Malware Threats and Risks in Mobile Banking

There has been a huge growth in the mobile threats. Mobile devices are exposed to record number of malware attacks from cyber criminals, including a 400 percent increase in Android malware, as well as highly targeted Wi-Fi attacks. Cyber criminals have turned their attention to mobile devices. At the same time, the gap between hacker capabilities and an organization's defenses is widening. These trends underscore the need for further mobile security awareness, as well as more stringent, better integrated mobile security policies and solutions.

Number of new malware threats steadily increased during 2010, from around 600 in the first quarter to nearly 1000 in the fourth quarter. Most targeted mobile platform was the symbian OS, used on Nokia smartphones and in the fourth new malware, a Zeus mobile variant, emerged that specifically targeted the platform. Apple’s ios and Google’s Android systems are also increasingly targeted.

Through close examination of recent malware exploits, there exists new areas of concern and clear recommendations on essential security technologies and practices to help consumers, enterprises/SMBs, and government entities guard against mobile device exploits.

A report indicated that 85% of the Smartphone users were not employing an antivirus solution on their mobile device to scan for malware. Of the 15%, who were using an antivirus product on their Smartphone, one in five of those users reported having been infected with a malicious application. With the rapid growth in the number of mobile phone subscribers growing at about 8 million a month in India, banks have been exploring the feasibility of using mobile phones as an alternative channel of delivery of banking services.

As there is an urgent need for a set of operating guidelines that can be adopted by banks as a few banks have already started offering information based services like balance enquiry, stop payment instruction of cheques etc, RBI has recently come out with operating guidelines for mobile payments. As per the guidelines, only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer mobile payment services to residents of India. Also, the services should be restricted to only to bank accounts/ credit card accounts in India which are KYC/AML compliant.

There can be two levels of mobile based banking service - the first or basic level in the nature of information like balance enquiry, SMS alert for credit or debit, status of last five transactions, and many other information providing services and the second or standard level in the nature of financial transactions such as payments, transfers and stop payments. For the standard level service one time registration should be done through a signed document.
The risk associated with the basic level of information services is much less compared to the standard level of actual payment services. Prior registration of the customers would be necessary irrespective of the type of service requested.

Guidelines are meant only for banking customers – within the same bank and across the banks. It would be the responsibility of the banks offering mobile payment service to ensure compliance to these guidelines. Only Indian Rupee based services should be provided. Banks may use the services of Business Correspondents for extending this facility, to their customers. The guidelines with regard to use of business correspondent would be as per the RBI circular on Business correspondents issued from time to time.

Framework enabling Mobile Payments
The framework enabling mobile payments services to banking customers would generally involve the collaboration of banks, mobile payments service providers and mobile network operators (MNOs). The service can also be provided as a proximity payment system, where the transactions are independent of the MNOs. In mobile payment systems, the banks provide the basic service framework, ensure compliance to KYC/AML norms, creates a risk management and mitigation framework, and ensures settlement of funds.

The mobile payments service providers are intermediaries for providing the technology framework for the implementation of the mobile payments services. The mobile network operators provide the telecom infrastructure and connectivity to the customers. Their role is limited to providing the SMS/WAP/GPRS/USSD/NFC GSM or CDMA voice and data services connectivity and in hosting the certain technology solutions like USSD. In a Non-MNO based systems, proximity or contactless channels like IRDA, RFID, Optical, NFC, etc. are used for communication between POS and the mobile phone of the customer.

The long term goal of mobile payment framework in India would be to enable funds transfer from account in one bank to any other account in the same or any other bank on a real time basis irrespective of mobile network a customer has subscribed to. This would require inter-operability between mobile payments service providers and banks and development of a host of message formats. Banks may keep this objective while developing solution or entering into arrangements with mobile payments solution providers. To ensure inter-operability between banks and between their mobile payments service providers, it is recommended that banks may adopt the message formats being developed by Mobile Payments Forum of India (MPFI).

Also, to meet the long term objective of a nation-wide mobile payment framework in India, robust clearing and settlement infrastructure operating on a 24x7 basis is considered necessary. Pending creation of such an infrastructure on a national basis, according to guidelines, banks may enter in to multilateral arrangement and create Mobile Switches / Inter-bank Payment Gateways with expressed permission from RBI.

Procedure set for Governance
Banks should get the Mobile payments scheme approved by their respective boards / Local board (for foreign banks) before offering it to their customers. The Board approval must document the extent of Operational and Fraud risk assumed by the bank and the bank’s processes and policies designed to mitigate such risk. Banks who have already started offering mobile payment service may review the position and comply with the guidelines within a period of three months from issuance of these guidelines.

Stipulations in the Guidelines
For the purpose of these Guidelines, “mobile payments” is defined as information exchange between a bank and its customers for financial transactions through the use of mobile phones. Mobile payment involves debit/credit to a customer’s account’s on the basis of funds transfer instruction received over the mobile phones.

