WEBINAR TRANSCRIPT
MOBILE BANKING PANEL WEBINAR
MOBILE BANKING:
How to Balance Opportunities and Threats
Transcript of the Webinar Panel Discussion
FEATURING
Matthew Speare, SVP – Information Technology, M&T Bank
Sam Curry, CTO, RSA
Information Security Media Group © 2012 1
Mobile Banking: How to Balance Opportunities and Threats
As banking institutions globally roll out more services through the mobile
channel, security leaders are challenged to stay a step ahead of the evolving risks.
But what are today’s top threats, and what are the emerging security components
institutions must put in place to take advantage of new mobile opportunities?
Read on to learn from a leading banking/security practitioner, as well as the CTO of a major
security solutions vendor:
• Top security considerations when rolling out a mobile strategy;
• The truth about mobile malware and other fraud threats;
• How to influence end-user behavior;
• Emerging trends in mobile payments, authentication and regulation.
Matthew Speare, SVP – Information Technology, M&T Bank
Matthew Speare is responsible for Information Technology Operations, Telecommunications and Networking, Platform
Design and Support, Information Security and IT Risk Management, and Business Continuity Planning and Disaster
Recovery.
Sam Curry, CTO, RSA
Sam Curry is Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA.
He has more than 18 years of experience in security product management and development, marketing, engineering,
quality assurance, customer support and sales. Curry has also been a cryptographer and researcher and is a regular
contributor to a number of journals and periodicals. Prior to joining RSA, Curry was Vice President of Product
Management and Marketing for a broad information security management portfolio at CA.
VIEW THIS WEBINAR NOW »
http://www.bankinfosecurity.com/webinars/mobile-banking-how-to-balance-opportunities-threats-w-290
Transcript
“We’ve seen an evolution from malware to what I would call ‘grayware.’ It’s less about blowing up your computer than it is about subtly siphoning information.”
SAM CURRY, RSA

TOM FIELD: You and I have been talking about mobile banking for a number of years now. I think you did the first mobile banking webinar that we produced even, isn’t that right?

MATTHEW SPEARE: I believe you’re absolutely correct.

FIELD: It’s been several years. How would you say mobile banking is different now than when M&T first piloted its mobile program a number of years back?

SPEARE: Certainly I would think the acceleration of adoption, because if we comparably look at the late 90s when web banking became available and the adoption rate that occurred there is that, this really has accelerated in that it’s probably more in the area of 2-3 times faster the adoption rate than we saw in web banking. You’re getting out to a much broader user base much more and in some ways it makes a lot of sense, because what’s the one device that people carry with them all the time? It’s going to be their smart phone and so they have it readily accessible and they’re going to want to take advantage of some of the banking opportunities that you can do.

Then the other piece would be on the functionality and the user, what I would say is maturity level and demand. What I mean by that is that when we launched mobile banking, it really was about account balance, to find out where the closest ATM is. Then really it became the platform that people preferred to do their bill pays on. Also, alerting and the ability to get alerts for transactions that are occurring on your account via push-notification, people seem to love that. But then on the maturity level, what we found is that, after going down consumer retail web banking, we quickly got into where our business banking customers wanted that same type of functionality as well, as well as some things to be able to service their business better. As well as we’re certainly hearing from our very large business-banking customers that are much more sophisticated in their needs and requirements that there’s a huge desire out there to be able to provide the commercial-banking applications via mobile, most specifically around single-balance reporting and wire transfer, ACH and approval functionality that they preferred it. These are busy business folks that are moving around the country and they don’t want a wire transfer being held up on their account, so if they have the ability to approve that from their mobile phone, they really want to have that kind of capability. It has certainly gone upscale, as well as the adoption rate and feature functionality have just exploded.

FIELD: And remind me, what year was it that you launched your mobile pilot program? Was it 2007?

SPEARE: It was actually 2008 and for the first nine months it was really an SMS-based type of web banking that amazingly enough people still really like, and I’ll be honest that’s the one that I don’t get because I cannot ever remember codes. It then went to a web-based type of application so that it renders on multiple different types of devices and then matured into the app, which gives you a lot of functionality.

FIELD: So we’re talking basically four years, which on one hand seems like no time at all, but when you think of the evolution it seems like a great deal of time. Sam, in that same period of four years, how have you seen the threat landscape evolve?

