Retail Payment Systems
Mobile financial services (MFS) are the products and services that a financial institution provides to its customers through mobile devices. A mobile device is a portable computing and communications device with information-storage capability. The mobile channel refers to providing banking and other financial services through mobile devices.
Although the risks from traditional delivery channels for financial services continue to apply to MFS, the risk management strategies may differ.
As with other technology-related risks, management should identify, measure, mitigate, and monitor the risks involved and be familiar with technologies that enable MFS. This appendix focuses on risks associated with MFS and emphasizes an enterprise-wide risk management approach to the effective management and mitigation of those risks.
This appendix also discusses the technologies used in the mobile channel and may be helpful to the board and management for the integration of MFS into the institution's risk management program. The risks and controls addressed in this appendix, however, are not exhaustive. Additionally, this appendix contains a set of work program objectives to help the examiner determine the inherent risk and adequacy of controls at an institution or third party providing MFS.
MFS involve the use of a mobile device to conduct banking transactions and to initiate retail payments. Customers' mobile transactions often emulate those initiated on traditional desktop computers; however, MFS can provide more convenient transaction execution capabilities, such as the initiation or acceptance of mobile payments. MFS can pose elevated risks related to device security, authentication, data security, application security, data transmission security, compliance, and third-party management.
Customers are often less likely to activate security controls, virus protection, or personal firewall functionality on their mobile devices, and MFS often involve the use of third-party service providers. This appendix addresses the following technologies:
SMS is a text messaging service component of phone, Web, or mobile communication systems. SMS uses standardized communications protocols to allow devices to exchange short text messages.
Messages are short, limited to a fixed maximum number of characters, and are exchanged either between mobile devices or between businesses and mobile devices. Within the context of MFS, a customer uses SMS to send financial transaction instructions to the financial institution.
Financial institutions use SMS to provide information to customers, including account alerts, or to communicate one-time passwords for Web site authentication.
A mobile device's browser allows customers to access a financial institution's Web site. Many financial institutions provide mobile-enabled Web sites, in addition to their regular Web site, which may improve the customer experience. The mobile-enabled Web site is designed to detect the type of device the customer is using and serve a version of the site suited to it.
Mobile applications are downloadable software applications developed specifically for use on mobile devices. Mobile financial applications are developed by or for financial institutions to allow customers to perform account inquiries, retrieve information, or initiate financial transactions.
This technology leverages features and functions unique to each type of mobile device and often provides a more user-friendly interface than is possible or available with either SMS or Web-based mobile banking. Customers may use mobile technologies to initiate wireless payments at point-of-sale (POS) terminals, make person-to-person (P2P) payments, or make other types of wireless payments, such as parking meter and mass transit access payments.
A mobile wallet is a front-end application that stores payment card information on the mobile device and allows payments to be made using the device. The exchange of payment credentials and authorization between the mobile device and the payment recipient can use different core technologies.
Technologies that provide the ability to make wireless payments include near field communication (NFC) at the POS and other short-range wireless protocols. With traditional retail payment channels serving as the backbone of mobile payments, users typically are required to provide verifiable financial institution account information or a credit, debit, or prepaid card to establish and fund a mobile payments service. The traditional retail payment channels allow financial institution mobile payments providers to leverage existing banking relationships to verify identities, satisfy federal anti-money laundering requirements, and fund accounts.
Management should identify the risks associated with the types of MFS being offered as part of the institution's strategic plan. Management should incorporate the identification of risks associated with mobile devices, products, services, and technologies into the financial institution's existing risk management process.
The complexity and depth of the MFS risk identification varies depending on the functionality provided through the mobile channel and the type of data in transit and at rest. The identification process should include risks at the institution and those associated with the use of mobile devices where the customer implements and manages the security settings. In providing customers with avenues for performing banking activities through mobile devices, an institution may transfer to the customer the ability to implement security settings.
This transfer increases dependence on the customer to manage the controls over sensitive financial data. Additionally, there are numerous types of mobile devices that present different risks, and management should identify unique risks associated with specific devices. Before implementing mobile products and services, management should identify the associated risks, particularly in the areas of strategic, operational, compliance, and reputation risks.
When financial institution management fails to incorporate its decisions regarding MFS into its strategic planning, the institution's level of strategic risk may increase. Management should identify the risks associated with the decision to offer MFS and determine what types of MFS best fit with the strategic vision, goals, and risk appetite of the institution.
MFS introduce unique operational risks. Management should identify the risks involved with transaction initiation, authentication and authorization, and the MFS technology itself.
Some of the operational risks are associated with the mobile device and how the device communicates with the POS or other similar terminal.
Traditional payment risks associated with the underlying payment transaction are covered by the existing risk management guidance contained in earlier sections of this booklet. Additionally, customers reach MFS through varying access points, including a user's home network, a cellular network, NFC, Bluetooth, or public Wi-Fi connections such as those provided by a municipality or business, each of which carries its own exposure to eavesdropping and tampering.
MFS provide the opportunity to leverage tools and techniques not available in traditional banking payment products. The prevalence of mobile devices, common operating systems, and downloadable applications make these devices a target for malware and viruses.
Without additional controls, basic device access controls such as a personal identification number (PIN) may not adequately protect data stored on a mobile device, because such controls can be circumvented by someone with unrestricted physical access to the device. Additionally, a fraudster can compromise mobile application-based financial services by developing rogue, corrupted, or malicious applications, or by adding rogue code to applications that a customer downloads to his or her mobile device.
Therefore, management should consider the implications of operational risks when evaluating and implementing such technologies. SMS technology presents a number of security-related risks. SMS messages typically are transmitted unencrypted over widely used telecommunications networks, so they can be read in transit and are not a confidential channel. The messages are also vulnerable to spoofing: SMS spoofing is the manipulation of sender address information to impersonate a user or an institution. Similarly, fraudulent SMS messages (smishing) may mislead customers into revealing financial institution account information or information used to access financial institution systems, including one-time passwords delivered by SMS.
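The SMS risks above, and the use of SMS to deliver one-time passwords for Web site authentication noted earlier, are mitigated on the institution's servers rather than in the SMS channel itself. The following is an added example, not code from the FFIEC appendix or from any vendor: a transaction-bound OTP service that derives the code with an HMAC over the customer, payee and amount, so a code obtained by smishing or spoofing cannot authorize a different payment, and that enforces expiry, single use and an attempt limit. The class name, the in-memory store, the 6-digit format and the message wording are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 180   # assumed policy values for the example
MAX_ATTEMPTS = 3


class TransactionOtpService:
    """Issues one-time passwords bound to one specific payment instruction.

    The code is an HMAC over (customer, payee, amount, nonce). A code that a
    customer is tricked into forwarding therefore verifies only for the exact
    payment the SMS described, not for a payment the attacker substitutes.
    A dict stands in for the pending-OTP table (assumption for the example).
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # otp_id -> record

    def issue(self, customer_id: str, payee: str, amount_cents: int):
        nonce = secrets.token_bytes(16)
        otp_id = secrets.token_urlsafe(12)
        code = self._derive_code(customer_id, payee, amount_cents, nonce)
        self._pending[otp_id] = {
            "nonce": nonce,
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The SMS states what the code authorizes, so the customer can spot a
        # payee or amount they did not ask for before typing the code in.
        sms = (f"Code {code} authorises a payment of {amount_cents / 100:.2f} "
               f"to {payee}. The bank will never ask you for this code.")
        return otp_id, code, sms

    def verify(self, otp_id: str, customer_id: str, payee: str,
               amount_cents: int, submitted_code: str):
        rec = self._pending.get(otp_id)
        if rec is None:
            return False, "unknown or already used"
        if self._clock() > rec["expires"]:
            del self._pending[otp_id]
            return False, "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[otp_id]          # lock out online guessing
            return False, "too many attempts"
        # Recompute from the transaction being submitted NOW; if the payee or
        # amount differ from what the SMS described, the HMAC will not match.
        expected = self._derive_code(customer_id, payee, amount_cents, rec["nonce"])
        if not hmac.compare_digest(expected, submitted_code):
            return False, "wrong code"
        del self._pending[otp_id]              # single use
        return True, "ok"

    def _derive_code(self, customer_id, payee, amount_cents, nonce) -> str:
        msg = f"{customer_id}|{payee}|{amount_cents}|".encode() + nonce
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        # RFC 4226-style dynamic truncation to a 6-digit code
        offset = digest[-1] & 0x0F
        value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"


if __name__ == "__main__":
    svc = TransactionOtpService(secrets.token_bytes(32))
    otp_id, code, sms = svc.issue("cust-42", "ACME Ltd", 12500)
    print(sms)
    print(svc.verify(otp_id, "cust-42", "Mallory", 12500, code))   # (False, 'wrong code')
    print(svc.verify(otp_id, "cust-42", "ACME Ltd", 12500, code))  # (True, 'ok')
```

Binding the code to the payment does not stop an attacker who controls the customer's number outright (SIM swap), which is why the appendix treats SMS as a weak channel; it does remove the value of a code phished in real time for a different transaction, which is the attack the spoofed and fraudulent messages above set up.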
Mobile-enabled Web sites rely on existing Internet security protocols, which leaves the sites subject to many of the same vulnerabilities as conventional Web sites, including malware attacks, eavesdropping, and spoofing. Additionally, mobile devices can be limited by their hardware and operating systems, which can result in a reduced level of security.
Mobile Web browsers are common starting points for malicious attacks, and malicious messages can come from many other sources. Whereas desktop browsers commonly include anti-phishing modules (programs, either integrated with or built into the Web browser, that display the real domain name of the site a user is visiting to help prevent fraudulent sites from posing as legitimate ones) and anti-cross-site scripting (XSS) modules, many mobile browsers do not.
Attackers may exploit this gap to bypass access controls. The lack of anti-phishing and anti-XSS modules increases the possibility of loss of sensitive information when using a mobile device. As with any Web-based application, attacks involving unvalidated redirects and forwards are possible: an unvalidated redirect occurs when a Web application accepts untrusted input that causes it to redirect the request to a malicious URL. A user may be redirected and not realize it.
Such attacks can also lead to malware download and installation. By modifying a URL and redirecting the browser to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Users often find it difficult to recognize a phishing message or a forged Web site, or to determine whether a site is safe. Additionally, mobile browsers on small screens may not display the visual security cues (such as the full URL or the certificate indicator) that are more easily seen in full-scale browsers on large screens.
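The server-side check that closes the unvalidated-redirect hole, as an added example rather than code from the appendix or from any vendor. The unsafe pattern is shown beside a hardened version that accepts only same-site paths or absolute https URLs whose hostname is on an allowlist, and that handles the inputs which defeat naive string checks: network-path references (//evil.example), the backslash variants a browser reads as slashes, look-alike subdomains, userinfo tricks (https://good@evil.example) and non-http schemes. The hostnames and the default landing page are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed hostnames for the example institution.
ALLOWED_HOSTS = {"mobile.bank.example", "www.bank.example"}
DEFAULT_LANDING = "/accounts"


def redirect_target_unsafe(next_param: str) -> str:
    """The vulnerable pattern: the 'next' parameter is trusted verbatim, so
    /login?next=https://evil.example/ bounces a freshly authenticated
    customer straight to a phishing page."""
    return next_param or DEFAULT_LANDING


def redirect_target(next_param: str, allowed_hosts=ALLOWED_HOSTS,
                    default: str = DEFAULT_LANDING) -> str:
    """Return a redirect target that is either a path on this site or an
    https URL on an allowlisted host; anything else falls back to default."""
    if not next_param:
        return default
    # Browsers treat backslashes as slashes in URLs; normalise before parsing
    # so "/\evil.example" is not mistaken for a local path.
    candidate = next_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept only an absolute path on this site.
        # "//host/..." has a netloc and never reaches here; "///host" does,
        # hence the explicit check for a leading "//".
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    if parts.scheme.lower() != "https":
        return default                     # http://, javascript:, data:, ...
    if parts.username is not None or parts.password is not None:
        return default                     # https://mobile.bank.example@evil.example
    host = (parts.hostname or "").lower()  # hostname, not the raw netloc
    if host not in allowed_hosts:
        return default                     # mobile.bank.example.evil.example
    # Rebuild the URL from the parsed, validated pieces; drop any fragment.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for p in ["/accounts/transfer?id=7", "//evil.example/x", "/\\evil.example",
              "https://mobile.bank.example.evil.example/", "javascript:alert(1)",
              "https://MOBILE.bank.example/transfers?id=1"]:
        print(f"{p!r:50} -> {redirect_target(p)}")
```

Whatever the framework, the allowlist is checked on the parsed hostname, never by a string prefix on the raw parameter: a startswith("https://mobile.bank.example") test passes both the look-alike subdomain and the userinfo case above.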
Applications can be downloaded onto mobile devices from a number of application stores. Although device manufacturer-authorized application stores perform due diligence, applications may still contain vulnerabilities that cause risks to the user and the financial institution.
On some mobile devices, it is possible to download an application from application stores not authorized by the manufacturer, which poses a greater risk of users being exposed to malicious code because the applications may not be adequately reviewed by the store. Distribution of malware through applications is a material risk to the institution and its customers because of malware's ability to compromise sensitive data and monitor communications.
Another risk to the institution and its customers arises from the end user's ability to gain root-user access to the device. The root user is the conventional name of the account that has all rights or permissions to all files and programs; having such rights allows the root user to do many things an ordinary user cannot.
The process of gaining such access is known as "rooting" (or, on some platforms, "jailbreaking"). For certain mobile devices, rooting and jailbreaking allow the user to download applications from untrusted sources, which may introduce malware onto the device; they also remove the operating-system sandbox that keeps one application from reading another's data. Many applications store usernames, passwords, and e-mail addresses in clear text. Because users often reuse the same usernames and passwords across systems, information obtained from a poorly designed mobile application can be used to compromise user accounts on other systems.
Mobile applications collect a range of personal information. These data are valuable to attackers and can result in compromised user privacy. Without properly securing the mobile application, unauthorized users can gain access to the back-end databases containing confidential information. The mobile ecosystem is the collection of carriers, networks, platforms, operating systems, developers, and application stores that enable mobile devices to function and interact with other devices.
Vulnerabilities may exist in any area of this decentralized mobile ecosystem and, therefore, result in a multi-entity patch management process among mobile device operating system developers, device manufacturers, wireless carriers, and other application developers. As a result of the decentralized ecosystem of some devices, a known vulnerability may remain unremediated while the various parties review, update, and ensure compatibility with their applications and the security mitigation.
Additionally, integrating MFS application functionality with other applications and services on the customer's device may introduce vulnerabilities because MFS applications are not built in or native to the device. The portability of mobile devices can lead to the devices being misplaced or stolen, which may allow unauthorized access to the mobile wallet or user credentials. Such access can result in unauthorized payments and funds transfers and fraudulent purchases.
Because mobile payments at the POS may use NFC, communications between the device and the POS terminal can be intercepted while the device is in the user's possession. The NFC link itself provides no encryption; even where the payment application protects the exchange (for example, with a tokenized card number and a per-transaction cryptogram), there remains a potential for unauthorized access to transaction information, which could be used to perpetrate financial fraud. Weak security controls in the payment provisioning or enrollment functions of an NFC payment system create the potential for fraud regardless of how well the tap itself is protected.
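Why an intercepted tap is of limited use to an eavesdropper, and why the provisioning step matters more, shown as an added example that is not code from the appendix or from any payment network. It is a simplified model of an EMV-style contactless exchange: the wallet holds a token PAN and a card-unique key issued at provisioning, keeps an application transaction counter (ATC), and answers the terminal with a cryptogram over the amount, the ATC and the terminal's unpredictable number. The issuer rejects replays and altered amounts. HMAC-SHA256 stands in for the EMV session-key and ARQC mechanics, and the class and field names are assumptions.

```python
import hashlib
import hmac
import secrets


def _cryptogram(key: bytes, token_pan: str, amount_cents: int,
                atc: int, nonce: bytes) -> bytes:
    """Per-transaction MAC; stand-in for the EMV ARQC (assumption)."""
    data = f"{token_pan}|{amount_cents}|{atc}|".encode() + nonce
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class WalletCard:
    """Device side of a contactless tap: a provisioned token plus a
    card-unique key held in the device's secure storage."""

    def __init__(self, token_pan: str, card_key: bytes):
        self.token_pan = token_pan   # tokenized PAN, not the real card number
        self._key = card_key
        self.atc = 0                 # application transaction counter

    def respond(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Answer the terminal. Everything an eavesdropper can read here is
        bound to this amount, this counter value and this terminal challenge."""
        self.atc += 1
        return {
            "token_pan": self.token_pan,
            "amount": amount_cents,
            "atc": self.atc,
            "nonce": terminal_nonce,
            "cryptogram": _cryptogram(self._key, self.token_pan,
                                      amount_cents, self.atc, terminal_nonce),
        }


class Issuer:
    """Issuer host: the per-token keys handed out at provisioning and the
    highest ATC accepted for each token."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def provision(self, token_pan: str) -> bytes:
        """Enrollment. If identity verification at this step is weak, the key
        is handed to an attacker's device and every later tap is 'genuine';
        no amount of cryptography at the terminal recovers from that."""
        key = secrets.token_bytes(16)
        self._keys[token_pan] = key
        self._last_atc[token_pan] = 0
        return key

    def authorize(self, msg: dict, amount_requested: int):
        key = self._keys.get(msg["token_pan"])
        if key is None:
            return False, "unknown token"
        if msg["amount"] != amount_requested:
            return False, "amount mismatch"         # terminal and card disagree
        if msg["atc"] <= self._last_atc[msg["token_pan"]]:
            return False, "replayed ATC"            # a captured tap sent again
        expected = _cryptogram(key, msg["token_pan"], msg["amount"],
                               msg["atc"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "bad cryptogram"          # any field was altered
        self._last_atc[msg["token_pan"]] = msg["atc"]
        return True, "approved"


def tap(card: WalletCard, issuer: Issuer, amount_cents: int):
    """One POS transaction: the terminal picks an unpredictable number, the
    device answers, the terminal forwards the answer with its own amount."""
    nonce = secrets.token_bytes(4)
    msg = card.respond(amount_cents, nonce)
    return msg, issuer.authorize(msg, amount_cents)


if __name__ == "__main__":
    issuer = Issuer()
    card = WalletCard("4111TOKEN0001", issuer.provision("4111TOKEN0001"))
    msg, result = tap(card, issuer, 1999)
    print(result)                             # (True, 'approved')
    print(issuer.authorize(msg, 1999))        # (False, 'replayed ATC')
```

The token PAN that a sniffer sees at the terminal is not the real card number, and the cryptogram it sees is spent. The remaining attack surface is the one the text points at next: whoever can get the issuer to provision a key for a victim's card onto their own device does not need to intercept anything.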
Malicious actors using stolen identity information may be able to enroll a victim's card into a wallet on a device they control, which is why enrollment must be verified as carefully as the transaction itself.
Financial institution management should identify the compliance risks as it determines which MFS to offer and continue to monitor these risks as the technology for MFS evolves. Consumer laws, regulations, and supervisory guidance that apply to a given financial product or payment method generally apply regardless of the technology used to provide the products and services.
One of the challenges in providing MFS is that a significant portion of the innovation in the industry is driven by entities outside of the traditional financial services sector.
These entities may be unfamiliar with regulatory requirements and supervisory expectations that apply to regulated financial institutions and their service providers. Management should understand how the institution's risk profile changes when it uses any third party, but particularly a third-party service provider that is unfamiliar with the regulation and supervision of the financial services sector, to design applications.
Management should identify and consider how providing MFS may create reputation risk. Reputation risk is particularly relevant in the context of privacy and data security, as public scrutiny of the treatment of customer information continues to grow. The mobile channel, with many of its activities trending toward personalization (providing a tailored user experience based on user preferences), collects more customer information than traditional channels and so raises the stakes of a privacy failure.
Trust and security risks in mobile banking
Mobile devices — smartphones and tablets — are easy to use and can be taken almost anywhere. But they can also be lost or stolen, infected with malware, and used as a vehicle for fraud. Even so, smartphones and tablets are here to stay. The way consumers use them may change over time, but it is clear that mobile banking via smartphones and tablets is on trend to grow rapidly in the coming years. Mobile device software provider Malauzai Software, Inc.
As digital banking continues to rise, consumers expect to onboard and access financial institutions and smoothly manage their finances on any connected device. In parallel, financial institutions face a dramatic increase in the number of cyberattacks, with more sophistication and complexity. Fraudsters and hackers continuously challenge the security measures in place by financial institutions to protect their customers' sensitive data. We see that, even though financial institutions in the UK do a fairly good job and prevent approx.