question. The key word is ‘potential’. Mobile phones and smart mobile devices have the capability to offer very good levels of security for banking purposes. Whether it is leveraging the hardware security capabilities and trusted environment that the Secure Element (SE) offers or adopting strong mobile-based Multi-Factor Verification (MFV), mobile devices can play an important part in ensuring trust between the bank customer and their bank.

In a recently published report from Goode Intelligence written by Ron Condon, Senior Analyst, “Mobile Banking Security Insight Report”, we investigate the risks to mobile banking, how banks are securing the mobile banking and analyse the state of security for this channel.

We have interviewed some of the leading lights in the world of banking security and have asked them to recommend ways in which mobile banking can be a trusted channel for financial institutions – actionable steps that banks can adopt to ensure that their customers are secure when banking on their mobile devices.

I can share some of this advice here. When designing and deploying mobile banking solutions financial institutions should, at a minimum:
  1. Use the power of the mobile phone to create an encrypted communication channel between user and bank
  2. Use the phone's "fingerprint" as one factor in authenticating the user, with the user's PIN as another (a fingerprint that is a key held on the device is far harder to copy than a static identifier)
  3. Consider using the other facilities on the phone for stronger authentication (biometrics, geolocation)
  4. Monitor app stores for any rogue apps that purport to represent your company – and kill them quickly
  5. Introduce a plan for updating mobile banking apps
  6. Ensure that mobile banking apps are security tested
  7. Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others
  8. Educate users about system hygiene when upgrading their handset, and disposing of an old one
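To make points 1 and 2 of that list concrete, here is an added example of how a bank's back end might verify a login that combines a device-bound factor with the user's PIN. It is illustrative code written for this post, not code from Goode Intelligence, from the report's interviewees or from any bank. It assumes a symmetric HMAC key as the device "fingerprint" (a stand-in for an asymmetric key that a real deployment would generate inside the Secure Element, so that only the public half ever leaves the phone), in-memory storage, and that the transport between app and bank is already TLS. The class and function names are invented for the example.

```python
"""Two-factor mobile login check: a device-bound key plus a user PIN.

Added example for this post, not a bank's or Goode Intelligence's code.
Assumptions: the device key is a symmetric HMAC key standing in for an
asymmetric key generated in the Secure Element; storage is in memory;
server nonces are single-use and expire after NONCE_LIFETIME_S seconds.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # slow down offline guessing of a short PIN
MAX_FAILED_ATTEMPTS = 5       # lock the account after this many failures
NONCE_LIFETIME_S = 60         # a challenge is only valid for one minute


class BankAuthServer:
    """Minimal server-side state for enrolment and login (hypothetical)."""

    def __init__(self):
        self._devices = {}   # device_id -> {"key": bytes, "user": str}
        self._users = {}     # user -> {"salt", "pin_hash", "failed", "locked"}
        self._nonces = {}    # nonce -> (device_id, issued_at)

    def enrol_user(self, user, pin):
        """Store a salted, stretched hash of the PIN, never the PIN itself."""
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt,
                                            PBKDF2_ITERATIONS),
            "failed": 0,
            "locked": False,
        }

    def register_device(self, user, device_id):
        """Bind a fresh key to the user's handset and return it to the app.
        In a real deployment the key pair is generated on the device and
        only the public key is sent here; the HMAC key is a simplification."""
        key = secrets.token_bytes(32)
        self._devices[device_id] = {"key": key, "user": user}
        return key

    def issue_nonce(self, device_id):
        """Challenge the device to prove possession of its bound key."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = (device_id, time.time())
        return nonce

    def login(self, device_id, nonce, proof, pin, now=None):
        """Return 'ok', 'denied', 'locked', 'bad_nonce' or 'unknown_device'."""
        now = time.time() if now is None else now
        device = self._devices.get(device_id)
        if device is None:
            return "unknown_device"
        user = self._users[device["user"]]
        if user["locked"]:
            return "locked"
        # Pop the nonce first so that even a failed attempt consumes it.
        issued = self._nonces.pop(nonce, None)
        if (issued is None or issued[0] != device_id
                or now - issued[1] > NONCE_LIFETIME_S):
            return "bad_nonce"
        # Evaluate BOTH factors before answering, so the response does not
        # reveal which one failed.
        expected = hmac.new(device["key"], nonce.encode(), hashlib.sha256).digest()
        device_ok = hmac.compare_digest(expected, proof)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), user["salt"],
                                       PBKDF2_ITERATIONS)
        pin_ok = hmac.compare_digest(pin_hash, user["pin_hash"])
        if device_ok and pin_ok:
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "denied"


def device_prove(key, nonce):
    """What the mobile app computes over the bank's nonce with its bound key."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    server = BankAuthServer()
    server.enrol_user("alice", "4821")           # constructed sample user
    key = server.register_device("alice", "handset-1")
    challenge = server.issue_nonce("handset-1")
    print(server.login("handset-1", challenge, device_prove(key, challenge), "4821"))
```

Three design points are worth noting: the nonce is consumed before any check so a captured proof cannot be replayed; both factors are always evaluated so an attacker with a stolen PIN cannot tell whether the device factor or the PIN was rejected; and the PIN is stretched with PBKDF2 because a four-digit PIN on its own is trivially brute-forced offline.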

I hope this blog has been useful for you. Please feel free to contact me to find out more about mobile banking security and our research. You can follow us on twitter @goodeintel.

Friday, 9 November 2012

A Smart Mobile Identity for our smart mobile lifestyle

I must admit that I didn't come up with the term Smart Mobile Identity. For that I have to thank Joey Pritikin at AOptix who I was lucky enough to meet at the recent Biometrics exhibition and conference in London during the last week of October 2012. I first came across the term in a presentation that Joey gave at last year's Biometrics conference where he discussed how standard smart phones can be leveraged for biometric purposes, including user authentication and identity verification [Presentation: Smart Mobile Identity – Beyond Single Purpose Handheld Biometric Devices].

In my opinion, the term Smart Mobile Identity really sums up the next generation of mobile-based authentication and identity verification solutions – something that I have been involved in for the best part of ten years through various roles including my current one as Managing Director of Goode Intelligence.

To me, Smart Mobile Identity is about leveraging the capabilities of a modern smart mobile device (SMD) to ensure that our identities are proven or verified when identity proof (authentication if you like) is required. Not only for proving identity when accessing digital services through a desktop computer but also for mobile initiated access and even when we present ourselves in the physical world; at a country border or when accessing health or social security services. I also include proving our identity when accessing digital services using other connected devices, such as gaming consoles, automobiles, smart TVs etc; adaptive and agile authentication and identity verification to support the Internet of things. As someone who owns an Xbox 360 Kinect device, the idea of using a voiceprint or a facial scan to access Xbox LIVE is a realistic possibility.

For mobile device-based authentication and identity verification solutions, the simplest scenario is being sent a one-time password (OTP) via SMS when authenticating ourselves to a network-based service, e.g. the SMS option in Google's 2-step verification (Google's Authenticator app goes a step further and generates the OTP on the phone itself, so nothing has to be sent over the air). However, this is changing rapidly and we are in the midst of an evolution in mobile-based authentication and identity verification solutions; moving away from porting existing, non-mobile-centric, services to the mobile to designing solutions specifically for mobile. Using the microphone for voice biometrics, a GPS sensor for geolocation, a combination of the accelerometer and touchscreen for continuous behavioural assessment, securely storing digital certificates in the SIM or Secure Element (SE) and the camera for facial and eye vein biometrics (take a look at start-up EyeVerify for this). All these examples work with standard SMDs now; no need for any specialist equipment.

In addition to these examples, new opportunities are being presented with the next generation of SMDs that contain new types of embedded sensors, including NFC, embedded fingerprint and voice recognition sensors. You can also adapt existing SMDs with add-on sleeves that enable fingerprint recognition (Precise Biometrics Tactivo sleeve) and can support smart cards and NFC. The need for single-purpose devices to capture and verify biometrics in the field may become obsolete as a result of these developments.

Smart mobile devices offer so many opportunities for authentication and identity verification that this blog can only scratch the surface of what can and will be offered – some of the solutions even encroach into the realms of science fiction. I was fascinated to come across the iTravel patent from Apple detailing what the Cupertino tech giant believes to be the possibility of using a mobile wallet for travel purposes: managing the end-to-end travel process from reservation, to ticket receipt/validation, check-in and baggage claim through to identification at border control. I think all but the last scenario are achievable now, but I believe that we are far off from using our mobile devices as virtual passports.

That said, perhaps we are seeing pieces of the jigsaw that tell us how Apple will integrate the recently acquired fingerprint sensor technology from AuthenTec – an agile, and very personal, way to protect our wallets or in Apple’s case our Passbook. Swiping a finger to lock and unlock our digital wallets.

Every discussion that I have with technology companies involved in this space, and this includes many of the major authentication and biometric vendors, involves how best to utilise the smart mobile device for authentication and identity verification purposes. My recent attendance at the RSA Europe conference and Biometrics Conference, both held in London, was largely occupied with meetings with clients and tech vendors that were investing serious R&D resources into this area of technology.

A number of forward looking organisations and technology vendors are already leveraging the capabilities of the smart mobile device for authentication and identity verification purposes. Through my work at Goode Intelligence I have been exploring the capabilities of mobile devices for authentication and identity verification and this includes the recent publication of two free-to-download white papers; Two-Factor Authentication Goes Mobile and The Case for Mobile MFV.

Goode Intelligence will continue to track this market and you can expect some new publications covering smart mobile identity in the coming months.

Please get in touch if you want to discuss this further or are a technology innovator working in this exciting field.