clifford wilke
Post on 18-Nov-2014
Comptroller of the Currency, Administrator of National Banks
Wireless Banking
April 1, 2003
Clifford A. Wilke, Director of Bank Technology, Office of the Comptroller of the Currency, Washington, DC
The views and opinions expressed in this presentation do not necessarily represent the views and directives of the Office of the Comptroller of the Currency or the Office of the Director of the Bank Technology Division.
Wireless Banking Motivations
- Banks and financial service companies are offering wireless account access
  - Extension of internet applications
  - Delivery to highly portable cell phones & personal digital assistants
- More people getting devices
- Features improving as technologies advance
- Improve customer retention rates, especially technology-oriented customers
Wireless Banking Methods
- Retail Delivery
  - PCs relying on non-bank-owned wireless LANs or cell phone dial-in to access internet banking products
  - Mobile devices (e.g., cell phones, PDAs) accessing banking products customized to smaller form factors
  - Application support outsourced
- Services range from full internet banking services to limited balance inquiry, funds transfer, bill pay & brokerage
Wireless Link
- Retail Delivery
  - Wireless LANs rely on unlicensed radio frequencies and IEEE 802.11 standards
  - Cell phone delivery relies on licensed radio frequencies and evolving voice-to-data focused delivery standards
Challenges
- Security
- Systems Development and Life Cycle Management
- Performance
- Return on investment
Reported Data Security Incidents
Unauthorized Activity Incidents Increasing (reported incidents per year, as charted):
1995: 2,412
1996: 2,573
1997: 2,134
1998: 3,734
1999: 9,859
2000: 21,756
2001: 52,658
2002: 82,094
Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents
Identity Theft
- 86,200 identity theft incidents last year, up from 31,000 the prior year
- The cost to consumers averaged $1,200 per crime
- Some incidents required victims to spend up to three years communicating with lenders and credit bureaus to straighten out records.
Source - Issue 771, Sept. 2002, of The Nilson Report, p.9 – FTC Data
Banking Risks
- Same inherent risk and issues as Internet Banking; primary risks affected:
  - Strategic
  - Transaction
  - Reputation
  - Compliance
Strategic Risk
- Determining wireless banking role in delivering products and services
- Defining risk versus reward goals and objectives
  - Is the reward added revenue, saving lost revenues, and/or increased efficiency?
  - Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?
Strategic Risk
- Implementing emerging e-banking strategies
  - First Mover (“bleeding edge”) vs. wait and see (permanently lose market share)
  - Ease of implementing outsourced solution to keep up with the competition
  - Financial stability of vendors
  - Uncertain customer acceptance
  - Using standards not designed for secure banking environment needs
  - Rapidly changing technology standards
  - Expertise
Transaction Risk
- Security Issues
  - Wireless transmission encryption
    - Standards retro-fitted once security became an issue
    - Designed to protect transmitted data from unauthorized access/use
    - Early standards 802.11 and Wireless Access Protocols (i.e., WAP) have known vulnerabilities
    - Potential need to upgrade equipment as standards change
Transaction Risk
- Security Issues
  - Access codes stored on device may allow account access if device lost or accessed
  - User names and passwords may be entered in clear view on the screen
  - Customer acceptance of alphanumeric PINs
    - Mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if display is not asterisked out (i.e., ****)
Transaction Risk
- Security – Lessons Reinforced
  - Unproven standards can have security weaknesses
  - Risk of external attacks increases as services expand to allow greater access to systems
  - Companies need to maintain knowledge of attack techniques, known and newly identified
  - End-to-end security is key
    - Do not rely on wireless transport layer security for banking application security
  - Need effective change management processes
  - Encourage customers to use good PIN/Password management practices
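The "end-to-end security" lesson above rests on a property of the WAP architecture of the period: the carrier's gateway between the handset and the bank terminates the wireless transport encryption (WTLS) and re-encrypts towards the bank, so transport protection alone leaves the banking payload readable, and alterable, at the gateway. The following Python illustration is added here and is not part of the presentation; the party names, keys and messages are constructed for the demo, and the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 so that it runs on the standard library alone (production code would use a standard AEAD such as AES-GCM). It models the two transport hops and shows what the gateway can see, and what the bank can detect, with and without an application-layer seal under a key the gateway never holds.

```python
"""End-to-end protection of a banking payload across a gateway that
terminates transport encryption.  Added illustration, not OCC material.
All keys and messages below are constructed for the demo."""
import hashlib
import hmac
import secrets


def _derive(master: bytes, label: bytes) -> bytes:
    # Split one shared secret into independent encryption and MAC keys.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(enc_key, nonce || counter), truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on tampering."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed demo keys.  The first two model the two transport hops; the
# third is the application-layer key shared only by handset and bank.
K_HANDSET_GATEWAY = b"hop1-demo-key"
K_GATEWAY_BANK = b"hop2-demo-key"
K_HANDSET_BANK = b"end-to-end-demo-key"


def gateway_relay(hop1_blob: bytes, tamper: bool = False) -> tuple[bytes, bytes]:
    """The gateway decrypts hop 1 and re-encrypts for hop 2.
    Returns (bytes visible to the gateway, blob forwarded to the bank)."""
    seen = open_sealed(K_HANDSET_GATEWAY, hop1_blob)
    if tamper:
        # Hypothetical compromised gateway flips one byte of what it forwards.
        seen = bytes([seen[0] ^ 0x01]) + seen[1:]
    return seen, seal(K_GATEWAY_BANK, seen)


def transport_only(payload: bytes, tamper: bool = False) -> tuple[bytes, bytes]:
    """Per-hop protection only.  Returns (gateway view, what the bank accepts)."""
    gateway_view, hop2 = gateway_relay(seal(K_HANDSET_GATEWAY, payload), tamper)
    return gateway_view, open_sealed(K_GATEWAY_BANK, hop2)


def end_to_end(payload: bytes, tamper: bool = False) -> tuple[bytes, bytes]:
    """Application-layer seal under the handset/bank key, then the same two hops."""
    inner = seal(K_HANDSET_BANK, payload)
    gateway_view, hop2 = gateway_relay(seal(K_HANDSET_GATEWAY, inner), tamper)
    return gateway_view, open_sealed(K_HANDSET_BANK, open_sealed(K_GATEWAY_BANK, hop2))


def bank_detects_tampering(payload: bytes) -> bool:
    """True if the end-to-end seal makes the bank reject a gateway-altered message."""
    try:
        end_to_end(payload, tamper=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"TRANSFER 500.00 FROM 1234 TO 9876"  # constructed sample instruction
    gw_view, bank_got = transport_only(msg)
    print("transport only, gateway sees :", gw_view)
    print("transport only, tampered, bank accepts:", transport_only(msg, tamper=True)[1])
    gw_view, bank_got = end_to_end(msg)
    print("end-to-end, gateway sees     :", gw_view.hex()[:32], "...")
    print("end-to-end, bank recovers    :", bank_got)
    print("end-to-end, tampering detected:", bank_detects_tampering(msg))
```

With transport protection only, the gateway holds the transfer instruction in the clear and a change it makes is accepted by the bank as genuine; with the application-layer seal, the gateway relays opaque bytes and any alteration fails the bank's tag check before decryption. The second property is what makes the handset/bank key, rather than the carrier's link encryption, the control the banking application should depend on.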
Transaction and Reputation Risk
- Outsourcing
  - Access to expertise
  - Knowledge of wireless communication standards and encryption methods
- Developing and converting existing products and services for wireless transmission and use
  - Effect of device characteristics
    - Smaller screens
    - Button or stylus commands
Reputation Risk
- Reliability of delivery network
  - Customer acceptance of no-service due to telecommunications issues when they are in areas they expect service - Consumer Expectations
- Processing and handling of interrupted transactions
- Integration of wireless applications with existing products and services
Compliance Issues
- Disclosures
- Wireless banking devices are easier to lose and may increase potential of unauthorized usage
- Types of services offered affect level of risk (e.g., P2P payments increase risk)
- Privacy concerns from location-based services
GLBA Compliance
- Primary Elements of Information Security Program
  - Involve Board of Directors
  - Assess Risk
  - Manage and Control Risk (including testing)
  - Oversee Service Providers
  - Adjust Program
Characteristics of Good Risk Management
- Sound definitions of acceptable risk
- Ownership of the risk assessment
- Explicitly accept risks
- Identify key controls
- Create a test plan and follow up on results
- Ongoing Board involvement
- Active Vendor Management
- Sufficient Technical Expertise
- Appropriate Business Continuity Planning
Industry Initiatives
- Many companies have strong policies in place to maintain their position of trust
- The reputational risk of the company and loss of market share is at stake
- Financial exposure is real
Best Practices
- Secure architecture
- Vulnerability management
- Intrusion detection
- Information sharing
- Training and awareness
- Regular testing, reporting, improving
What’s Next - We Need to Focus On
- Security
- Authentication and Verification
- Proper Due Diligence and Complete Understanding of the Issues
- Prepare now for what is ahead
- New Entrants into the Marketplace
- International Perspective in the New World
OCC Technology Issuances
- FFIEC Information Security Booklet (February 2003)
- Electronic Banking Final Rule (May 2002)
- Bank Use of Foreign-Based Service Providers (May 2002)
- ACH Transactions Involving the Internet (January 2002)
- Authentication in an E-Banking Environment (July 2001)
- Weblinking (July 2001)
- Alert - Network Security (April 2001)
- GLBA Guidelines to Safeguard Customer Information (Feb 2001)
- Risk Management of Outsourced Technology Services (Nov 2000)
- Infrastructure Threats--Intrusion Detection (May 2000)
- Alert - Distributed Denial of Service (February 2000)
- Alert - Internet Domain Names (July 2000)
- Infrastructure Threats from Cyber-Terrorists (99-9)
- Technology Risk Management: PC Banking (98-38)
- Technology Risk Management (98-3)
Summary
Safety, Soundness and Responsibility will remain the primary driver