Transcript
White Paper: Mobile Banking: How to Balance Opportunities and Threats

Information Security Media Group © 2012

MOBILE BANKING PANEL WEBINAR

Transcript of the Webinar Panel Discussion

FEATURING
Matthew Speare, SVP – Information Technology, M&T Bank
Sam Curry, CTO, RSA

WEBINAR TRANSCRIPT

MOBILE BANKING: How to Balance Opportunities and Threats


As banking institutions globally roll out more services through the mobile channel, security leaders are challenged to stay a step ahead of the evolving risks. But what are today’s top threats, and what are the emerging security components institutions must put in place to take advantage of new mobile opportunities?

Read on to learn from a leading banking/security practitioner, as well as the CTO of a major security solutions vendor:

• Top security considerations when rolling out a mobile strategy;

• The truth about mobile malware and other fraud threats;

• How to influence end-user behavior;

• Emerging trends in mobile payments, authentication and regulation.

Matthew Speare, SVP – Information Technology, M&T Bank

Matthew Speare is responsible for Information Technology Operations, Telecommunications and Networking, Platform Design and Support, Information Security and IT Risk Management, and Business Continuity Planning and Disaster Recovery.

Sam Curry, CTO, RSA

Sam Curry is Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA. He has more than 18 years of experience in security product management and development, marketing, engineering, quality assurance, customer support and sales. Curry has also been a cryptographer and researcher and is a regular contributor to a number of journals and periodicals. Prior to joining RSA, Curry was Vice President of Product Management and Marketing for a broad information security management portfolio at CA.

Mobile Banking: How to Balance Opportunities and Threats

Transcript of the Webinar Panel Discussion

VIEW THIS WEBINAR NOW » http://www.bankinfosecurity.com/webinars/mobile-banking-how-to-balance-opportunities-threats-w-290


Transcript

TOM FIELD: You and I have been talking about mobile banking for a number of years now. I think you did the first mobile banking webinar that we produced even, isn’t that right?

MATTHEW SPEARE: I believe you’re absolutely correct.

FIELD: It’s been several years. How would you say mobile banking is different now than when M&T first piloted its mobile program a number of years back?

SPEARE: Certainly I would think the acceleration of adoption, because if we comparably look at the late 90s when web banking became available and the adoption rate that occurred there is that, this really has accelerated in that it’s probably more in the area of 2-3 times faster the adoption rate than we saw in web banking. You’re getting out to a much broader user base much more and in some ways it makes a lot of sense, because what’s the one device that people carry with them all the time? It’s going to be their smart phone and so they have it readily accessible and they’re going to want to take advantage of some of the banking opportunities that you can do.

Then the other piece would be on the functionality and the user, what I would say is maturity level and demand. What I mean by that is that when we launched mobile banking, it really was about account balance, to find out where the closest ATM is. Then really it became the platform that people preferred to do their bill pays on. Also, alerting and the ability to get alerts for transactions that are occurring on your account via push-notification, people seem to love that. But then on the maturity level, what we found is that, after going down consumer retail web banking, we quickly got into where our business banking customers wanted that same type of functionality as well, as well as some things to be able to service their business better. As well as we’re certainly hearing from our very large business-banking customers that are much more sophisticated in their needs and requirements that there’s a huge desire out there to be able to provide the commercial-banking applications via mobile, most specifically around single-balance reporting and wire transfer, ACH approval functionality that they preferred it. These are busy business folks that are moving around the country and they don’t want a wire transfer being held up on their account, so if they have the ability to approve that from their mobile phone, they really want to have that kind of capability. It has certainly gone upscale, as well as the adoption rate and feature functionality have just exploded.

FIELD: And remind me, what year was it that you launched your mobile pilot program? Was it 2007?

SPEARE: It was actually 2008 and for the first nine months it was really an SMS-based type of web banking that amazingly enough people still really like, and I’ll be honest that’s the one that I don’t get because I cannot ever remember codes. It then went to a web-based type of application so that it renders on multiple different types of devices and then matured into the app, which gives you a lot of functionality.

FIELD: So we’re talking basically four years, which on one hand seems like no time at all, but when you think of the evolution it seems like a great deal of time. Sam, in that same period of four years, how have you seen the threat landscape evolve?

