19 Security controls in Mobile Banking

In today's complex global network, technology plays a vital role in the banking sector. Banks, among the largest financial institutions, constantly explore technology-enabled services to provide better customer experience and convenience. The mobile phone is a common technology device that has become part of every individual's life in the information era, and mobile banking is an emerging alternate channel for providing banking services. India, being the second largest telecom market in the world, has high potential for expanding banking services using mobile. However, mobile banking has not become the choice of millions of people due to the high likelihood of security challenges. The main objective of this article is to identify the challenges and recommend security controls in mobile banking for banking customers globally.

Recommendations

  1. The security controls/guidelines should be applied in a way that is appropriate to the risk associated with services provided by the bank through the mobile platform, the devices used, the delivery channels used (SMS, USSD, WAP, WEB, SIM tool kit based, Smart phone application based, IVR, IRDA, RFID, NFC, voice, etc) and the system which processes the mobile transactions and enables the interaction between the customers, merchants and banks.
     
  2. The mobile payments could get offered through various mobile network operator based channels (SMS, USSD, WAP, WEB, SIM tool kit, Smart phone application based, IVR, voice, etc) and non MNO based proximity or contactless channels (IRDA, RFID, Optical, NFC, etc) and these various mobile channels offer various degrees of security and interaction capability. While the objective of the Country based regulator is to have a fully functional digital certificate based inquiry/transaction capabilities to ensure the authenticity and non-repudiability,  given the complexities involved in getting this through all the channels and given the need for enabling mobile payments to facilitate financial inclusion objectives, it is suggested that the banks evaluate each of these channels in terms of security and risks involved and offer appropriate services and transactions. Banks are also advised to provide appropriate risk mitigation measures like transaction limit (per transaction, daily, weekly, monthly), transaction velocity limit, fraud checks, AML checks etc. per channel depending on the nature of the security features, risk perception by the bank offering the services and interaction capabilities.
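The per-channel risk mitigation described above (per-transaction, daily, weekly and monthly limits plus a velocity limit) is easy to get subtly wrong, so here is an added illustration of a small limit engine. It is not code from the article; the channel names, the rupee figures in the policies, the rolling windows and the sample sequence in `demo()` are constructed assumptions chosen so that weaker channels (plain SMS, USSD) get tighter caps than an app channel.

```python
"""Per-channel transaction limit and velocity checks for a mobile payments
front end. Added illustration, not the article's code: channel names, limits
and the sample history are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChannelPolicy:
    per_txn: int           # maximum amount for a single transaction
    daily: int             # aggregate cap over a rolling 24 hours
    weekly: int            # aggregate cap over a rolling 7 days
    monthly: int           # aggregate cap over a rolling 30 days
    max_txn_per_hour: int  # velocity limit: debits allowed per rolling hour


# Constructed sample policies (assumption): the weaker the channel's security
# and interaction capability, the tighter its limits.
POLICIES = {
    "SMS":  ChannelPolicy(1_500, 5_000, 15_000, 30_000, 3),
    "USSD": ChannelPolicy(5_000, 10_000, 30_000, 60_000, 5),
    "APP":  ChannelPolicy(50_000, 100_000, 300_000, 600_000, 10),
}


class LimitEngine:
    def __init__(self, policies):
        self.policies = policies
        # customer id -> list of (timestamp, channel, amount) of completed debits
        self.history = defaultdict(list)

    def _events(self, customer, channel, now, window):
        cutoff = now - window
        return [(t, a) for t, c, a in self.history[customer] if c == channel and t > cutoff]

    def check(self, customer, channel, amount, now):
        """Return (allowed, reason). The first failing check is reported."""
        policy = self.policies.get(channel)
        if policy is None:
            return False, "channel not offered"
        if amount <= 0:
            return False, "invalid amount"
        if amount > policy.per_txn:
            return False, "per-transaction limit"
        if len(self._events(customer, channel, now, timedelta(hours=1))) >= policy.max_txn_per_hour:
            return False, "velocity limit"
        for name, window, cap in (
            ("daily", timedelta(days=1), policy.daily),
            ("weekly", timedelta(days=7), policy.weekly),
            ("monthly", timedelta(days=30), policy.monthly),
        ):
            spent = sum(a for _, a in self._events(customer, channel, now, window))
            if spent + amount > cap:
                return False, f"{name} limit"
        return True, "ok"

    def process(self, customer, channel, amount, now):
        """Check and, only if allowed, record the debit so later checks see it."""
        allowed, reason = self.check(customer, channel, amount, now)
        if allowed:
            self.history[customer].append((now, channel, amount))
        return allowed, reason


def demo():
    """Constructed sequence for one customer on the SMS channel; returns the
    reason strings so the outcome can be checked without printing."""
    engine = LimitEngine(POLICIES)
    t0 = datetime(2024, 1, 1, 10, 0)
    steps = [
        ("c1", "SMS", 1_000, t0),                                 # ok
        ("c1", "SMS", 2_000, t0),                                 # over 1,500 per txn
        ("c1", "SMS", 1_000, t0 + timedelta(minutes=5)),          # ok
        ("c1", "SMS", 1_000, t0 + timedelta(minutes=10)),         # ok (3rd in the hour)
        ("c1", "SMS", 500, t0 + timedelta(minutes=15)),           # 4th in the hour: velocity
        ("c1", "SMS", 1_500, t0 + timedelta(hours=2)),            # ok, daily spend now 4,500
        ("c1", "SMS", 1_000, t0 + timedelta(hours=2, minutes=5)), # 5,500 > 5,000 daily cap
        ("c1", "NFC", 100, t0),                                   # no policy for channel
    ]
    return [engine.process(*s)[1] for s in steps]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Rejected transactions are deliberately not recorded in the history, so a customer cannot be locked out by their own failed attempts; whether failed attempts should instead feed a separate fraud-check counter is a policy decision the bank makes per channel.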
     
  3. It is suggested that the banks issue a new mobile pin (mPIN). To facilitate the mobile payments mPIN may be issued and authenticated by the bank or by a mobile payment application service provider appointed by the bank. Banks and the various service providers involved in the m-banking should comply with the following security principles and practices with respect to mPIN:
    • Implement a minimum of 4 digit customer mPIN (6 digit mPIN may be the desirable goal)
    • Protect the mPIN using end to end encryption
    • Do not allow the mPIN to be in clear text anywhere in the network or the system
    • Authenticate the mPIN in tamper-resistant hardware such as HSM (hardware security modules)
    • Store the PIN in a secure environment
    • In case of offline authentication, the banks should ensure that a proper process is put in place to positively identify the customer the first time when the service is being enabled. An offline PIN may be used as the authentication parameter with security levels being as strong as in the case of online authentication. The bank may choose to issue its own offline PIN or adopt a customer-defined PIN.
    • A second factor of authentication may be built-in for additional security and as such the second factor can be of the choosing of the bank
       
  4. All transactions that affect an account (those that result in an account being debited or credited, including scheduling of such activity, stop payments, etc) should be allowed only after authentication of the mobile number and the mPIN associated with it in the case of an MNO based payment service. In the case of non-MNO based mobile proximity payment, a specific static or dynamic identifier should be used as the second factor of authentication along with the mPIN. Two factor authentication may be adopted even for transactions of an informational nature such as balance enquiry, mini statements and registered payee details.
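The mPIN principles in item 3 (minimum length, no clear-text PIN anywhere, verification inside tamper-resistant hardware, a second factor) and the authorization rule in item 4 (account-affecting transactions need the mPIN plus the mobile number on MNO channels, or a registered identifier on proximity channels) fit together as one flow. The following is an added example, not the article's or any bank's code: the HSM is a software stand-in whose key never leaves the object and which only emits an opaque PIN verification value, and the customer ids, PINs, mobile numbers, device ids and transaction-type names are constructed assumptions.

```python
"""mPIN verification behind an HSM-style boundary plus the second-factor
authorization rule. Added example, not from the article; the HSM stand-in and
all sample identities are constructed."""
import hashlib
import hmac
import secrets

# Transaction types that debit or credit an account (article item 4).
ACCOUNT_AFFECTING = {"FUND_TRANSFER", "BILL_PAY", "SCHEDULED_PAYMENT", "STOP_PAYMENT"}


def mpin_meets_policy(mpin, min_len=4):
    """Article policy: numeric mPIN of at least 4 digits (6 is the desirable goal)."""
    return mpin.isdigit() and len(mpin) >= min_len


class HsmPinVerifier:
    """Stand-in for a hardware security module. The verification key is
    generated inside and never returned; the only outputs are an opaque PIN
    verification value (PVV) at enrolment and a yes/no at verification.
    Assumption: in production the mPIN arrives as an encrypted PIN block and is
    decrypted inside the module; here it is passed in directly."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def _pvv(self, customer_id, salt, mpin):
        data = salt + customer_id.encode() + b"\x00" + mpin.encode()
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def enroll(self, customer_id, mpin):
        if not mpin_meets_policy(mpin):
            raise ValueError("mPIN does not meet policy")
        salt = secrets.token_bytes(16)
        return salt, self._pvv(customer_id, salt, mpin)   # safe to store outside the HSM

    def verify(self, customer_id, salt, stored_pvv, mpin):
        if not mpin.isdigit():
            return False
        return hmac.compare_digest(stored_pvv, self._pvv(customer_id, salt, mpin))


class MobileBankingAuth:
    def __init__(self, hsm):
        self.hsm = hsm
        self.customers = {}   # customer_id -> record; never holds a PIN in clear

    def register(self, customer_id, mobile_number, mpin, device_id=None):
        salt, pvv = self.hsm.enroll(customer_id, mpin)
        self.customers[customer_id] = {
            "mobile": mobile_number, "salt": salt, "pvv": pvv, "device_id": device_id,
        }

    def authorize(self, customer_id, txn_type, channel, mpin,
                  mobile_number=None, device_id=None, two_factor_inquiry=False):
        """channel 'MNO': the verified mobile number is the second factor.
        channel 'PROXIMITY': a registered static or dynamic identifier is."""
        rec = self.customers.get(customer_id)
        if rec is None:
            return False, "unknown customer"
        if not self.hsm.verify(customer_id, rec["salt"], rec["pvv"], mpin):
            return False, "mPIN rejected"
        if txn_type not in ACCOUNT_AFFECTING and not two_factor_inquiry:
            return True, "ok"                      # informational, mPIN alone accepted
        if channel == "MNO":
            if mobile_number != rec["mobile"]:
                return False, "mobile number mismatch"
        elif channel == "PROXIMITY":
            if not rec["device_id"] or not device_id or \
                    not hmac.compare_digest(device_id, rec["device_id"]):
                return False, "device identifier mismatch"
        else:
            return False, "unknown channel"
        return True, "ok"


def demo():
    """Constructed customer and a sequence of authorization attempts."""
    auth = MobileBankingAuth(HsmPinVerifier())
    auth.register("cust-001", "+91-9000000001", "482913", device_id="NFC-TAG-7F3A")
    return [
        auth.authorize("cust-001", "BALANCE_ENQUIRY", "MNO", "482913"),
        auth.authorize("cust-001", "FUND_TRANSFER", "MNO", "482913", mobile_number="+91-9000000001"),
        auth.authorize("cust-001", "FUND_TRANSFER", "MNO", "482913", mobile_number="+91-9000000002"),
        auth.authorize("cust-001", "FUND_TRANSFER", "MNO", "000000", mobile_number="+91-9000000001"),
        auth.authorize("cust-001", "FUND_TRANSFER", "PROXIMITY", "482913", device_id="NFC-TAG-7F3A"),
        auth.authorize("cust-001", "FUND_TRANSFER", "PROXIMITY", "482913", device_id="NFC-TAG-0000"),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two details are worth noting: the customer record stores only a salt and the HSM-produced PVV, so a database dump does not expose mPINs, and the mPIN is checked before the second factor, so a wrong PIN is reported identically regardless of whether the mobile number or device identifier was right.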
     
  5. A proper system of verification of the mobile phone number should be implemented, wherever possible. This is to guard against spoofing of phone numbers, as mobile phones would be used as the second factor of authentication. It is also suggested, but not mandatory, that either the card number or an OTP (one time password) be used as the second factor of authentication rather than the phone number.
     
  6. Proper level of encryption should be implemented for communicating from the mobile handset to the bank’s server or the server of the mobile payments service provider, if any. Proper security levels should be maintained for transmission of information between the bank and the mobile payments service provider. The following guidelines with respect to network and system security should be adhered to:
    • Use strong encryption for protecting the sensitive and confidential information of bank and customers in transit
    • Implement application level encryption over network and transport layer encryption wherever possible.
    • Establish proper firewalls, intrusion detection systems (IDS), data file and system integrity checking, surveillance and incident response procedures and containment procedures.
    • Conduct periodic risk management analysis and security vulnerability assessment of the application and network etc. at least once a year.
    • Maintain proper and full documentation of security practices, guidelines, methods and procedures used in mobile payments and payment systems and keep them up to date based on the periodic risk management, analysis and vulnerability assessment carried out.
    • Implement appropriate physical security measures to protect the system gateways, network equipment, servers, host computers, and other hardware/software used from unauthorized access and tampering. The Data Centre of the Bank and Service Providers should have proper wired and wireless data network protection mechanisms.

  7. The dependence of banks on mobile payments service providers may place knowledge of bank systems and customers in the public domain. Mobile payment systems may also make the banks dependent on small firms (i.e. mobile payment service providers) with high employee turnover. It is therefore imperative that sensitive customer data, and the security and integrity of transactions, are protected. It is necessary that the mobile payments servers at the bank’s end or at the mobile payments service provider’s end, if any, should be certified appropriately, say through a PCI DSS certification or in compliance with each participant bank's security guidelines. In addition, banks should conduct regular information security audits on the mobile payments systems to ensure complete security. Further, if a mobile payments service provider aggregates and processes transactions, including verification of mPINs, additional security measures such as a Hardware Security Module (HSM) must be deployed over and above link encryption to ensure that mPIN data is protected adequately.

  8. It is recommended that for channels such as WAP and WEB which do not carry the phone number as identity, a separate login ID and password be provided, distinct from the internet banking credentials, either by the bank or the payment service provider. It is recommended that Internet Banking login IDs and passwords not be allowed to be used through mobile phones. Allowing Internet banking login ID and password usage on the mobile phone may compromise their usage on the Internet banking channel. This restriction may be communicated to the customers while offering the mobile payments service. However, Internet Banking login IDs and passwords can be allowed to be used through mobile phones provided:

    • Https connectivity through GPRS is used.

    • End to end encryption of the password and customer sensitive information happens.

  9. Plain text SMS is the simplest form of communication through mobile phones, but is vulnerable to tampering. As long as there is a second level of check on the details of the transaction so as to guard against data tampering this mode of communication can be used for financial messages of micro payment transactions (say about rupees One thousand five hundred) and repetitive utility bill payment transactions (say not exceeding rupees two thousand five hundred).
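Item 9 allows plain-text SMS only for small amounts and only with a second level of check on the transaction details. The following added example (not the article's code) shows what that check can look like on the bank side: the SMS is parsed against a strict grammar, the amount is held to the article's ceilings (about Rs 1,500 for micro payments, not exceeding Rs 2,500 for repetitive utility bills), and the payee or biller details are cross-checked against what the customer registered earlier over a stronger channel, so a tampered or forged SMS cannot direct funds anywhere new. The message grammar, the profile layout and every sample message are constructed assumptions.

```python
"""Second-level check for plain-text SMS payment instructions. Added example,
not from the article; grammar, profile and messages are constructed."""
import re
from decimal import Decimal

# Ceilings from the article: micro payments about Rs 1,500; repetitive
# utility bill payments not exceeding Rs 2,500.
MICRO_PAYMENT_LIMIT = Decimal("1500")
UTILITY_BILL_LIMIT = Decimal("2500")

# Constructed SMS grammar (assumption):
#   PAY <amount> TO <payee-alias>
#   BILL <amount> <biller-code> <consumer-number>
PAY_RE = re.compile(r"^PAY (\d{1,7}(?:\.\d{2})?) TO ([A-Z0-9]{3,12})$")
BILL_RE = re.compile(r"^BILL (\d{1,7}(?:\.\d{2})?) ([A-Z]{3,8}) (\d{6,12})$")

# Constructed customer profile: payees and billers registered through a
# stronger channel (branch, app or internet banking), never via SMS itself.
SAMPLE_PROFILE = {
    "payees": {"GROCER1", "SCHOOL"},
    "bills": {"ELEC": "12345678"},   # biller code -> registered consumer number
}


def parse_sms(text):
    """Normalise whitespace and case, then require an exact grammar match.
    Anything else (extra tokens, odd amounts) is rejected rather than guessed."""
    msg = " ".join(text.upper().split())
    m = PAY_RE.match(msg)
    if m:
        return {"kind": "micro", "amount": Decimal(m.group(1)), "payee": m.group(2)}
    m = BILL_RE.match(msg)
    if m:
        return {"kind": "bill", "amount": Decimal(m.group(1)),
                "biller": m.group(2), "consumer_no": m.group(3)}
    return None


def second_level_check(instr, profile):
    """Cross-check the SMS contents against registered data and the ceilings.
    The SMS body alone is never trusted to name a new payee or consumer number."""
    if instr["kind"] == "micro":
        if instr["amount"] > MICRO_PAYMENT_LIMIT:
            return False, "exceeds micro payment ceiling"
        if instr["payee"] not in profile["payees"]:
            return False, "payee not registered"
        return True, "ok"
    if instr["amount"] > UTILITY_BILL_LIMIT:
        return False, "exceeds utility bill ceiling"
    if profile["bills"].get(instr["biller"]) != instr["consumer_no"]:
        return False, "biller/consumer number not registered"
    return True, "ok"


def evaluate_sms(text, profile):
    """Full path: parse, then apply the second-level check."""
    instr = parse_sms(text)
    if instr is None:
        return False, "unparseable instruction"
    return second_level_check(instr, profile)


if __name__ == "__main__":
    for sms in ("pay 1200 to grocer1", "PAY 1800 TO GROCER1",
                "BILL 2400 ELEC 12345678", "BILL 2400 ELEC 99999999"):
        print(sms, "->", evaluate_sms(sms, SAMPLE_PROFILE))
```

The registered-payee lookup is the part that does the real work: with it, tampering with an in-flight SMS can at most move a bounded amount to a payee the customer already chose, which is the risk posture the article accepts for micro payments.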

  10. From a legal perspective, the security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for a signature. Any other method used by banks for authentication should be recognized as a source of legal risk. Customers must be made aware of the said legal risk prior to sign up.

  11. Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts. In the mobile payments scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/ other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks.

  12. As in an Internet banking scenario, in the mobile payments scenario too, there are very limited or no stop-payment privileges for mobile payments transactions, since it becomes impossible for the banks to stop payment in spite of receipt of a stop payment instruction: the transactions are completely instantaneous and are incapable of being reversed. Hence, banks offering mobile payments should clearly notify the customers of the timeframe and the circumstances in which any stop-payment instructions could be accepted.

  13. The Consumer Protection Act defines the rights of consumers and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of mobile payments services are being determined by bilateral agreements between the banks and customers. Considering the banking practice and rights enjoyed by customers in traditional banking, banks’ liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure etc. needs to be assessed, and banks providing Mobile payments should consider insuring themselves against such risks, as is the case with Internet Banking.

  14. Bilateral contracts between the payee and the payee’s bank, between the participating banks and the service provider, and between the banks themselves will form the legal basis for mobile transactions. The rights and obligations of each party must be clearly defined and should be valid in a court of law. It is likely that there will be two sets of contracts: one would be a commercial contract between service providers, and the second a contract between the customer and the bank to provide a particular service/s. At all times, the legal obligations of each party must be made clear through these contracts.

  15. Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through Mobile phone, through a disclosure template on their websites and/or through printed material.

  16. The existing mechanism for handling customer complaints / grievances may be used for mobile payment transactions as well. However, since the technology is relatively new, banks offering mobile payment services should set up a help desk and make the details of the help desk and the escalation procedure for lodging complaints, if any, public on their websites. Such details should also be made available to the customer at the time of sign up.

  17. In cases where the customer files a complaint with the bank disputing a transaction, it would be the responsibility of the service providing bank, to address the customer grievance. Banks may formulate chargeback procedures for addressing such customer grievances.

  18. Banks may also consider covering the risks arising out of fraudulent/disputed transactions through appropriate insurance schemes.

  19. The jurisdiction for legal settlement would be that of the country's regulator.

Authored by Anil Kumar Dubey
TCS Enterprise Security and Risk Management