SAM CURRY: Oh my goodness, enormously. I think just as Matt talked about a story of adoption on the side of real legitimate users around mobile for everything, from personal banking to commercial banking, the story in the threat landscape has been very much one of adoption as well. You’re a pretty stupid cyber criminal, or even nation state or hacktivist, if you aren’t in fact hacking. The risk-reward equation is just so staggeringly in favor of hacking over more legacy or traditional operations or means that it’s enormous. The cyber crime, I think just the ROI for targeting and doing crime online is so absolutely enormous, the chance of getting caught is slow and the potential audience that you can reach is enormous.

The second category is perhaps the often misused or abused term advanced persistent threat [attack]. Think of folks achieving political ends or economic means, economic ends by other means and this is the category. We’ve seen enormous activity on the dark side there, so folks who are investing the level of nation-state resources in attacking, but frankly most of it isn’t bigger, badder and meaner, it’s more effective. We’ve seen an evolution from malware to what I would call “grayware.” It’s less about blowing up your computer or destroying data than it is about subtly siphoning information and in some cases even producing malware that will
provide benefits so that it’s a bit of a trade-off between whether you want to keep it because it improves the performance of the device versus the potential violations of privacy it might cause.

And now that the bad guys have a certain critical mass, we’ve also seen them start to evolve techniques to get more efficiency. Ironically, some of the greatest adopters are things like cloud computing, which is happening in that threat landscape. In fact, we see fraud as a service. We see the mechanisms by which people will not just compromise accounts and credentials, but then they will distribute information and they will tie into their supply chain for cash out has likewise taken on highly specialized roles and in fact is being delivered as services in many cases, and they’re looking for new markets to expand, new places to grow and new vehicles for delivery of either their nefarious payloads or their ability to continue to commit crime and to do bad things.

The threat landscape in four years has evolved enormously in multiple directions, new actors on the stage, new tools and techniques in use, new objectives and even a change in some cases of some nation’s stances. I think the State Department here in the U.S. actually said that hacking would be considered an act of war last year, so some pretty remarkable advances if that makes sense.

“We’re going to adopt mobile in a way that we haven’t seen since the last big adoption of the Internet and I think the bad guys are going to follow.”
SAM CURRY, RSA

FIELD: Let’s look forward a little bit. Given what we’ve seen just in four years time even, where do you see the next mobile evolutions in terms of new customers, new technologies and even new services?

CURRY: I think the term mobile is going to become almost old-fashioned. That convergence everyone predicted for many years of all these different compute platforms, the tendency has been for compute to become more powerful and more distributed and I think it’s going to become a bit passé in the next three or four years to talk about mobile. Frankly, there will be those companies that can find a way to port their services and their products to the mobile platform. Many folks are holding back. They allow partial mobile access but still require a lot of things to be done on the old legacy platforms. Either you’re going to adopt it or you’re going to be left behind. And I think the tipping point is really coming in the next 12 months; it’s imminent.

From a user perspective and service perspective, just look at the rate of innovation of mobile devices and applications in the app markets and what have you, people expect those services to be available. I think from the threat side, and I won’t go too deep here because I think it’s only a tangent to your question, I think that where the business goes and where the value goes, especially when it’s lower risk and easier to actually hack these platforms, so too will the crime go. Matt, what’s your take?

SPEARE: I absolutely agree with you. What’s going to happen in the threat landscape and certainly where I think that we’re ultimately going is that it’s going to become device-agnostic. Now at the same time, I think we’re going to see an increase in feature functionality beyond what we see today and true adoption which I think is going to take more than the 12 months around a digital wallet. I’m no longer carrying credit cards, ATM debit cards. I won’t because I never use them, but my wife might get coupons which she might want to use and all digitally because we’ve already seen some airlines move that way and being able to provide that type of functionality.

But I think mobile wallet, mobile payments, or digital wallet/digital payment, are going to be coming specifically to the U.S. where we’ve already seen that movement in some of the more progressive parts of the world and that will allow for financial institutions to reach down into that under-banked market where traditionally financial institutions are providing this to their current type of customers. However, anywhere from 25-30 percent of the overall potential market doesn’t have a banking relationship. So this is an opportunity where you can have a virtual bank relationship and be able to conduct business - your personal payments - from your mobile device, whether it is iPhone, iPad, Android or whatever. And I think it will be an even greater increase in adoption. Unfortunately with that comes a more lucrative target for the bad guys.

