Recently, the FFIEC released an expected and overdue update to its IT Examination Handbook. Retail Payment Systems Booklet Appendix E: Mobile Financial Services was written to encompass the often-used mobile banking product and service line for financial institutions, which has not been explicitly recognized in the IT Exam Handbook until now.
According to the guidance, Appendix E: Mobile Financial Services (MFS) “focuses on risks associated with MFS and emphasizes an enterprise-wide risk management approach to the effective management and mitigation of those risks.” Appendix E: MFS discusses the different types of mobile financial services that institutions are currently implementing and provides an updated work program to help examiners review and provide recommendations regarding MFS.
Mobile Financial Services Technologies
Appendix E: MFS identifies four (4) current MFS technologies being employed by financial institutions:
- Short Message Service (SMS) mobile banking (text banking)
- Mobile-enabled Web sites and browsers
- Mobile Applications
- Wireless (mobile) payment technologies
SMS Mobile Banking
SMS mobile banking utilizes text messaging to allow a customer to provide financial transaction instructions to their financial institution. Typical SMS mobile banking transactions include information gathering (balance checking), transfer of funds between accounts, account alerts or updates, or one-time passwords for website authentication.
Mobile-enabled Web Sites/Browsers
Mobile-enabled Web sites and browsers allow a customer to access the same Internet banking products and services offered by the financial institution to a desktop computer user, except that the website or the browser is optimized for a mobile device (tablet, laptop, or smartphone). Mobile-enabled Web sites or browsers aim to enhance the customer experience by ensuring Internet banking products and services are in the best format for viewing on a mobile device.
Mobile Applications
Mobile applications are downloadable software applications developed specifically for use on mobile devices. Mobile banking applications are typically customized for a specific financial institution (branding, products, services, look-and-feel) and allow a customer to perform the same services (information gathering, initiating transfers, paying bills, etc.) as offered via traditional Internet banking. Mobile applications offer a faster, more user-friendly interface than SMS-based or Web-based mobile banking.
Wireless (Mobile) Payment Technologies
Wireless Payment Technologies (Mobile Payments) come in a variety of applications, including wireless payments at Point-of-Sale (POS) terminals (Apple Pay, Android Pay, or Samsung Pay), Peer-to-Peer Payments (Fiserv Popmoney, PayPal, Venmo), or other types of wireless payments (mobile wallets). Most Mobile Payment technologies allow the user to make a payment without the need for a physical card (or check) during the transaction.
Four (4) different types of Mobile Payment technologies are identified in Appendix E: MFS:
- Near field communication (NFC). NFC is a wireless protocol that allows for the exchange of payment credentials (or other information) stored on the mobile device only while the payment terminal and the device are within direct proximity of one another (“tapping” a device on an NFC terminal is often used to initiate the transaction).
- Image-based. Coded images similar to barcodes (quick-response or “QR” codes) are used to initiate payments. Credentials may be encoded within the QR code image or stored in the cloud. For example, specific retailers might use QR codes to identify customers in a closed-loop mobile payment system.
- Carrier-based. Carrier-based transactions are billed directly to a customer’s mobile carrier (cellular) invoice. Merchants are paid directly by the mobile carrier, bypassing traditional payment networks. For example, a carrier-based payment may occur when mobile users donate money to charity through SMS messages or purchase an “add-on” in a mobile gaming application.
- Mobile P2P. Peer-to-Peer Payments (P2P) are most often initiated on a mobile device using the recipient’s mobile phone number, e-mail address, or another identifier. Payment is through established retail payment technologies. P2P Payments may be made via text message (SMS) or mobile application (Fiserv Popmoney). P2P allows a customer to send money via their mobile device to other users enrolled in the institution’s system.
While MFS continues to gain market share, as far as payment platforms are concerned, established retail payment channels (ACH, credit/debit card networks, EFT, etc.) are still the backbone of transferring money between financial institutions. The traditional retail payments channels allow financial institutions to leverage existing banking relationships to verify identities, satisfy federal anti-money laundering requirements, and fund accounts despite the new technologies and risks regarding mobile-based transactions.
What are the Risks associated with MFS?
