Human fallibility deemed weakest link in mobile banking security
09 November 2016
Source: Mobey Forum
Human fallibility is now one of the biggest risks that banks and financial institutions must manage in mobile financial services (MFS), according to a new report from the Risk Mitigation Workgroup of global industry association Mobey Forum, released today.
The Risk Review: Mobey Forum’s Guide to Risk Management in Mobile Financial Services contends that, in addition to device and software vulnerabilities, banks must pay particularly close attention to the high risks associated with the criminal targeting of end-users, through social engineering and phishing, for example, together with fraudulent impersonation of customers during the enrollment and installation of new apps and services.
Ron van Wezel, Senior Analyst at Aite Group and Co-Chair of the Risk Mitigation Workgroup at Mobey Forum, comments: “Today’s banks and financial institutions need to develop applications for multiple operating systems and many flavours of mobile device, so it can be easy for them to be distracted by the vulnerabilities of the technologies themselves. If they are to implement proper risk mitigation measures, however, it is vitally important that they also acquire specialist knowledge of the user-oriented threats which are now commonplace in mobile fraud. Our report offers a framework for banks to consult when conducting their own risk analyses.”
The Risk Review identifies twelve categories of threats and assigns each a ‘risk level’, based upon its likelihood of occurrence and its anticipated impact. The report then details appropriate mitigation measures that banks can implement before mapping these measures by stakeholder group, enabling banks to quickly identify required action points within their own organisations.
“Threats to the mobile device must not be considered in isolation,” adds Philippe Roy, IT Security Specialist at Danske Bank and Co-Chair of the Risk Mitigation Workgroup at Mobey Forum. “The smart phone is only the ‘user facing component’ of a much wider ecosystem of app stores, services and content providers. This interconnectivity exposes both the mobile device and its applications to increased risks, all of which must be carefully considered by banks before they launch new services.”
“Maintaining the delicate balance between user convenience and security is a fine line for banks to walk,” adds Sirpa Nordlund, Executive Director, Mobey Forum. “To succeed, banks must take a holistic view of risk; one that considers the weaknesses in both the technologies and their customers’ behaviour. As adoption rates increase, device-oriented financial services will diversify, making the risk landscape more convoluted and difficult for banks to navigate. We intend to produce content that will help banks and financial institutions maintain robust security in the digital age and, most importantly, mitigate risk, both for themselves and their customers.”
The Risk Review, the first of two parts, uses a standardised risk management approach to provide financial institutions with an overview of the field. Mobey Forum is now developing a second accompanying report, providing further guidance to financial institutions on mitigation measures and best practices to reduce the risks identified.