CURRY: Actually before the lucrative comment for the bad guys part, I think it’s probably worth mentioning that the third world and the developing world are seeing an opportunity with the power of mobile stacks to frankly forklift and jumpstart their economies. Some African countries for instance have as much as 10 or 15 percent of GDP done on mobile devices already, and the opportunity would have an infrastructure to jumpstart even needing one, getting micro-finance and micro-payments as actually a possibility for people, and universal identity
programs like the one in India frankly means that a huge percentage of the population that previously was disenfranchised can now access everything from government benefits and the ability to actually use their mobile devices as a way of enabling them to get to a new lifestyle which is phenomenal and I think some of that is going to happen outside the U.S. first and then come in. And Matt, to your point, where the money goes so too go the bad guys, where the value is that’s where they go. We’re already seeing viruses for platforms that previously were considered not the playground to viruses. We’re seeing things like viruses spread to Linux operating systems, UNIX operating systems, and even to Mac, but I think we’re going to start seeing them now go to mobile as well.

FIELD: That was my follow-up question, because we talk about universal access, we talk about the under-banked and the fraudsters might be looking at this marketplace as the under-hacked. So that’s my question to you. How is the threat landscape evolving? And Sam, I would be curious from your perspective and Matt’s as well on the frontline?

CURRY: I can’t remember who said it but I heard someone once say the Internet was both the most over-hyped and the least over-hyped of all subjects he had ever heard of back in the 90s, that it wound up going many places we didn’t expect and it wound up with the .com bubble burst not being what we expected. At the same time, it’s both one of the greatest things that ever happened to civilization and one of the most over-hyped things that has ever happened to us. And I think the same could probably be said of mobile. That for us as human beings, we’re going to adopt mobile in a way that we haven’t seen since the last big adoption of the Internet and I think the bad guys are going to follow. It’s a question of when and of course predicting when is difficult.

I’m reminded that in the late 90s, when I was doing a lot of primary malware research we always were waiting for when we would see a critical mass of actual cybercrime hit things like desktop computers and personal computing. There was evidence of it then, but it was still very small and stochastic. Of course it did happen, but actually being able to predict the year in which it happened was very difficult. I think probably the biggest single thing in this space will be when most people move from doing most of their value-based transactions, their stock trades - as Matt was mentioning - or their ACH wire transfers and what have you, when they do that from a mobile platform and never had the desktop component or laptop component, then I think that’s going to be a radical change. That’s when the bad guys will shift and it will take about a development cycle or two, because they’re going to follow the money and if the money leaves the platform - because this is big business now - if the money actually leaves those platforms and moves to a new platform, they migrate or die. Just as on the good side, companies either embrace m-commerce or they get left out on the dark side too. If they don’t move to where the money is, they’re going to find themselves with drying up coffers and no future.
“By continuing to offer products and being able to prove out this trust relationship with financial institutions that this is a safe mechanism, [people] are naturally going to come along with that.”
MATTHEW SPEARE, M&T BANK

SPEARE: Sam probably has great visibility into a much broader ecosystem than we do. I mean certainly we have lots of customers, but at the same time we’ve been fairly fortunate in that we have yet to experience any fraud in this platform. Now that doesn’t mean that we’re not constantly keeping an eye out for it, and I think that really the hackers are looking more to the emerging markets where there’s much greater potential upside for their work there versus until the payments piece comes in that really it’s only the ability to approve things that you have set up in your Internet banking context. And so the mobile banking platforms in the U.S. themselves tend not to be a current target because of some of the limits on functionality while we allow our user base to become more educated and have greater demands on feature functionality.

CURRY: It’s that reserve of the final functions that I think is keeping it from being primarily mobile-based fraud. We do see fraud where there’s mobile compromise involved, but it’s not that mobile was the primary means for service. If you can compromise someone’s mobile, you can probably get access to things like their passwords for their e-mail and then you use that somewhere else, or they might have an out-of-band confirmation - let’s say they do something on the computer - that goes through the mobile device. We have seen some very small fraud statistics around that, but I think as soon as they can actually target one device in a simple hack and get the means by which they can then get to a cash-out just by hacking that one device, as soon as we can do that on the good side that’s when the bad guys will target it.

FIELD: Matt, as your customer base starts to get younger, how do you influence their mobile banking behavior, which I guess we have a presumption might not be as cautious as an older generation?

