The Federal Deposit Insurance Corporation is warning US financial institutions to step up risk management and security procedures in the provision of wireless networks and mobile customer services.
In a letter to chief executive officers, Michael Zamorski, director of the FDIC, says that financial institutions must take great care to prevent unauthorised access to sensitive financial data as it passes over wireless networks.
The FDIC notes that wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Such networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines. Many banks are also increasingly providing customers with mobile device access to Internet banking applications.
The FDIC warns that wireless technology carries risks beyond those incurred in the traditional networked environment, including the potential compromise of customer information and transactions, disruptions to services from radio transmissions of other wireless devices, network intrusion, and obsolescence of current systems due to rapidly changing standards.
"These risks could ultimately compromise the bank's computer system," notes the FDIC, resulting in financial loss, consumer identity theft, loss of consumer confidence and reputational risk from negative media attention.
"Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks," states Zamorski. "Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications."
As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier, he says. Steps that can be taken immediately in wireless implementation include:
* establishing a minimum set of security requirements for wireless networks and applications;
* adopting proven security policies and procedures to address the security weaknesses of the wireless environment;
* adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;
* adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;
* ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);
* providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and
* performing independent security testing of wireless network and application implementations.