SAM CURRY: Oh my goodness, enormously. I think just as Matt talked about a story of adoption on the side of real legitimate users and around mobile for everything, from personal banking to commercial banking, the story in the threat landscape has been very much one of adoption as well. You’re a pretty stupid cyber criminal, or even nation-state or hacktivist, if you aren’t in fact hacking. The risk-reward equation is just so staggeringly in favor of hacking over more legacy or traditional operations or means that it’s enormous. The cyber crime, I think just the ROI for targeting and doing crime online is so absolutely enormous, the chance of getting caught is low and the potential audience that you can reach is enormous.

The second category is perhaps the often misused or abused term advanced persistent threat [attack]. Think of folks achieving political ends or economic means, economic ends by other means and this is the category. We’ve seen enormous activity on the dark side there, so folks who are investing the level of nation-state resources in attacking, but frankly most of it isn’t bigger, badder and meaner, it’s more effective. We’ve seen an evolution from malware to what I would call “grayware.” It’s less about blowing up your computer or destroying data than it is about subtly siphoning information and in some cases even producing malware that will provide benefits so that it’s a bit of a trade-off between whether you want to keep it because it improves the performance of the device versus the potential violations of privacy it might cause.

And now that the bad guys have a certain critical mass, we’ve also seen them start to evolve techniques to get more efficiency. Ironically, some of the greatest adopters are things like cloud computing, which is happening in that threat landscape. In fact, we see fraud as a service. We see the mechanisms by which people will not just compromise accounts and credentials, but then they will distribute information and they will tie into their supply chain for cash-out has likewise taken on highly specialized roles and in fact is being delivered as services in many cases, and they’re looking for new markets to expand, new places to grow and new vehicles for delivery of either their nefarious payloads or their ability to continue to commit crime and to do bad things.

The threat landscape in four years has evolved enormously in multiple directions, new actors on the stage, new tools and techniques in use, new objectives and even a change in some cases of some nations’ stances. I think the State Department here in the U.S. actually said that hacking would be considered an act of war last year, so some pretty remarkable advances if that makes sense.

FIELD: Let’s look forward a little bit. Given what we’ve seen just in four years time even, where do you see the next mobile evolutions in terms of new customers, new technologies and even new services?

CURRY: I think the term mobile is going to become almost old-fashioned. That convergence everyone predicted for many years of all these different compute platforms, the tendency has been for compute to become more powerful and more distributed and I think it’s going to become a bit passé in the next three or four years to talk about mobile. Frankly, there will be those companies that can find a way to port their services and their products to the mobile platform. Many folks are holding back. They allow partial mobile access but still require a lot of things to be done on the old legacy platforms. Either you’re going to adopt it or you’re going to be left behind. And I think the tipping point is really coming in the next 12 months; it’s imminent.

From a user perspective and service perspective, just look at the rate of innovation of mobile devices and applications in the app markets and what have you, people expect those services to be available. I think from the threat side, and I won’t go too deep here because I think it’s only a tangent to your question, I think that where the business goes and where the value goes, especially when it’s lower risk and easier to actually hack these platforms, so too will the crime go. Matt, what’s your take?

SPEARE: I absolutely agree with you. What’s going to happen in the threat landscape and certainly where I think that we’re ultimately going is that it’s going to become device-agnostic. Now at the same time, I think we’re going to see an increase in feature functionality beyond what we see today and true adoption which I think is going to take more than the 12 months around a digital wallet. I’m no longer carrying credit cards, ATM debit cards. I won’t because I never use them, but my wife might get coupons which she might want to use and all digitally because we’ve already seen some airlines move that way and being able to provide that type of functionality.

But I think mobile wallet, mobile payments, or digital wallet/digital payment, are going to be coming specifically to the U.S. where we’ve already seen that movement in some of the more progressive parts of the world and that will allow for financial institutions to reach down into that under-banked market where traditionally financial institutions are providing this to their current type of customers. However, anywhere from 25-30 percent of the overall potential market doesn’t have a banking relationship. So this is an opportunity where you can have a virtual bank relationship and be able to conduct business - your personal payments - from your mobile device, whether it is iPhone, iPad, Android or whatever. And I think it will be an even greater increase in adoption. Unfortunately with that comes a more lucrative target for the bad guys.