SPEARE: There’s the belief that the younger generation will take advantage of being a digital native and feeling a higher level of comfort on it. What we find is that demographically it’s not so much about the actual age as it is about their acceptance and usage of the Internet banking platform and then being able to become part of the mobile world and feel accepting of that. Actually, our highest adoption rate is not on new, younger users. It’s on an existing web-banking platform that says, “Okay, I’ve been using web banking for the last ten years and why not do it on my mobile phone?”

At the same time, let’s face it; there’s going to be that generation and I think it’s going to take a number of years for those that are in their teens today to have that natural tendency because they have for the life span that they remember these mobile devices available to them. It seems that, through personal experience, a lot of my neighbors with younger kids are getting a cell phone and very high-end cell phones at a younger and younger age. They’re going to feel that it’s a natural part of them so it’s going to be easier then to bring them along the path of, this is the type of platform that you would use for your entire financial relationship and your financial lifecycle management, all from the singular device because it allows you to see where you stand at any given point in time. It allows you to pay your friend the ten dollars that you owe them directly, as well as it allows you to manage your retirement planning all from that device. I think by continuing to offer products and being able to prove out this trust relationship with financial institutions that this is a safe mechanism, that there’s mitigation to go in there for a lot of the security threats out there, they’re naturally going to come along with that.

FIELD: Sam, I want to ask you about mobile malware. I know you’ve done a bunch of research into this. Do you find that mobile malware is more hype than reality, and how should we be approaching the topic?

CURRY: For the most part, it’s more hype than reality. We as a society tend to run at the sign of a crisis or at the sign of the first indicator of something bad happening, and we don’t tend to think in terms of long, slow changes or trends. So either malware is out of control or it’s not an issue. We rarely think about how it might slowly grow incrementally, sort of like the frog in hot water when you turn it up. Often an abused analogy, but it has some validity here that we don’t often notice change until it suddenly becomes something remarkable and then we get scared. In this analogy, the frog would suddenly notice the water got warmer after a few incremental increases and then would jump out in alarm. We do see some mobile
malware and most of it has been things like marginal exploits or proof of concepts. We haven’t yet seen this sustained phenomenon but it’s coming.

The real question is when will it actually take effect, and we have a lot of complacency on many of our mobile platforms. Most mobile platforms are in fact easier to compromise than traditional ones, and we take them with us everywhere. The potential to get detailed information on a personal life from a mobile device is enormous, so I think there’s a lot going on in terms of privacy violations right now, rather than outright theft or perhaps security concerns, although the line gets a bit blurred between the two. I’m not so worried that the malware itself will be bad; it will be abusive to the device. It will be that I installed something and I didn’t really understand those permissions. I might even have trusted the company that gave it to me, but do I trust the next three updates for them will continue to behave in the same way and that they won’t go through financial difficulty and wind up making a shady deal with someone, or that they won’t themselves get hacked and exploited. Those sorts of things are happening and they do lead to tangible privacy violations for people right now. Rather than waiting for this looming specter of malware which will come, that shouldn’t be the thing that makes us all stampede like a herd away from a platform that otherwise is very attractive. Frankly, most people have no defenses at all on their mobile devices. They don’t have to put on any form of security control and there are no best practices. Nobody’s putting out advice on what to deploy. There are tools that you can get and there are companies that are putting first offers out there, but I think there’s going to be enormous pressure on the ecosystem to actually provide new controls, new permissions models and new ways of storing data in a more secure way.

Look at what we did with PPMs, for instance, in the older platforms, desktops and laptops. That has to start to emerge on the mobile phones as well. It can. A lot of the base features are there but nobody’s really implementing them and there’s not attention for it right now. It will be an interesting future. Now is not the year of mobile malware. I think I actually said that back in 2007 when we had one of those hype waves; but that will come. We already should be concerned about privacy and security’s looming on the horizon. As soon as it’s attractive for you to do something and it’s able for you to do something online, then it’s also possible that the bad guys can come along and steal it.

FIELD: Matt, to this point you’ve been lucky. You said there have been no breaches because of the mobile channel, but you’re prepared. How does an institution respond to a breach in mobile banking security when it does occur?