The institution’s risk management process should incorporate the risk of using Mobile Financial Services. The risk of using MFS depends on the types of functionality offered by the institution, the type of information being stored, transmitted, and processed through the MFS, and the rate of adoption. Appendix E: MFS identifies four (4) categories of risk associated with Mobile Financial Services:
- Strategic Risk: The institution must determine if utilizing MFS aligns with the existing Strategic vision, goals, and risk appetite. If implementing MFS does not align with these strategic planning items, strategic risk increases.
- Operational Risk: Operational Risks of MFS include the risks around transaction initiation, authentication and authorization, and the MFS hardware and software itself. Specific MFS Operational Risks identified in this guidance include:
  - Rogue Malicious Applications – applications that impersonate mobile financial services applications, or that compromise the code of a legitimate MFS app and inject malicious software into it
  - SMS Phishing/Spoofing – impersonating a text message (SMS) to obtain customer information. Similar to standard phishing emails, except via text messages. Also called “smishing.”
  - SMS Eavesdropping – intercepting and stealing information from text messages
  - Mobile-Enabled Web Application Vulnerabilities – mobile-enabled websites are subject to the same vulnerabilities as a standard website, including cross-site scripting (XSS), SQL injection, malicious software, and URL redirects
  - Unauthorized Mobile Applications – mobile applications that are not authorized by the manufacturer or listed in a mobile application store pose higher risk to the institution
  - Device Rooting/Jailbreaking – removing or bypassing manufacturer controls to gain root access to the device, providing additional access to the device’s operating system and files, which increases risk
  - Plain-text Data Storage – storing data on the mobile device (including usernames, passwords, account numbers, purchases, location information, etc.) in plaintext, i.e., without encryption
  - Insecure Application Development – since mobile applications reside on or operate over numerous cellular carriers, networks, operating systems, device types, and app stores, this decentralized mobile ecosystem can lead to different vulnerabilities that require patches and updates at different levels, increasing risk to the institution and the user
  - Lost/Stolen Device – a mobile device is much easier to lose or have stolen than a desktop (or even a laptop)
  - Unauthorized Payments/Transfers – theft or unauthorized access can lead to payments or transactions being performed by unauthorized individuals
  - Wireless Eavesdropping – mobile payment information may be intercepted between the device and the Point-of-Sale terminal if proper encryption is not implemented
  - Identity Theft – unauthorized access to MFS may expose customer or transaction information, which may, in turn, lead to identity theft
  - Fake Accounts – using stolen identity information to create fake accounts on stolen devices using MFS
- Compliance Risk: Compliance risks to the institution include not being in compliance with consumer laws, regulations, and supervisory guidance, as well as failure to perform proper due diligence and ongoing management of MFS vendors
- Reputation Risk: the risk of the financial institution’s reputation being harmed as a result of information stored, transmitted, and processed through the MFS becoming compromised or interrupted for a period of time
The answer to preventing these attacks from affecting your institution and customers is layered security. Layered security includes implementing proper technical controls to help prevent phishing emails from reaching inboxes, building procedural controls such as proper backups and restricted user access controls to ensure proper implementation of technical controls, and most importantly, educating and testing employees and customers.
As with all new technologies that a financial institution is looking to implement, everything should start with the risk assessment. The risk assessment should identify the importance of the technology to be implemented, as well as the risks associated with it. The institution should then decide which controls to implement to mitigate the new organizational risk.
Mobile Financial Services require the interaction of numerous entities – including the institution, mobile network operators, application developers, device manufacturers, and other third parties – to ensure the secure transmission and processing of customer transactions. Below is a list of controls that financial institutions should consider implementing when rolling out MFS.
Strategic Risk: The institution must evaluate all new technologies during the strategic planning processes. Considerations include the products and services to be offered, types of transactions allowed, transaction limits, mobile architecture design, supported mobile devices, customer needs, and the use of third parties.