The technology used for mobile payments must be secure and should ensure confidentiality, integrity, authenticity and non-repudiability. The Information Security Policy of the banks may be suitably updated and enforced to take care of the security controls required specially for mobile phone based delivery channel.

The mobile payments could get offered through various mobile network operator (MNO) based channels (SMS, USSD, WAP, WEB, SIM tool kit, Smart phone application based, IVR, voice, etc) and non MNO based proximity or contactless channels (IRDA, RFID, Optical, NFC, etc) and these various mobile channels offer various degrees of security and interaction capability.

While the objective of the RBI is to have a fully functional digital certificate based inquiry/transaction capabilities to ensure the authenticity and non-repudiability, given the complexities involved in getting this through all the channels and given the need for enabling mobile payments to facilitate financial inclusion objectives, it is suggested that the banks evaluate each of these channels in terms of security and risks involved and offer appropriate services and transactions. Banks are also advised to provide appropriate risk mitigation measures like transaction limit (per transaction, daily, weekly, monthly), transaction velocity limit, fraud checks, AML checks etc. per channel depending on the nature of the security features, risk perception by the bank offering the services and interaction capabilities.

It is suggested that the banks issue a new mobile pin (mPIN). To facilitate the mobile payments mPIN may be issued and authenticated by the bank or by a mobile payment application service provider appointed by the bank. Banks and the various service providers involved in the m-banking should comply with the following security principles and practices with respect to mPIN

a) Implement a minimum of 4 digit customer mPIN (6 digit mPIN may be the desirable goal)

b) Protect the mPIN using end to end encryption

c) Do not allow the mPIN to be in clear text anywhere in the network or the system

d) Authenticate the mPIN in tamper-resistant hardware such as HSM (hardware security modules)

e) Store the PIN in a secure environment

f) In case of offline authentication, the banks should ensure that a proper process is put in place to positively identify the customer the first time when the service is being enabled. An offline PIN may be used as the authentication parameter with security levels being as strong as in the case of online authentication. The bank may choose to issue its own offline PIN or adopt a customer-defined PIN.

g) A second factor of authentication may be built-in for additional security and as such the second factor can be of the choosing of the bank

All transactions that affect an account should be allowed only after authentication of the mobile number and the mPIN associated with it in case of MNO based payment service. In case of Non-MNO based mobile proximity payment, specific static or dynamic identifier should be used as second factor authentication along with mPIN.

Two factor authentications may be adopted even for transactions of information nature such as balance enquiry, mini statements, and registered payee details. Two-factor authentication (TFA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is a part of the broader family of multi-factor authentication, which is a defense in depth approach to security. From a security perspective, the idea is to use evidences which have separate range of attack vectors (e.g. logical, physical) leading to more complex attack scenario and consequently, lower risk.

It is suggested that proper system of verification of the mobile phone number should be implemented, wherever possible. This is to guard against spoofing of the phone numbers as mobile phones would be used as the second factor authentication. It may also be suggested but not mandatory, that either card number or OTP (one time passwords) be used as the second factor authentication rather than the phone number.

The following guidelines with respect to network and system security should be adhered to:

a) Use strong encryption for protecting the sensitive and confidential information of bank and customers in transit

b) Implement application level encryption over network and transport layer encryption wherever possible.

c) Establish proper firewalls, intruder detection systems (IDS), data file and system integrity checking, surveillance and incident response procedures and containment procedures.

d) Conduct periodic risk management analysis, security vulnerability assessment of the application and network etc at least once in a year.

e) Maintain proper and full documentation of security practices, guidelines, methods and procedures used in mobile payments and payment systems and keep them up to date based on the periodic risk management, analysis and vulnerability assessment carried out.

f) Implement appropriate physical security measures to protect the system gateways, network equipments, servers, host computers, and other hardware/software used from unauthorized access and tampering. The Data Centre of the Bank and Service Providers should have proper wired and wireless data network protection mechanisms.

Guidelines also speak about the banks dependency on mobile payments service providers. It becomes imperative that sensitive customer data, and security and integrity of transactions are protected, for which, mobile payments servers at the bank’s end or at the mobile payments service provider’s end, if any, should be certified appropriately, say through a PCI DSS certification or in compliance with each participant banks security guidelines.

In addition, banks should conduct regular information security audits on the mobile payments systems to ensure complete security. Further, if a mobile payments service provider aggregates and processes transaction, including verification of mPIN, additional security measures such as a Hardware Security Module (HSM) must be deployed over and above link encryption to ensure that mPIN data is protected adequately.

