24 April 2014

Karl Rieder

Karl Rieder - GFT

15 | posts 66,636 | views 1 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Mobile Doesn't Have to Mean Insecure

22 September 2011  |  4060 views  |  3

In my last blog, I stated that security is the number one concern for retail bank customers and investment bank managers. In fact, at one time or another, nearly all of our investment banking clients who are considering building mobile applications for their employees have asked, “what if they lose their iPad on the Tube?” – a good question.

I think the best way to answer that question would be with another: “what if it were their laptop?”

Banks are perfectly comfortable providing portable computers to their employees and providing a mechanism for them to gain access to critical bank systems via the Internet (via a VPN or web access with SecurID-based two-part authentication). They do, rightly so, because they have mitigated the various security risks:

  • physical security – access to the portable is controlled by username / password
  • data security – data on the disk drives of their portables is often encrypted and password controlled as an additional protection; in this way, the disk drive cannot be read if removed
  • communication security – access to the bank systems is controlled by username and password and communications are encrypted via software (VPN client); web communication is always encrypted (https)
  • role based security – access to individual applications and functions within those applications is controlled by role-based authorization to ensure that employees can only do what they are authorized to
  • software security – portables have anti-virus and anti-malware software to inhibit malicious attacks

Well, you know what? You can do all the same things on mobile devices!

  • physical security – access to iPad, iPhone, Android or Blackberry devices can be protected by password and enforced upon installing an enterprise app. Disabling this feature can also disable the use of the app. Using a push notification system (near to real time) messages delivered to the device can also force the app to deny access or wipe any sensitive data
  • data security – application data on the device should always be minimized (in comparison to a portable computer, mobile devices will tend to hold far less information), and apps are capable of encrypting the data written to disk
  • communication security – as with enterprise web applications, apps should communicate with servers only via encrypted communication (https). Access to VPNs is also available on mobile devices both via the device’s browser and via device-specific apps
  • role based security – the same mechanisms used in web applications (user identification and authorization) should be applied to mobile apps
  • software security – for now, virus and malware are not a problem, but implementation of cross-site scripting prevention code can inhibit hackers from injecting client-side scripts to gain unauthorized access. Detecting if the device is jail broken or has rooted access, and subsequently locking the application or making the application unusable, also protects unauthorized access

Investment banks’ concerns about security of mobile devices and applications are warranted, but the technologies and best practices already exist to appropriately mitigate these risks. However, the bank must ensure that the applications built and used by its employees adhere to these best practices. In this respect, the support of a trusted technological partner with experience in mobile security is a welcomed advantage.

Karl Rieder, Delivery Manager, GFT

TagsSecurityMobile & online

Comments: (3)

A Finextra member | 23 September, 2011, 08:58

Agree and in favour of mobile banking - its been around for over a decade in one form or another.

The challenge with iPads and Smartphones is exactly that they are just like a PC, but they are not a PC.  There are unknowns around keyboard logging, viruses, rogue apps or security loopholes, and it is these uncertainties that prevent the banks from putting a firm tick in the box and supporting them.  In short, I don't agree that mobile device malware in not a problem.

Let's assume a browser on a smart phone is fundamentally the same as one on a PC.  The security (encryption) on the session is the same. But the ability for something else on the mobile device (IOS, Android, Windows...) to be sitting there logging activity is greater, because there is not the proliferation of trusted security software for those devices.  I am very sceptical about some of the top Android security apps simply because they require root access, access to everything on my device and are based in foreign countries.  Who knows what data they would be farming from my device.

So what about an on-device approach (custom banking App).  Now I have some some of these, and they are great.  As a retail bank customer its the best and fastest way for me to check my account. Once I have securely set up my App, the credentials are encrypted and only the App connects to the banks servers.  I am happy that this approach is secure and its very convenient for me - I just sign-on to the App and am happy that no resident (or remote) code could do the same.  Add a visual verification image and it would be even safer.  The device checks you mention are also perfectly sensible.

What do others think?  I am only talking (and experienced) about retail bank access and you are talking Investment Banking which is more to do with corporate/employee access.

 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 23 September, 2011, 14:34

Great article! Drawing an analogy between smartphones / tablets and laptops is a masterstroke in making the case for the adoption of mobile devices in investment banking applications.

Now, the bad news: A Top 5 UK bank had a corporate policy until three years ago not to have WiFi on its corporate laptops! (To be sure, their policy changed later).

Point is, while security might be the bogey, the bigger challenge might lie in finding compelling reasons for using mobile devices to access such applications in the first place viz. does smartphone-based trading improve trader productivity without introducing new compliance risks; can a financial adviser increase ticket size by reviewing the customer's portfolio on a tablet, etc. The challenge is exacerbated by the fact that banks have already invested in enabling these applications for laptops not so long back and now need a strong business case to justify additional investments to enable them for mobile devices. While only time will tell when and whether this will happen, we can be reasonably sure that alleviation of security concerns will not be the tipping point.

James King - Kinglear Enterprises Agent for Alacrity - Sydney | 30 September, 2011, 00:38

What about mobile thin client.  Application built at the back end as a platform.  Send an alert to the customer to click on link and draw them back up, after they validate themselves--the system requests a signature pin/password to be involved.  No down load of data to the cell phone.  the phone acts as a key ro view and interact not as a wallet or bin.  Cost effective for all parties and secure.

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Karl

From Evolution to Revolution

09 April 2014  |  699 views  |  0  |  Recommends 0 TagsInnovationGroupInnovation in Financial Services

Volcker - The Ultimate Challenge

03 March 2014  |  844 views  |  0  |  Recommends 0 TagsRisk & regulationGroupInnovation in Financial Services

Why is Mobile Banking Considered Unsafe?

22 May 2013  |  3787 views  |  1  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Apple and the Future of NFC

12 February 2013  |  5513 views  |  2  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

Mobility - Social Networking is Unavoidable

23 November 2012  |  8521 views  |  0  |  Recommends 1 TagsMobile & onlineGroupFinance 2.0
name

Karl Rieder

job title

Executive Consultant

company name

GFT

member since

2011

location

London and Barcelona

Summary profile See full profile »
Executive Consultant, with extensive IT management experience, leading developments for large cor...

Karl's expertise

What Karl reads
Karl writes about

Who is commenting on Karl's posts

Ketharaman Swaminathan