Wireless Banking
April 1, 2003
Clifford A. Wilke, Director of Bank Technology, Office of the Comptroller of the Currency, Washington, DC
The views and opinions expressed in this presentation do not necessarily represent the views and directives of the Office of the Comptroller of the Currency or the Office of the Director of the Bank Technology Division.
Retail Delivery
LANs or cell phone dial-in to access internet banking products
Mobile devices (e.g., cell phones, PDAs) accessing banking products customized to smaller form factors
Application support outsourced
Services range from full internet banking services to limited balance inquiry, funds transfer, bill pay and brokerage
Wireless Link
Retail Delivery
radio frequencies and IEEE 802.11 standards
Cell phone delivery relies on licensed radio frequencies and evolving delivery standards that are moving from voice to data
Challenges
[Chart: reported security incidents per year, 1997 through 2002]
Source: CERT/CC; statistics are not limited to the banking industry and include all reported incidents
Identity Theft
year, up from 31,000 the prior year
The cost to consumers averaged $1,200 per crime
Some incidents required victims to spend up to three years communicating with lenders and credit bureaus to straighten out their records
Source - Issue 771, Sept. 2002, of The Nilson Report, p.9 FTC Data
Banking Risks
Strategic Risk
delivering products and services
Defining risk versus reward goals and objectives
Is the reward added revenue, saving lost revenues, and/or increased efficiency?
Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?
Strategic Risk
Transaction Risk
became an issue
Designed to protect transmitted data from unauthorized access/use
Early standards, 802.11 (with its WEP link encryption) and the Wireless Application Protocol (WAP), have known vulnerabilities
Potential need to upgrade equipment as standards change
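The "known vulnerabilities" bullet above refers, in the 802.11 case, to the WEP link cipher. As an added example (not part of the OCC presentation), the following Python reproduces the core of that weakness: WEP seeds RC4 with a 24-bit IV prepended to the shared key, so any two frames sent under the same IV are XORed with the same keystream, and one predictable plaintext (such as a fixed HTTP request line) unmasks the other frame. The shared key, IV and the two frames are constructed for illustration; the RC4 routine is a textbook implementation written for this example.

```python
"""Added example: why keystream (IV) reuse in a WEP-style RC4 link cipher
is a known vulnerability. Not code from the OCC presentation.

Assumptions (this example's, not the page's): a WEP-like scheme that seeds
RC4 with IV || shared_key and sends the 3-byte IV in the clear, plus two
frames that happen to use the same IV. Sample key and frames are constructed.
"""

# Constructed sample frames: a predictable request and a sensitive one.
P_A = b"GET /balance HTTP/1.0\r\nHost: mbank.example\r\n"
P_B = b"POST /transfer to=12345678 amt=500 pin=4321"
SHARED_KEY = b"bank-ap-key40"   # constructed 13-byte (104-bit) WEP-style key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA); returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_like_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-frame RC4 key = IV || shared key; IV sent in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes,
                                 known_plaintext_a: bytes):
    """If two frames share an IV, C_a XOR P_a gives the keystream, which then
    decrypts C_b. Returns None when the IVs differ (attack does not apply)."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    n = min(len(ct_a), len(ct_b), len(known_plaintext_a))
    keystream = xor_bytes(ct_a[:n], known_plaintext_a[:n])   # never needed the key
    return xor_bytes(ct_b[:n], keystream)


def demo() -> bytes:
    """Encrypt both constructed frames under one IV and recover the second
    using only the first frame's (guessable) plaintext."""
    iv = b"\x00\x00\x01"
    c_a = wep_like_encrypt(SHARED_KEY, iv, P_A)
    c_b = wep_like_encrypt(SHARED_KEY, iv, P_B)
    return recover_with_known_plaintext(c_a, c_b, P_A)


if __name__ == "__main__":
    print(demo())
```

The recovery never touches the shared key. With only 2^24 IVs, a busy access point exhausts the space within hours and, by the birthday bound, a repeated IV is likely after a few thousand frames, which is why "upgrade equipment as standards change" follows directly from this bullet.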
Transaction Risk
allow account access if the device is lost or accessed
User names and passwords may be entered in clear view on the screen
Customer acceptance of alphanumeric PINs
Mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if the display is not asterisked out (i.e., ****)
Transaction Risk
Outsourcing
Access to expertise
Reputation Risk
due to telecommunications issues when they are in areas where they expect service (consumer expectations)
Processing and handling of interrupted transactions
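The "interrupted transactions" bullet is the one a wireless channel makes concrete: the link drops after the bank has posted a transfer but before the acknowledgement reaches the handset, and the customer presses Send again. As an added example (not from the OCC presentation), the Python below sketches the usual mitigation, a client-supplied idempotency key stored with the outcome so that a retry returns the original result instead of posting twice, beside the naive handler that double-debits. Account names, balances and keys are constructed for illustration.

```python
"""Added example: idempotent handling of a mobile transfer whose
acknowledgement was lost on the wireless link. Not code from the OCC
presentation; the service, ledger and keys are constructed for illustration.

Assumption: the handset generates an idempotency key per transfer attempt
and reuses it when it retries; the server records the outcome under that
key before replying.
"""
from dataclasses import dataclass, field


@dataclass
class TransferService:
    balances: dict                                   # account -> balance
    processed: dict = field(default_factory=dict)    # idempotency key -> result

    def status(self, idem_key: str):
        """Lets a client that timed out ask what happened before resending.
        None means the request never arrived, so resending is safe."""
        return self.processed.get(idem_key)

    def transfer(self, idem_key: str, src: str, dst: str, amount: int) -> dict:
        """Post a transfer once per idempotency key; replays get the same answer."""
        if idem_key in self.processed:
            return self.processed[idem_key]          # duplicate: no second debit
        if amount <= 0 or self.balances.get(src, 0) < amount:
            result = {"status": "declined", "reason": "insufficient funds"}
        else:
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
            result = {"status": "posted", "amount": amount}
        # Record the outcome before acknowledging, so a crash between posting
        # and replying still leaves the key answerable on retry.
        self.processed[idem_key] = result
        return result


def naive_transfer(balances: dict, src: str, dst: str, amount: int) -> dict:
    """Handler without an idempotency key: every retry posts again."""
    if balances.get(src, 0) < amount:
        return {"status": "declined"}
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount
    return {"status": "posted", "amount": amount}


def simulate_dropped_ack():
    """Constructed scenario: the first reply is lost in transit and the
    handset retries with the same key."""
    svc = TransferService({"acct-A": 1000, "acct-B": 0})
    first = svc.transfer("k1", "acct-A", "acct-B", 300)   # reply never reaches handset
    retry = svc.transfer("k1", "acct-A", "acct-B", 300)   # same key, same outcome
    return svc.balances, first, retry


def simulate_naive_dropped_ack():
    """Same scenario with the naive handler: the customer is debited twice."""
    balances = {"acct-A": 1000, "acct-B": 0}
    naive_transfer(balances, "acct-A", "acct-B", 300)
    naive_transfer(balances, "acct-A", "acct-B", 300)
    return balances


if __name__ == "__main__":
    print(simulate_dropped_ack())
    print(simulate_naive_dropped_ack())
```

The key must be bound to the authenticated customer and expire only after the reply has been durably delivered; a status lookup by key gives the handset a safe way to resolve a timeout without guessing.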
Compliance Issues
GLBA Compliance
Security Program
Involve Board of Directors
Assess Risk
Manage and Control Risk (including testing)
Oversee Service Providers
Adjust Program
Sound definitions of acceptable risk
Ownership of the risk assessment
Explicitly accept risks
Identify key controls
Create a test plan and follow up on results
Ongoing Board involvement
Active Vendor Management
Sufficient Technical Expertise
Appropriate Business Continuity Planning
Industry Initiatives
policies in place to maintain their position of trust
The reputational risk of the company and loss of market share is at stake
Financial exposure is real
Best Practices
Secure architecture
Vulnerability management
Intrusion detection
Information sharing
Training and awareness
Regular testing, reporting, improving
Understanding of the Issues
Prepare now for what is ahead
New Entrants into the Marketplace
International Perspective in the New World
FFIEC Information Security Booklet (February 2003)
Electronic Banking Final Rule (May 2002)
Bank Use of Foreign-Based Service Providers (May 2002)
ACH Transactions Involving the Internet (January 2002)
Authentication in an E-Banking Environment (July 2001)
Weblinking (July 2001)
Alert - Network Security (April 2001)
GLBA Guidelines to Safeguard Customer Information (February 2001)
Risk Management of Outsourced Technology Services (November 2000)
Infrastructure Threats - Intrusion Detection (May 2000)
Alert - Distributed Denial of Service (February 2000)
Alert - Internet Domain Names (July 2000)
Infrastructure Threats from Cyber-Terrorists (99-9)
Technology Risk Management: PC Banking (98-38)
Technology Risk Management (98-3)
Summary