SPEARE: I think that you have to adopt the model that you have already and hopefully you do have one for how you respond to a breach in general. And by having that
“Frankly, most people have no defenses at all on their mobile devices.”
SAM CURRY, RSA

playbook you would have it on, who are the right people to pull together upon a breach notification and then how do you engage with your regulators and ultimately with the customer notification piece, which ultimately will have to come? Unfortunately, the first bank that does have a breach around their mobile banking platform is going to show up in the media quite a bit, and hopefully, knock on wood, that’s not us. However, to Sam’s point, as this evolves over time it will happen. You have to be prepared and hopefully you’ve done your work around breach notification already, and that’s one of those things that regulators have been looking at for a while and it’s just a good practice.

When you think about it, banking is a trust relationship. You can’t go into your bank branch and say, “I’d like to see my money.” It doesn’t exist. It’s ones and zeros on systems that we provide from a banking services web. When you have a breach event, you’re now breaking the trust with that customer and you have to have your message together as well as what are you going to do to be able to do the analysis on what occurred to prevent it from happening again and be able to communicate that to your customers? And it’s all ultimately dependent upon your ability to be able to determine if the breach path was in mobile - whether it was Internet - or was it because of privacy issues where customer information was able to be used to take on some kind of lending activity or setting up false accounts. You really have to have a robust monitoring ecosystem so that you can narrow down where it did occur because we all have multiple channels that this could occur at.

FIELD: Do you think that a mobile banking security breach is going to be perceived as a bigger deal by the general populace just because of the novelty of it?

CURRY: The very first time something like this happens it can cause massive concern. A lot of it will depend on how it’s made public and how it happens. I think the first time this happens it will get massive attention and I certainly wouldn’t want to be in those shoes for the company that has it happen to them first. I also think it’s one of the reasons why folks are so hesitant to expose a full-feature set around a lot of mobile transactions, but the first one will be big and will send a lot of alarmist waves that will be out of proportion. We’ve seen this before with other attacks that go public. Time will show as it evolves, but I think the first one will be, I suppose, a hack heard around the world.

SPEARE: I couldn’t agree with you more Sam. For the first one, and perhaps the next couple after that, depending upon the scale of the breach they will get more press attention mainly because of the novelty of this channel, but then after that it will go into the routine. If you go to PrivacyRights.org and take a look at all the breaches that have occurred not just in banking - because banking is one of the smaller areas that you see breaches in - but certainly around privacy information, healthcare, universities, the volumes continue to rise every year and you hear less and less about them and they don’t make quite the splash. [Mobile] will have that natural evolution over time as well.

FIELD: Let’s talk about the security and privacy approaches that are necessary for mobile. What are the new skills that our teams are really going to need to develop to be able to satisfy these needs adequately?

CURRY: I think the first one is technical skills. It’s a new stack. It’s a new set of platforms. You have to have people who understand, for instance, iOS and understand Droid. In particular, more may be coming, especially with Microsoft weighing in, RIM and Nokia both having moves yet to be made. I think there are new stacks, new information, new waves and new ways things flow. We’ve already started to see concerns about low-stack device concern, what will happen with HTML5 and what can you do for mobile app management and device management. Apple itself has said they want to raise the bar on mobile security with their next release, which I’m waiting patiently to see. So you’ve got a whole set of technical skills.

Two, strong fundamentals in security, especially having seen how to apply those in more legacy areas like network or endpoint security, are a great tool kit to have, but I think that frankly the CIO has a challenge. On the one hand, the CIO has seen their infrastructure where their entire applications move out of their control and go to things like the cloud. Now on the other hand, they’re seeing mobile devices leave the infrastructure and that standard operating environment they used to be responsible for, their customers are now in unpredictable massive combinations and permutations of devices accessing that on the other hand. They’ve got a real challenge.

Then [it’s] a whole new way of translating the risks of these platforms into business risk that
executives can understand and the public can understand, because a lot of it is very esoteric and scary to folks. I think one of the worst things that can happen is if the hype gets really bad and the flood gets really bad, the fear, uncertainty and doubt is that people will slow their adoption of what could be one of the greatest things to happen to us as a civilization since the Internet, and that would be a tragedy in and of itself.