CURRY: Actually before the lucrative comment for the bad guys part, I think it’s probably worth mentioning that the third world and the developing world are seeing an opportunity with the power of mobile stacks to frankly forklift and jumpstart their economies. Some African countries for instance have as much as 10 or 15 percent of GDP done on mobile devices already, and the opportunity would have an infrastructure to jumpstart even needing one, getting micro-finance and micro-payments as actually a possibility for people, and universal identity programs like the one in India frankly means that a huge percentage of the population that previously was disenfranchised can now access everything from government benefits and the ability to actually use their mobile devices as a way of enabling them to get to a new lifestyle which is phenomenal and I think some of that is going to happen outside the U.S. first and then come in. And Matt, to your point, where the money goes so too go the bad guys, where the value is that’s where they go. We’re already seeing viruses for platforms that previously were considered not the playground to viruses. We’re seeing things like viruses spread to Linux operating systems, UNIX operating systems, and even to Mac, but I think we’re going to start seeing them now go to mobile as well.

FIELD: That was my follow-up question, because we talk about universal access, we talk about the under-banked and the fraudsters might be looking at this marketplace as the under-hacked. So that’s my question to you. How is the threat landscape evolving? And Sam, I would be curious from your perspective and Matt’s as well on the frontline?

CURRY: I can’t remember who said it but I heard someone once say the Internet was both the most over-hyped and the least over-hyped of all subjects he had ever heard of back in the 90s, that it wound up going many places we didn’t expect and it wound up with the .com bubble burst not being what we expected. At the same time, it’s both one of the greatest things that ever happened to civilization and one of the most over-hyped things that has ever happened to us. And I think the same could probably be said of mobile. That for us as human beings, we’re going to adopt mobile in a way that we haven’t seen since the last big adoption of the Internet and I think the bad guys are going to follow. It’s a question of when and of course predicting when is difficult.

I’m reminded that in the late 90s, when I was doing a lot of primary malware research we always were waiting for when we would see a critical mass of actual cybercrime hit things like desktop computers and personal computing. There was evidence of it then, but it was still very small and stochastic. Of course it did happen, but actually being able to predict the year in which it happened was very difficult. I think probably the biggest single thing in this space will be when most people move from doing most of their value-based transactions, their stock trades - as Matt was mentioning - or their ACH wire transfers and what have you, when they do that from a mobile platform and never had the desktop component or laptop component, then I think that’s going to be a radical change. That’s when the bad guys will shift and it will take about a development cycle or two, because they’re going to follow the money and if the money leaves the platform - because this is big business now - if the money actually leaves those platforms and moves to a new platform, they migrate or die. Just as on the good side, companies either embrace m-commerce or they get left out on the dark side too. If they don’t move to where the money is, they’re going to find themselves with drying up coffers and no future.


SPEARE: Sam probably has great visibility into a much broader ecosystem than we do. I mean certainly we have lots of customers, but at the same time we’ve been fairly fortunate in that we have yet to experience any fraud in this platform. Now that doesn’t mean that we’re not constantly keeping an eye out for it, and I think that really the hackers are looking more to the emerging markets where there’s much greater potential upside for their work there versus until the payments piece comes in that really it’s only the ability to approve things that you have set up in your Internet banking context. And so the mobile banking platforms in the U.S. themselves tend not to be a current target because of some of the limits on functionality while we allow our user base to become more educated and have greater demands on feature functionality.

CURRY: It’s that reserve of the final functions that I think is keeping it from being primarily mobile-based fraud. We do see fraud where there’s mobile compromise involved, but it’s not that mobile was the primary means for service. If you can compromise someone’s mobile, you can probably get access to things like their passwords for their e-mail and then you use that somewhere else, or they might have an out-of-band confirmation - let’s say they do something on the computer - that goes through the mobile device. We have seen some very small fraud statistics around that, but I think as soon as they can actually target one device in a simple hack and get the means by which they can then get to a cash-out just by hacking that one device, as soon as we can do that on the good side that’s when the bad guys will target it.

FIELD: Matt, as your customer base starts to get younger, how do you influence their mobile banking behavior, which I guess we have a presumption might not be as cautious as an older generation?

SPEARE: There’s the belief that the younger generation will take advantage of being a digital native and feeling a higher level of comfort on it. What we find is that demographically it’s not so much about the actual age as it is about their acceptance and usage of the Internet banking platform and then being able to become part of the mobile world and feel accepting of that. Actually, our highest adoption rate is not on new, younger users. It’s on an existing web-banking platform that says, “Okay, I’ve been using web banking for the last ten years and why not do it on my mobile phone?”

