
Comptroller of the Currency Administrator of National Banks

Wireless Banking
April 1, 2003

Clifford A. Wilke
Director of Bank Technology
Office of the Comptroller of the Currency
Washington, DC


The views and opinions expressed in this presentation do not necessarily represent the views and directives of the Office of the Comptroller of the Currency or the Office of the Director of the Bank Technology Division.


Wireless Banking Motivations

- Banks and financial service companies are offering wireless account access
  - Extension of internet applications
  - Delivery to highly portable cell phones & personal digital assistants
- More people getting devices
- Features improving as technologies advance
- Improve customer retention rates, especially technology oriented customers


Wireless Banking Methods

Retail Delivery

- PCs relying on non-bank owned wireless LANs or cell phone dial-in to access internet banking products
- Mobile devices (e.g., cell phones, PDAs) accessing banking products customized to smaller form factors
- Application support outsourced
- Services range from full internet banking services to limited balance inquiry, funds transfer, bill pay & brokerage


Wireless Link

Retail Delivery

- Wireless LANs rely on unlicensed radio frequencies and IEEE 802.11 standards
- Cell phone delivery relies on licensed radio frequencies and evolving voice-to-data focused delivery standards


Challenges

- Security
- Systems Development and Life Cycle Management
- Performance
- Return on investment


Reported Data Security Incidents

Unauthorized Activity Incidents Increasing

[Bar chart: incidents reported to CERT/CC per year, with the values labelled on the chart]

Year | Reported incidents
1995 | 2,412
1996 | 2,573
1997 | 2,134
1998 | 3,734
1999 | 9,859
2000 | 21,756
2001 | 52,658
2002 | 82,094

Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents


Identity Theft

- 86,200 identity theft incidents last year, up from 31,000 the prior year
- The cost to consumers averaged $1,200 per crime
- Some incidents required victims to spend up to three years communicating with lenders and credit bureaus to straighten out records.

Source: Issue 771, Sept. 2002, of The Nilson Report, p. 9; FTC data


Banking Risks

- Same inherent risk and issues as Internet Banking; primary risks affected:
  - Strategic
  - Transaction
  - Reputation
  - Compliance


Strategic Risk

- Determining wireless banking role in delivering products and services
- Defining risk versus reward goals and objectives
  - Is the reward added revenue, saving lost revenues, and/or increased efficiency?
  - Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?


Strategic Risk

- Implementing emerging e-banking strategies
  - First Mover (bleeding edge) vs. wait and see (permanently lose market share)
  - Ease of implementing outsourced solution to keep up with the competition
- Using standards not designed for secure banking environment needs
- Rapidly changing technology standards
- Expertise
- Uncertain customer acceptance
- Financial stability of vendors


Transaction Risk

Security Issues

- Wireless transmission encryption
  - Standards retro-fitted once security became an issue
  - Designed to protect transmitted data from unauthorized access/use
  - Early standards 802.11 and Wireless Access Protocols (i.e., WAP) have known vulnerabilities
  - Potential need to upgrade equipment as standards change


Transaction Risk

Security Issues

- Access codes stored on device may allow account access if device lost or accessed
- User names and passwords may be entered in clear view on the screen
- Customer acceptance of alphanumeric PINs
  - Mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if display is not asterisked out (i.e., ****)


Transaction Risk

Security Lessons Reinforced

- Unproven standards can have security weaknesses
- Risk of external attacks increases as services expand to allow greater access to systems
- Companies need to maintain knowledge of attack techniques, known and newly identified
- End-to-end security is key
  - Do not rely on wireless transport layer security for banking application security
- Need effective change management processes
- Encourage customers to use good PIN/Password management practices


Transaction and Reputation Risk

Outsourcing

- Access to expertise
  - Knowledge of wireless communication standards and encryption methods
  - Developing and converting existing products and services for wireless transmission and use
- Effect of device characteristics
  - Smaller screens
  - Button or stylus commands


Reputation Risk

- Reliability of delivery network
- Customer acceptance of no-service due to telecommunications issues when they are in areas they expect service - Consumer Expectations
- Processing and handling of interrupted transactions
- Integration of wireless applications with existing products and services


Compliance Issues

- Disclosures
- Wireless banking devices are easier to lose and may increase potential of unauthorized usage
  - Types of services offered affect level of risk (e.g., P2P payments increase risk)
- Privacy concerns from location based services


GLBA Compliance

- Primary Elements of Information Security Program
  - Involve Board of Directors
  - Assess Risk
  - Manage and Control Risk (including testing)
  - Oversee Service Providers
  - Adjust Program


Characteristics of Good Risk Management

- Sound definitions of acceptable risk
- Ownership of the risk assessment
- Explicitly accept risks
- Identify key controls
- Create a test plan and follow up of results
- Ongoing Board involvement
- Active Vendor Management
- Sufficient Technical Expertise
- Appropriate Business Continuity Planning


Industry Initiatives

- Many companies have strong policies in place to maintain their position of trust
- The reputational risk of the company and loss of market share is at stake
- Financial exposure is real


Best Practices

- Secure architecture
- Vulnerability management
- Intrusion detection
- Information sharing
- Training and awareness
- Regular testing, reporting, improving


What's Next - We Need to Focus On

- Security
- Authentication and Verification
- Proper Due Diligence and Complete Understanding of the Issues
- Prepare now for what is ahead
- New Entrants into the Marketplace
- International Perspective in the New World


OCC Technology Issuances

- FFIEC Information Security Booklet (February 2003)
- Electronic Banking Final Rule (May 2002)
- Bank Use of Foreign-Based Service Providers (May 2002)
- ACH Transactions Involving the Internet (January 2002)
- Authentication in an E-Banking Environment (July 2001)
- Weblinking (July 2001)
- Alert - Network Security (April 2001)
- GLBA Guidelines to Safeguard Customer Information (Feb 2001)
- Risk Management of Outsourced Technology Services (Nov 2000)
- Infrastructure Threats--Intrusion Detection (May 2000)
- Alert - Distributed Denial of Service (February 2000)
- Alert - Internet Domain Names (July 2000)
- Infrastructure Threats from Cyber-Terrorists (99-9)
- Technology Risk Management: PC Banking (98-38)
- Technology Risk Management (98-3)


Summary

Safety, Soundness and Responsibility will remain the primary driver