“Unfortunately, the first bank that does have a breach around their mobile banking platform is going to show up in the media quite a bit.”
MATTHEW SPEARE, M&T BANK

We’ve got massive new skill sets to learn within the companies from the actual workers to the managers and to the executives, and then we really have to forge a deep understanding in simple terms in the public of these things. And you also mentioned earlier about generations. The retirees I think are the biggest adopters of new technologies and have no idea of how to be safe and secure while doing it. With an aging population in general, I think they’re going to want to buy the latest iPhone or the latest Droid. They’re going to want to do it and they’re going to want to do all their retirement benefits on it and everything else, and you can’t have that generation getting scared of technology. That would be a disaster.

SPEARE: When you look at the U.S. banking industry as a whole, you have maybe 10-25 banks that are large enough to be able to build out the necessary technical skill sets, but there’s another 8,000-plus banks out there that are going to want to be able to provide this to their customers and they’re not going to know who to go to, which service providers to use or what questions to ask to the service provider, and how to ultimately monitor those service providers around security levels. They’re not big enough, they’re not mature enough and certainly they’re all good bankers but they don’t know technology.

What you’re going to evolve over time is the ecosystem of large service providers who are going to have this as part of their offering platform and we that are larger in the industry are going to have to push them on being able to provide the depth of technical skills as well as monitoring capabilities versus it just being an app that’s on the phone and then they’re looking for anomalies in the back office. Because of this 24/7 utilization of these types of platforms - because they’re always on, I can’t even remember the last time that I rebooted my iPhone - they’re always accessible and the level of monitoring capabilities is going to have to double in terms of the capacity to react in real time to those anomalies that they can detect in real time. Today it’s a somewhat near real-time, almost after the fact, capability and all of these smaller financial institutions are going to be totally dependent upon these service providers to be able to provide that kind of security excellence.

FIELD: Matt, you’ve been critical in the past of a lack of regulatory guidance from mobile. What do you hope to see, maybe as soon as next year, in terms of mobile guidance?

SPEARE: What we need to see is a much faster cycle in the time that it takes to start working on a piece of regulatory guidance to it actually being published. I know Jeff Kopchik, and I think he did an absolutely great job in putting the last authentication guidance out, but it was really a three-and-a-half year process. This technology is moving so quickly that they really need to be dependent upon industry technology groups to provide them with what’s occurring and be able to dive into the details about what will be the best practices as well as the full expectation not being making requirements of certain types of technology, but here are the management capabilities that you must put in place to be able to offer this. I think that too often, especially as you go downscale in terms of the size of financial institution, there are less and less capabilities to be able to be proactive from a management standpoint, and so they need to be predictive in what are going to be their expectations.

I fully understand the reason why the last authentication guidance came out the way that it did, but really we need to look at this as a new channel. This is not just the Internet, having capabilities based in a web browser. These are all new functions and applications and we’re quickly going to move into near-field chip capabilities and phones in the U.S. and digital wallet and digital payment, and you can’t wait until three years after the fact to actually publish guidance for these banks because many of them are dependent upon the guidance of the FFIEC to determine what to do as well as what’s that standard they need to hold their service providers in.

FIELD: Sam, we’ve talked generally about fraud threats. How do you specifically envision the fraud threats evolving to match the technologies as they evolve?
“You really have to have a robust monitoring ecosystem so that you can narrow down where the [breach] did occur because we all have multiple channels that this could occur at.”
-MATTHEW SPEARE, M&T BANK
CURRY: The bad guys have an ROI to think about. They don’t tend to make many long-term investments. They tend to make incremental improvement to things that work. You’ll see a big splash, almost like a new product launch, from them and then you’ll see small refinements on that to reduce costs and reduce risk and exposure and to improve “quality.” To be specific, I think that the next phase of exploits is going to be characterized by simplicity, almost elegance in design. I think that they’re going to find ways to start by taking advantage of the human weakness as they’ve done in other platforms. In fact, I wouldn’t be surprised if the first exploits here actually were recognized as uniquely mobile. They would look like variations on a theme that we had seen before and extensions of other hacks, and they’ll try to get to the same kinds of targets they’ve got before. If folks have a cash-out mechanism, for instance, using mules to take advantage of things like stolen credit card numbers or debit card numbers, or even Social Security numbers, for some cash-out mechanism, then they will still be going after those prizes.

Simply exposing something of value out there isn’t necessarily going to attract the bad guys. If you attract something that there’s no cash-out mechanism for it, it will actually take longer for them to be attracted, and frankly that could lull people into a false sense of security or complacency. My advice is that anybody thinking about going and doing something that seriously offers value and the ability to move money to change ownership of things onto a mobile platform should have an aggressive program to update security and to revisit it, given that the landscape will change. It will happen with a big bang followed by lots of little incremental improvements.

