international standard for application-layer network communications in a wireless-communication environment. Most use of WAP involves accessing the mobile web from a mobile phone or from a PDA.

WHAT IS WAP?
What is the purpose of WAP? To enable easy, fast delivery of relevant information and services to mobile users.
What type of devices will use WAP? Handheld digital wireless devices such as mobile phones, pagers, two-way radios, smartphones, and communicators -- from low-end to high-end.

Banking Risks
Same inherent risks and issues as Internet banking; the primary risks affected are:
->Strategic
->Transaction
->Reputation
->Compliance

Strategic Risk
Determining the role of wireless banking in delivering products and services
Defining risk versus reward goals and objectives
->Is the reward added revenue, saving lost revenues, and/or increased efficiency?
->Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?

Strategic Risk
Implementing emerging e-banking strategies
->First mover (bleeding edge) vs. wait and see (permanently lose market share)
->Ease of implementing an outsourced solution to keep up with the competition
->Financial stability of vendors
->Uncertain customer acceptance
->Using standards not designed for the needs of a secure banking environment
->Rapidly changing technology standards
->Expertise

Transaction Risk: Security Issues
Wireless transmission encryption
->Standards retro-fitted once security became an issue
->Designed to protect transmitted data from unauthorized access/use
->Early standards 802.11 and Wireless Access Protocols (i.e., WAP) have known vulnerabilities
->Potential need to upgrade equipment as standards change

Transaction Risk: Security Issues
->Access codes stored on the device may allow account access if the device is lost or accessed
->User names and passwords may be entered in clear view on the screen
->Customer acceptance of alphanumeric PINs: mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if the display is not asterisked out (i.e., ****)

Transaction Risk: Security Lessons Reinforced
->Unproven standards can have security weaknesses
->Risk of external attacks increases as services expand to allow greater access to systems
->Companies need to maintain knowledge of attack techniques, known and newly identified
->End-to-end security is key: do not rely on wireless transport layer security for banking application security
->Need effective change management processes
->Encourage customers to use good PIN/password management practices

Transaction and Reputation Risk: Outsourcing
->Access to expertise
->Knowledge of wireless communication standards and encryption methods
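The "end-to-end security is key" lesson above, shown in code as an added example that is not part of the original presentation. In the WAP architecture the handset's wireless transport security (WTLS) ends at the carrier's WAP gateway, which opens a separate TLS session to the bank, so the gateway handles the request in plaintext; transport security therefore only protects each hop, not the transaction itself. The example has the handset authenticate the transaction fields at the application layer with a keyed MAC that only the bank can verify, so an intermediary that terminates and re-establishes transport security cannot alter or replay the transaction unnoticed. The per-customer HMAC key, the field names, the `gateway_relay` stand-in and the fixed clock are all constructed assumptions for this illustration, not a real protocol; the envelope gives integrity, origin authentication and replay protection, and confidentiality of the fields would need an additional end-to-end encryption layer that this example does not attempt.

```python
"""Application-layer end-to-end authentication for a mobile banking transaction.

Added example (not from the original slide deck). The handset MACs the
transaction fields with a key shared only with the bank; the gateway that
terminates the wireless transport security can forward or re-encrypt the
envelope but cannot change it without the bank noticing.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed key: 32 bytes shared by the handset banking app and the bank.
# A real deployment would provision this per customer and per device.
CUSTOMER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
MAX_CLOCK_SKEW_SECONDS = 300  # assumed acceptance window for the timestamp


def _canonical(fields: dict) -> bytes:
    """Serialise the fields deterministically so handset and bank MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _mac(key: bytes, fields: dict) -> str:
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def handset_build_envelope(key: bytes, customer_id: str, to_account: str,
                           amount_cents: int, currency: str,
                           nonce: Optional[str] = None,
                           timestamp: Optional[int] = None) -> dict:
    """Build the transaction on the handset. The MAC covers every field,
    including a fresh nonce and a timestamp the bank uses for replay checks."""
    fields = {
        "customer_id": customer_id,
        "to_account": to_account,
        "amount_cents": amount_cents,
        "currency": currency,
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
        "timestamp": timestamp if timestamp is not None else int(time.time()),
    }
    return {"fields": fields, "mac": _mac(key, fields)}


def gateway_relay(envelope: dict) -> dict:
    """Stand-in for the carrier's WAP gateway (constructed). WTLS from the
    handset ends here and a new TLS session is opened to the bank, so the
    gateway sees the request in plaintext. It forwards the envelope; without
    the customer key it cannot produce a valid MAC for altered fields."""
    return json.loads(json.dumps(envelope))


def bank_verify(key: bytes, envelope: dict, seen_nonces: Set[str],
                now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify at the bank, the only other holder of the key. The MAC is
    checked first so that nonce and timestamp are only trusted once authentic."""
    fields = envelope.get("fields")
    mac = envelope.get("mac")
    if not isinstance(fields, dict) or not isinstance(mac, str):
        return False, "malformed envelope"
    if not hmac.compare_digest(_mac(key, fields), mac):
        return False, "mac mismatch: fields altered or wrong key"
    now = int(time.time()) if now is None else now
    ts = fields.get("timestamp")
    if not isinstance(ts, int) or abs(now - ts) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside acceptance window"
    nonce = fields.get("nonce")
    if nonce in seen_nonces:
        return False, "replayed transaction"
    seen_nonces.add(nonce)
    return True, "accepted"


def demo() -> list:
    """Three cases worth seeing: genuine, altered after WTLS ended, replayed.
    Returns the bank's verdict strings in that order."""
    seen: Set[str] = set()
    now = 1_700_000_000  # constructed fixed clock so the demo is reproducible
    env = handset_build_envelope(CUSTOMER_KEY, "cust-0042", "ACCT-1234",
                                 1250, "EUR", nonce="a" * 32, timestamp=now)
    genuine = bank_verify(CUSTOMER_KEY, gateway_relay(env), seen, now)
    altered = gateway_relay(env)
    altered["fields"]["amount_cents"] = 1_250_000  # modified in the clear at the gateway
    tampered = bank_verify(CUSTOMER_KEY, altered, seen, now)
    replayed = bank_verify(CUSTOMER_KEY, gateway_relay(env), seen, now)
    return [genuine[1], tampered[1], replayed[1]]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point for the risk assessment is the location of the key: because the gateway never holds it, the transaction's integrity no longer depends on the carrier, on the WTLS implementation, or on the handoff between the two transport sessions, which is exactly the dependency the slide warns against.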
->Developing and converting existing products and services for wireless transmission and use
->Effect of device characteristics: smaller screens; button or stylus commands

Reputation Risk
->Reliability of the delivery network
->Customer acceptance of no service due to telecommunications issues in areas where they expect service (consumer expectations)
->Processing and handling of interrupted transactions
->Integration of wireless applications with existing products and services

Compliance Issues
Disclosures
->Wireless banking devices are easier to lose and may increase the potential for unauthorized usage
->Types of services offered affect the level of risk (e.g., P2P payments increase risk)
->Privacy concerns from location-based services

GLBA Compliance
Primary elements of an information security program:
->Involve Board of Directors
->Assess Risk
->Manage and Control Risk (including testing)
->Oversee Service Providers
->Adjust Program

Characteristics of Good Risk Management
->Sound definitions of acceptable risk
->Ownership of the risk assessment
->Explicitly accept risks
->Identify key controls
->Create a test plan and follow up on results
->Ongoing Board involvement
->Active vendor management
->Sufficient technical expertise
->Appropriate business continuity planning

Industry Initiatives
->Many companies have strong policies in place to maintain their position of trust
->The reputational risk of the company and loss of market share is at stake
->Financial exposure is real

Best Practices
->Secure architecture
->Vulnerability management
->Intrusion detection
->Information sharing
->Training and awareness
->Regular testing, reporting, improving

What's Next - We Need to Focus On
->Security
->Authentication and verification
->Proper due diligence and complete understanding of the issues
->Prepare now for what is ahead
->New entrants into the marketplace
->International perspective in the new world

THANK YOU