Operational Risk: Controls around Operational Risk should follow the layered-security approach at different levels, including vendor-controls, bank-controls, application-controls, and customer-controls. Controls to be evaluated include:
- Third Party Selection, Management, and Contract Review
- Transaction Limits
- Transaction Monitoring
- Geolocation Transaction Anomaly Detection
- Rapid Incident Notification
- Strong Authentication
- Customer Social Engineering Education
- Employee Social Engineering Education
- Customer Mobile Security Education
- Customer Mobile Risk Awareness
- Customer Enrollment Process
- Multifactor Authentication
- Out-of-band Authentication
- Formal SDLC process
- Annual Secure Source Code Audit
- Annual Application Vulnerability Assessment & Penetration Testing
- Re-Authentication Per Login
- Session Timeout
- Application Logging
- Anomalous Monitoring
Controls for specific MFS application types include the following:
SMS Mobile Banking
- Redacted Customer Information
- Limited Customer Access
- Security Tokens
- PIN Authentication
- PIN Regularly Changed
- SMS Phishing Awareness Campaigns
- Customer Education/Awareness for Compromised Sites
- Secure SDLC Process
- OWASP Web Application Compliance
- OWASP Mobile Application Compliance
- Customer Awareness to Baseline Mobile Controls
- Detection of Unsupported Web Browsers
- Detection of Unsupported Mobile Operating System
- Detection of Anti-XSS Software
- URL Whitelisting
- Avoid Redirects/Forwards
- URL Redirect Notification
- Website Application Assessment
- Hard-code URL
- Device Policy Enforcement (allowing MFS after requirements met)
- Customer Education/Awareness Application Secure Download/Install
- Security Testing in SDLC
- Deactivating Older Application Versions
- Customer Education Rooted/Jailbroken
- Application Review Storage of Customer Data
- Device or application encryption
- Application Development with Minimal Data Collection/App Permissions
- Detection of Unsupported Mobile Operating System
- Third Party Management
- Secure Back-end Servers
- Application Sandbox
- Vulnerability Awareness (US-CERT/FS-ISAC)
- Periodic Functionality Testing
- Traffic Filtering – DDoS
- Trusted Platform Modules
- Transmission Encryption
- Anti-malware software
- Storage Encryption
Compliance Risk: Management should reassess mobile service offerings regularly and ensure MFS offerings are in compliance with all current laws, regulations, and consumer protection guidance. Applicable disclosure requirements must be accessible on mobile devices. All policies and procedures must be updated to include current MFS offerings. The financial institution must train employees to handle MFS compliance issues.
Reputation Risk: To ensure the financial institution’s reputation is protected and monitored, management should ensure proper controls are in place around the MFS provider(s) that are storing, transmitting, and processing the institution’s confidential customer information. Controls to prevent the unauthorized disclosure of customer information and fraudulent transactions must be in place.
Monitoring and Reporting
Financial Institution management should ensure that proper monitoring and reporting are in place to ensure MFS products are meeting operational expectations. Such reporting should include the following:
- The acceptable levels of risk the financial institution is willing to assume
- Specific performance objectives and criteria, including quantitative methods for evaluating performance
- A comparison of actual performance to projections and benchmarks to identify trends
- Modification of expectations and strategic plans based on the performance of the MFS product, including an exit strategy if the product does not meet expectations or projections
Mobile Financial Services are not only here to stay, but they have also become a staple of modern banking practices. This guidance helps to break down the different types of MFS, including very specific threats and risk-mitigating controls applicable to each type of MFS. If your financial institution has not yet reviewed this guidance and updated its risk assessments accordingly, this update to the FFIEC Retail Payments booklet – Appendix E - Mobile Financial Services is a great place to start.
What can SBS do to help?
Secure Banking Solutions has a team of auditors and consultants that can assist you in updating your IT Risk Assessments and ensuring your Information Security Program adequately reflects the risk-mitigating controls around MFS.
Additionally, SBS is a leading provider of online risk management solutions designed to be your security expert. The TRAC information security suite of products includes our flagship module – IT Risk Assessment. TRAC’s IT Risk Assessment module is designed to provide pre-defined, financial institution-specific data that saves you the time of researching all of the applicable threats and controls for a specific IT asset. This pre-defined data acts as your security expert and helps to ensure your risk assessment is comprehensive and correct. No more guessing whether or not a threat or a control applies to your Mobile Banking application; it’s already included.
Written by: Jon Waldman, CISA, CRISC
Partner - Secure Banking Solutions
Vice President of Business Development - SBS Institute