But of course, this is the crystal ball. Everybody wishes they could see what would come first. How we act on the system will affect the system, and it’s far more complex than one or two people in their basement. This is a large, invested industry and frankly if you’re a criminal these days, you probably have to decide where you’re going to put your funds next. Are you going to attack things like the smart grid? Are you going to go after things like corporate data? In fact, the maker of Zeus, for instance, actually went from exploiting consumers and end-users to turning code over to another entity and going after enterprise targets, a higher investment in cost to hack and bigger payoffs down the road on a per-hack basis. That took investment and funds, and frankly a transfer of business, almost like you would see corporate mergers, acquisition and divestitures. Those sorts of things are going to have to shake down on the dark side as well.

“[It’s] a whole new way of translating the risks of these platforms into business risk that executives can understand and the public can understand.”
-SAM CURRY, RSA

FIELD: We see a number of organizations that rather than have their customers or their employees go outside the organization for mobile apps are developing their own in-house. For mobile banking, should banks be developing their own apps in-house?

SPEARE: I think it really comes down to a level of skills. Here’s the way I look at it. Globally, you probably have 30 banks that will have enough expertise to be able to do so and execute on and be able to do it well. I think the biggest challenge that you have is that when you look at mobile developers, they really in some ways have a different thought process in that they’re all about the project and they’re not tied to the institution. So where a lot of the mobile developers originally started in San Jose, they’re all about moving from one project to the next great project to the next great project and with that it makes it very difficult for financial institutions to be able to keep them around for a long period of time.

Additionally, with that I think you have very few that have the capability to not only understand banking and how it works from a workflow process but then be able to intuitively see where the vulnerability points are. That makes it very difficult for a bank to have any continuity of development opportunity in the mobile channel as well as being able to put security embedded in with those applications. I think it just makes it very, very difficult. From my perspective, I think that having those centers of excellence so that the organizations where this is what they do, they provide mobile banking applications and they have a level of banking expertise as well as technical expertise, and of course have to build in security with it, that’s going to be the more common model that’s going to be available out there. While banks would love to be able to drive down the cost of producing these types of applications, the reality is if you want in the game, it’s an expensive proposition and it’s ongoing caring
“Because of this 24/7 utilization of these platforms, the level of monitoring capabilities is going to have to double in terms of capacity to react in real time to those anomalies.”
MATTHEW SPEARE, M&T BANK

and feeding that has to occur and I think that most banks just are not prepared to do that. I think banking is probably less likely to do that.

CURRY: Even beyond banks, an institution has to make a decision strategically in the five-to-ten-year time frame how important mobile is going to be. That’s a tough question. It’s worth seeing how other companies near you address it; others in your vertical address it and regionally what mega trends folks see. Tap into your extended network if you don’t have these resources in your institution. The big question to answer is, if you were to draw a map of all the technologies that touch your business, how close to the center will mobile be in five to ten years? If the answer is close to the center and you come up with that, you need to be thinking about how you can use outsource help. But, how are you going to build a platform that enables you the most flexibility and control? If it winds up on the outside, then it’s a less important question. It might be a random experiment.

If we were to go back in time 15 years and ask folks this question with respect to the Internet, or even before that with respect to micro-computers, folks often did these sort of half-hearted experiments and then found that they were behind the curve for where they should be. It’s time to understand mega trends. It’s time to think strategically. You can outsource and still retain an ability to scale and to control things, but you’re going to have to not just contract someone to do a one-off app; that would be very dangerous.

The real question is, how serious do they want to put the functionality in the applications that they actually field and that’s a tough right decision, somewhat based on what your competition is doing and some of it will be based on how important you think it’s going to be to attracting the right kind of demographic to your offerings and your products. That’s not a trivial set of questions to answer.

FIELD: Sam, I would like to hear about the evolving forms of mobile authentication that you’re seeing and researching through RSA.

CURRY: This is fascinating because the first thing is we think of authentication as very episodic. It happens at a point in time. You prove that you’re Sam, for instance, prove that you’re Matt and then afterwards you get this open access for probably a fairly extensive period of time. The first thing we’re going to have to do is to have a more continuous form of authentication. We’re going to have to be sampling and doing off-checks more often.

