International minimum security guidelines for mobile device banking applications

Produced by the ATM Industry Association

Contributors
G EO B R I DG E CON S ULT IN G

Executive Summary
1. Mobile phone banking is in a high-growth phase with at least 90 companies emerging in recent years offering banking and payment applications for mobile phones. 2. It is estimated that as much as half of the worlds population may now own a mobile phone. This is roughly twice the number of credit card holders. About 80% of the US population is thought to own a mobile phone. 3. The World Bank estimates that more than two-thirds of the world's population live within range of a mobile phone network. 4. It is expected that around 2.3 trillion SMSs will be sent in 2008. 5. The mobile phone product market is very complex with some 1,500 different kinds of handsets available around the world, with over 450 different configurations, from different screen sizes to a variety of operating systems (Symbian, Windows Mobile, Linux, Palm) and functionalities. 6. Mobile phones tend to be replaced every 18 months, compared to PCs being replaced on average every 42 months. 7. The following are examples of mobile phone banking applications: Balance enquiry/update Paying bills Purchase transaction (Point of Sale) Assisting cash withdrawals at an ATM Making changes to PINs over the mobile phone

8. Today, there is a significant and real threat to all financial services delivery channels, including mobile phones, from organized criminal activity and insider fraud. There is also a marked increase in identity fraud, fraud in financial transactions and theft of customer data. 9. The rate of loss of mobile phones averages one every minute in the world. 10. Security best practices recommend measures to protect the business lifecycle of the mobile phone as a new self-service banking device while striving to balance security and convenience. It is imperative to protect the whole mobile channel.

11. The essence of security is maintaining the trust of customers through continued safe usage to create a Trusted Environment for use. 12. The mobile phone has been very successfully used as authentication tool for online banking, through a confirming SMS sent by the bank to the customer during online transactions. 13. On-going risk assessments and hardening the chosen targets of criminal action remain universal principles of security, as does collaboration of the industry and law enforcement in crime reduction exercises. 14. The terms of reference for drafting these best practices were to cover the following topics: Enrollment, registration, and customer access to banking on mobile devices Security and privacy of customer details/data Customer education on the mobile phone as an instrument of value Dealing with lost or stolen mobile phones/devices Security of software and transmission to financial services device (e.g. ATM) Defining security lifecycle for mobile phone banking Linking in to card fraud prevention for chipped SIM cards Defining strengths and vulnerabilities of each mobile phone channel/protocol Voice Text Messaging (SMS) USSD Messaging IP Data Services

15. There are four channels on the mobile phone:

It is important from the outset to use the right channels for the right kind of financial transaction. For example, text should only be used for payment purposes if there is encryption. 16. The security lifecycle of the mobile phone as a banking device includes the following phases: end-user security, the physical security of the phone, the security of the account, the security of the phones software and its SIM card, security of customer authentication, transaction security and the security of wireless connectivity to the banking network systems. 17. Customer education on mobile phone banking should focus on two levels: Level of customer understanding Level of customer confidence, including perception of device security.

18. Customers can take three basic steps to increase mobile phone security: The owner of the SIM can prevent unauthorized usage of the SIM, by using a PIN to manage access to it when the device is switched on Key-pad lock most devices can be setup to automatically lock the keypad after a predefined time so that the user will need to enter a PIN to unlock the keypad PIN management: (a) customers should be taught never to store confidential information (i.e. PIN) on the device and never to divulge their PIN to anyone and (b) customers should be taught to change their PIN regularly

19. When customers register for mobile phone banking or open an account for this purpose, everything needed for further registration and authentication should be captured. In addition, the customer should be educated there and then about the solution and its security. 20. It is essential to take privacy laws into account when using location based services (LBS) on the mobile phone. Customers must consent during registration processes to permit the bank or card issuer to use the customers location information as a security feature (for example, in red-flagging a transaction initiated in one place where it would not be possible for the customer to be in given his/her position during recent previous transactions). 21. The transactional options and functionality provided to the mobile phone banking customer should be matched with the appropriate level of secure authentication in a tiered approach. 22. Unique information about the customers handset (IMEI) and SIM card (IMSI) may be used as a second factor authentication mechanism. This will create confidence that the customer is using his/her device/SIM (something they have), and their PIN (something they know). 23. The ideal is for the banking application to be deployed on the mobile phone as browser- based, secure, HTTPS enabled application or an encrypted channel application (PPTP Point to Point Tunneling Protocol, equivalent or higher). 24. Voice biometrics offers the potential for secure, non-threatening authentication of mobile phone banking and payment transactions. 25. Most regulatory guidance requires financial institutions to manage their service providers in accordance with these regulations. Both financial institutions and the providers of mobile phone banking services must comply with the regulations. 26. There are currently no defining international regulatory standards for mobile banking, but a range of guideline documents have been issued by various international associations or groups.

27. Compliance with these types of regulations as well as adopting best practices for protecting non-public personal information should be integrated into daily operations. In addition to policy and procedures, an organization needs to develop compliance monitoring and oversight processes including the ability to report compliance for each of the requirements. 28. Banks offering mobile banking generally view delivery of banking services over a mobile phone as an alternate delivery channel for existing banking customers. This model is used within the existing regulatory framework covering banking transactions. However, if a bank offers mobile banking using an agent network and not just utilizing the existing bank branch infrastructure, different regulations will apply. 29. Know your customer (KYC) requirements form an essential part of a properly regulated mobile banking environment. Governments have placed increasing attention on anti-money laundering and combating the financing of terrorism (AML/CFT) initiatives. 30. In the case of non-banks offering mobile banking, customers do not deal with a bank or have a bank account; instead, customers deal with either mobile network operators or prepaid card issuers. Generally, regulations to govern non-banks have not yet been created, especially in developing countries where no set regulations for e-money and stored value instruments have been created. 31. Mobile Banking overlaps with several regulatory domains; these include banking, telecommunications, payment systems and antimoney laundering agencies. Banking regulations cover multiple categories of risk that the regulators seek to mitigate; these categories include credit risk, operational risk, legal risk, liquidity risk and reputational risk. 32. The first step in adopting regulations and best practices is to perform an organization risk assessment for each requirement focused on the processes surrounding the mobile phone activity. 33. Once a risk assessment is completed, any gaps related to high risks items need to be closed first. Then gaps for lesser risk items need to be closed until each one is adequately addressed, based on the business risk appetite. Specifically, companies need to focus their efforts in a number of areas, including: AssessmentMeasure the current risk. Procedures must be implemented to assess and monitor the applicable regulation and guidance. Strengthen GovernanceCreate policies. Information Technology must confer with business management to understand what regulations apply to particular mobile phone banking processes and data.

Strengthen ControlsDevelop procedures. At a minimum, procedures should include a breach incident response program, protection of non-public personal information at all times, and security of the information technology network. EnforcementAssign ownership/accountability for compliance programs. Having policies and procedures in place are effective only if they are followed. Ownership and accountability for the various compliance programs (policy and procedures) should be clearly defined and in a position of authority to implement/enforce the rules throughout the organization. Continuous MonitoringContinuously monitor and assess risk. Ensure the proper management oversight structure is established with ongoing reporting of the program effectiveness to the risk. In some cases, the risk/reward identified may require re-evaluation of various business activities and the effectiveness of this program allows for modification of such activities while minimizing unnecessary disruption of business.

34. Finally, it is recommended that these best practices be read in conjunction with ANSI X9.49 which sets out security standards for portable financial services devices. Please note that this Executive Summary cannot replace reading the whole manual. The summary is merely a guide as to the content and main principles of mobile device banking best practices.