
Wireless Banking April 1, 2003

Wireless Banking April 1, 2003. Clifford A. Wilke Director of Bank Technology Office of the Comptroller of the Currency Washington, DC.


Presentation Transcript


  1. Wireless Banking April 1, 2003 Clifford A. Wilke Director of Bank Technology Office of the Comptroller of the Currency Washington, DC

  2. The views and opinions expressed in this presentation do not necessarily represent the views and directives of the Office of the Comptroller of the Currency or the Office of the Director of the Bank Technology Division.

  3. Wireless Banking Motivations
     • Banks and financial service companies are offering wireless account access
     • Extension of internet applications
     • Delivery to highly portable cell phones & personal digital assistants
     • More people getting devices
     • Features improving as technologies advance
     • Improve customer retention rates, especially technology oriented customers

  4. Wireless Banking Methods
     • Retail Delivery
       • PCs relying on non-bank owned wireless LANs or cell phone dial-in to access internet banking products
       • Mobile devices (e.g., cell phones, PDAs) accessing banking products customized to smaller form factors
     • Application support outsourced
     • Services range from full internet banking services to limited balance inquiry, funds transfer, bill pay & brokerage

  5. Wireless Link
     • Retail Delivery
       • Wireless LANs rely on unlicensed radio frequencies and IEEE 802.11 standards
       • Cell phone delivery relies on licensed radio frequencies and evolving voice-to-data focused delivery standards

  6. Challenges
     • Security
     • Systems Development and Life Cycle Management
     • Performance
     • Return on investment

  7. Reported Data Security Incidents
     [Chart] Source: CERT/CC -- statistics are not limited to the banking industry and include all reported incidents

  8. Identity Theft
     • 86,200 identity theft incidents last year, up from 31,000 the prior year
     • The cost to consumers averaged $1,200 per crime
     • Some incidents required victims to spend up to three years communicating with lenders and credit bureaus to straighten out records
     Source - Issue 771, Sept. 2002, of The Nilson Report, p.9 – FTC Data

  9. Banking Risks
     • Same inherent risk and issues as Internet Banking; primary risks affected:
       • Strategic
       • Transaction
       • Reputation
       • Compliance

  10. Strategic Risk
     • Determining wireless banking role in delivering products and services
     • Defining risk versus reward goals and objectives
       • Is the reward added revenue, saving lost revenues, and/or increased efficiency?
       • Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?

  11. Strategic Risk
     • Implementing emerging e-banking strategies
       • First Mover (“bleeding edge”) vs. wait and see (permanently lose market share)
       • Ease of implementing outsourced solution to keep up with the competition
     • Financial stability of vendors
     • Uncertain customer acceptance
     • Using standards not designed for secure banking environment needs
     • Rapidly changing technology standards
     • Expertise

  12. Transaction Risk – Security Issues
     • Wireless transmission encryption
       • Standards retro-fitted once security became an issue
       • Designed to protect transmitted data from unauthorized access/use
       • Early standards 802.11 and Wireless Access Protocols (i.e., WAP) have known vulnerabilities
       • Potential need to upgrade equipment as standards change

  13. Transaction Risk – Security Issues
     • Access codes stored on device may allow account access if device is lost or accessed
     • User names and passwords may be entered in clear view on the screen
     • Customer acceptance of alphanumeric PINs
       • Mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if the display is not asterisked out (i.e., ****)

  14. Transaction Risk – Security Lessons Reinforced
     • Unproven standards can have security weaknesses
     • Risk of external attacks increases as services expand to allow greater access to systems
     • Companies need to maintain knowledge of attack techniques, known and newly identified
     • End-to-end security is key
       • Do not rely on wireless transport layer security for banking application security
     • Need effective change management processes
     • Encourage customers to use good PIN/Password management practices

  15. Transaction and Reputation Risk – Outsourcing
     • Access to expertise
       • Knowledge of wireless communication standards and encryption methods
       • Developing and converting existing products and services for wireless transmission and use
     • Effect of device characteristics
       • Smaller screens
       • Button or stylus commands

  16. Reputation Risk
     • Reliability of delivery network
       • Customer acceptance of no-service due to telecommunications issues when they are in areas where they expect service (Consumer Expectations)
     • Processing and handling of interrupted transactions
     • Integration of wireless applications with existing products and services

  17. Compliance Issues
     • Disclosures
     • Wireless banking devices are easier to lose and may increase potential of unauthorized usage
     • Types of services offered affects level of risk (e.g., P2P payments increase risk)
     • Privacy concerns from location based services

  18. GLBA Compliance
     • Primary Elements of Information Security Program
       • Involve Board of Directors
       • Assess Risk
       • Manage and Control Risk (including testing)
       • Oversee Service Providers
       • Adjust Program

  19. Characteristics of Good Risk Management
     • Sound definitions of acceptable risk
     • Ownership of the risk assessment
     • Explicitly accept risks
     • Identify key controls
     • Create a test plan and follow up on results
     • Ongoing Board involvement
     • Active Vendor Management
     • Sufficient Technical Expertise
     • Appropriate Business Continuity Planning

  20. Industry Initiatives
     • Many companies have strong policies in place to maintain their position of trust
     • The reputational risk of the company and loss of market share is at stake
     • Financial exposure is real

  21. Best Practices
     • Secure architecture
     • Vulnerability management
     • Intrusion detection
     • Information sharing
     • Training and awareness
     • Regular testing, reporting, improving

  22. What’s Next - We Need to Focus On
     • Security
     • Authentication and Verification
     • Proper Due Diligence and Complete Understanding of the Issues
     • Prepare now for what is ahead
       • New Entrants into the Marketplace
       • International Perspective in the New World

  23. OCC Technology Issuances
     • FFIEC Information Security Booklet (February 2003)
     • Electronic Banking Final Rule (May 2002)
     • Bank Use of Foreign-Based Service Providers (May 2002)
     • ACH Transactions Involving the Internet (January 2002)
     • Authentication in an E-Banking Environment (July 2001)
     • Weblinking (July 2001)
     • Alert - Network Security (April 2001)
     • GLBA Guidelines to Safeguard Customer Information (Feb 2001)
     • Risk Management of Outsourced Technology Services (Nov 2000)
     • Infrastructure Threats--Intrusion Detection (May 2000)
     • Alert - Distributed Denial of Service (February 2000)
     • Alert - Internet Domain Names (July 2000)
     • Infrastructure Threats from Cyber-Terrorists (99-9)
     • Technology Risk Management: PC Banking (98-38)
     • Technology Risk Management (98-3)

  24. Summary
     Safety, Soundness and Responsibility will remain the primary driver