It is recommended that Internet Banking login ids and passwords may not be allowed to be used through the mobile phones. For channels such as WAP and WEB which do not contain the phone number as identity, a separate login ID and password be provided as distinct from the internet banking either by bank or the payment service provider. This restriction may be communicated to the customers while offering mobile payments service. However, Internet Banking login ids and passwords can allowed to be used through the mobile phones provided

a) Https connectivity through GPRS is used and
b) End to end encryption of the password and customer sensitive information happens.

Impact of Two factor authentication
Two factor authentications caused a 73% decrease in our average transactions and an 84% decrease against the highest volume day for the trailing 30 days as per the study conducted recently.

The RBI circular did not specify how two factor authentications should be implemented; they left that to the banks and payment gateways. Banks could have met the requirement by asking for a cardholder’s date of birth or billing address. Instead, they rolled out 3-D Secure, better know as Verified by Visa or MasterCard Secure--a two factor authentication scheme widely regarded as a failure for three reasons:

1. The design of the system is vulnerable to phishing or man-in-the-middle attacks
2. The scheme is designed from the ground up to protect merchants not customers
3. Payment failures increase massively causing losses for merchants and frustration for customers
The RBI mandate issued and implemented in 2009 explicitly exempted mobile-based online payments because 3-D Secure was never considered reliable for mobile transactions. Then, in April 2010, the RBI issued a new circular mandating the use of two factor authentication for all IVR and mobile-based online payments with effect from January 2011.

To comply with the RBI’s new guidelines, India’s banks have made it mandatory for a customer to generate a “One Time Password” (OTP) for every single mobile transaction. This creates additional overhead and headache for honest customers who just want to buy something. Also, it increases costs for India’s online companies by increasing failure rates and customer support costs.

Where there exist many other ways through which second level of authentication could be done...the OTP is not considered as the best method created. It is really an awesome process to first wait for the sms, then open it, commit the 6 digit password to memory, type half the password, then shift back to the sms to get the remaining numbers, all within the 2 minutes that was assigned to complete the entire transaction.

As we all know, security and fraud reduction are equally important to give Consumers the necessary confidence to shop online or via IVR, while we all understand our comfort is super important.

--------------------------
AUTHOR- Rajarajeswari S
+91 9940358662
--------------------------

List of Abbreviations
AML Anti Money Laundering
CDMA Code Division Multiple Access
GPRS General Packet Radio Service
GSM Global System for Mobile
IDS Intruder Detection System
IRDA Infrared Data Association
ISO International Standards Organization ( Some times also
written as International Organization for Standardization)
IVR Integrated Voice Response
KYC Know Your Customer
MNO Mobile Network Operator
mPIN Mobile Personal Identification Number
MPFI Mobile Payment Forum of India
NFC Near Field communication.
OTP One Time Password
PCI-DSS Payment Card Industry Data Security Standard
PIN Personal Identification Number
RFID Radio Frequency Identification
SIM Subscriber Identity Module
SMS Short Messaging Service
USSD Unstructured Supplementary Service Data
WAP Wireless Application Protocol

Other Services of Interest

  • Global Compliances - Free Webinar on key Global Regulations

    EVENT OVERVIEW: Riskpro India is conducting a free webinar on how to be future ready with respect to Global Compliances. Alleviate risk and strengthen your control on global compliance with this...
  • Sarbanes Oxley (SOX) Compliance - Free Webinar

    EVENT OVERVIEW: Riskpro India is conducting a free webinar on SOX (Sarbanes Oxley) Compliance which will take you through the applicability and requirements of the SOX 404 and 302 Act. The...
  • Auditing EUC - Free Webinar

    EVENT OVERVIEW Uncontrolled and untested spreadsheet models pose significant business risks. These risks include: lost revenue and profits; mis-pricing and poor decision making due to prevalent but...
  • Personal Data Protection Services (PDP) - India

    Overview of the Indian PDP Bill (draft) 2018 The Indian PDP Bill (draft) 2018 is one of the most momentous steps towards safeguarding the personal data of citizens. The Bill gives citizens a say...
  • SSPA Assessment - Microsoft DPR Assessments

    The Supplier Security and Privacy Assurance (SSPA) and Data Protection Requirement (DPR) previously known as the Vendor Privacy Assurance Program is an assessment for Microsoft suppliers/vendors who...
  • Self Assessment Software Login - India Data Protection Regulation

    Riskpro India has developed a Self Assessment tool to evaluate and manage the compliance gaps against the almost here regulation on Data Protection. The Free Login access provides you the ability...
  • India: Data Protection Services

    The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. Now India has its own version of Data protection regulation that will change...
  • Fire Safety Assessments and Training

    Some of our features of Fire Safety Assessments and Training • Fire Science • The common causes of fire • Identify fire hazards • Types of fires and extinguishers • Fire...
  • Data Protection Officer (DPO) Services

    Why a DPO The General Data Protection Regulation (GDPR) makes it compulsory for certain companies to appoint a DPO. this is a mandatory position that is expected to carry out certain defined tasks....
  • Go to top