The second thing is I really care about context. Context, context, context; it’s not just about whether you can provide a set of credentials to do a pass/fail. I actually want to know the conditions under which you’re accessing and the mobile device can actually give me everything from temperature to maybe even some biometrics soon and bio-feedback, things like heart rate, blood pressure and those sorts of things we’re starting to see some advances around. I can also tell relative motion. I can tell all kinds of things, even using the camera. What kind of environment you’re in without necessarily having to send feeds that would affect privacy back. In other words, I can tell patterns of behavior in and around the device, like what other wifis are around you, what other phones are around you. And I don’t care which specific ones; I just care if patterns are different.

First, we have this notion of more continuous, then second I have context and third - and it may sound strange to hear this from a company that does authentication - it’s not about any one form of authentication form factor. You often hear people talk about multi-credential authentication or multi-factor authentication and they say, “No, mine’s better because I do two or three.” Well, why limit yourself? Why not have ten, 20 or 30 and be able to really crisp up an image of people and a certainty of who they are and then take the whole authentication notion of, “Are you who you say you are? Yes or no?” and then come up with much more subtle degrees of difference, maybe different shades of gray if you will. [It’s] not just the black and white of are you Sam or aren’t you, but how much do I trust you to be Sam, and what do I want to authorize you under this context and this particular physical setting to do certain things. That’s a very different proposition than I think we’ve seen to date, and then of course that implies a very important part of this would be the machine running behind it to determine both what’s normal and not normal, when patterns have changed significantly without having to share the specifics of the pattern, and how do I look at things in a big data, big picture way to actually find things that are going to be indicative of fraud, insider theft, treason, those sorts of things, and then
“You often hear people talk about multi-factor authentication and they say, “No, mine’s better because I do two or three.” Well, why limit yourself? Why not have ten, 20 or 30 and be able to really crisp up an image of people?”
SAM CURRY, RSA

flagging them appropriately. That’s a much bigger challenge set than just, “What’s your certificate or your token,” and that’s where I’m thinking these days.

FIELD: I’m going to give each of you a chance to have some final thoughts, and Matt I will turn to you first. Crystal ball time, your predictions of what we’re going to see in mobile banking in 2013 whether in terms of services, technologies, threats. What do you see?

SPEARE: I see that digital wallet and digital payment, there are going to be at least three major banks that are going to launch those and get a large user base on them. Now, the larger banks are more progressive in that space and I think that will then allow many of us to quickly follow behind in terms of being able to offer that service, because as soon as you have the J.P. Morgan Chases of the world or Bank of America [have] it as part of their core offering set, then those of us that compete with them are going to want to follow and follow quickly, and my hope is that we all do so in a measured method so that we continue to build upon the trust that our customers have on us to provide them with secure mechanisms to do their banking, and that none of us jump in and try to move too fast without thinking through the potential vulnerabilities to the overall system of how we make payments and how we manage money on an end device. I think that’s coming and that’s going to be the tip of the iceberg of what’s going to follow in the years after that.

CURRY: I’m actually going to say what happens in the wider financial industries than just banking and consumer banking is going to have a big play here. What happens around insurance, what happens around credit, what happens around mortgages, even going up further, what happens around health will all drive expectations on the consumer’s part of what they can get out of a mobile device. I think that will also put pressure on banks to similarly meet with features and to do the same sorts of things.

The Bank of India - which is notoriously very conservative - has actually now allowed institutions that aren’t banks with a different requirement on cash out and reserve to get into banking. You’re starting to see telcos provide banking in some of those countries. I don’t think that will happen here in the U.S., but if it’s not done correctly, it will provide incentive for the bad guys to sharpen their tools and get ready to find victims somewhere and when the U.S. finally catches up, they’ll likewise come hunting here. I think [it’s] very interesting to watch what happens globally, very interesting to what happens in the rest of the financial industry and especially the credit card companies. There’s a big emphasis and [it’s] interesting to see what happens with consumer expectations of mobile devices because the bad guys are sharpening their knives and getting ready for a feast. Hopefully the banks move most appropriately and actually set some of the right standards here, but a lot is being determined outside of the sway of the banks I feel.
About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways: researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact
(800) 944-0401
sales@ismgcorp.com
4 Independence Way • Princeton, NJ • 08540 • www.ismgcorp.com