At the same time, let’s face it; there’s going to be that generation and I think it’s going to take a number of years for those that are in their teens today to have that natural tendency because they have for the life span that they remember these mobile devices available to them. It seems that, through personal experience, a lot of my neighbors with younger kids are getting a cell phone and very high-end cell phones at a younger and younger age. They’re going to feel that it’s a natural part of them so it’s going to be easier then to bring them along the path of, this is the type of platform that you would use for your entire financial relationship and your financial lifecycle management, all from the singular device because it allows you to see where you stand at any given point in time. It allows you to pay your friend the ten dollars that you owe them directly, as well as it allows you to manage your retirement planning all from that device. I think by continuing to offer products and being able to prove out this trust relationship with financial institutions that this is a safe mechanism, that there’s mitigation to go in there for a lot of the security threats out there, they’re naturally going to come along with that.

FIELD: Sam, I want to ask you about mobile malware. I know you’ve done a bunch of research into this. Do you find that mobile malware is more hype than reality, and how should we be approaching the topic?

CURRY: For the most part, it’s more hype than reality. We as a society tend to run at the sign of a crisis or at the sign of the first indicator of something bad happening, and we don’t tend to think in terms of long, slow changes or trends. So either malware is out of control or it’s not an issue. We rarely think about how it might slowly grow incrementally, sort of like the frog in hot water when you turn it up. Often an abused analogy, but it has some validity here that we don’t often notice change until it suddenly becomes something remarkable and then we get scared. In this analogy, the frog would suddenly notice the water got warmer after a few incremental increases and then would jump out in alarm. We do see some mobile malware and most of it has been things like marginal exploits or proof of concepts. We haven’t yet seen this sustained phenomenon but it’s coming.

The real question is when will it actually take effect, and we have a lot of complacency on many of our mobile platforms. Most mobile platforms are in fact easier to compromise than traditional ones, and we take them with us everywhere. The potential to get detailed information on a personal life from a mobile device is enormous, so I think there’s a lot going on in terms of privacy violations right now, rather than outright theft or perhaps security concerns, although the line gets a bit blurred between the two. I’m not so worried that the malware itself will be bad; it will be abusive to the device. It will be that I installed something and I didn’t really understand those permissions. I might even have trusted the company that gave it to me, but do I trust the next three updates for them will continue to behave in the same way and that they won’t go through financial difficulty and wind up making a shady deal with someone, or that they won’t themselves get hacked and exploited. Those sorts of things are happening and they do lead to tangible privacy violations for people right now.

Rather than waiting for this looming specter of malware which will come, that shouldn’t be the thing that makes us all stampede like a herd away from a platform that otherwise is very attractive. Frankly, most people have no defenses at all on their mobile devices. They don’t have to put on any form of security control and there are no best practices. Nobody’s putting out advice on what to deploy. There are tools that you can get and there are companies that are putting first offers out there, but I think there’s going to be enormous pressure on the ecosystem to actually provide new controls, new permissions models and new ways of storing data in a more secure way.

Look at what we did with PPMs, for instance, in the older platforms, desktops and laptops. That has to start to emerge on the mobile phones as well. It can. A lot of the base features are there but nobody’s really implementing them and there’s not attention for it right now. It will be an interesting future. Now is not the year of mobile malware. I think I actually said that back in 2007 when we had one of those hype waves; but that will come. We already should be concerned about privacy and security’s looming on the horizon. As soon as it’s attractive for you to do something and it’s able for you to do something online, then it’s also possible that the bad guys can come along and steal it.

FIELD: Matt, to this point you’ve been lucky. You said there have been no breaches because of the mobile channel, but you’re prepared. How does an institution respond to a breach in mobile banking security when it does occur?

SPEARE: I think that you have to adopt the model that you have already and hopefully you do have one for how you respond to a breach in general. And by having that playbook you would have it on, who are the right people to pull together upon a breach notification and then how do you engage with your regulators and ultimately with the customer notification piece, which ultimately will have to come? Unfortunately, the first bank that does have a breach around their mobile banking platform is going to show up in the media quite a bit, and hopefully, knock on wood, that’s not us. However, to Sam’s point, as this evolves over time it will happen. You have to be prepared and hopefully you’ve done your work around breach notification already, and that’s one of those things that regulators have been looking at for a while and it’s just a good practice.

When you think about it, banking is a trust relationship. You can’t go into your bank branch and say, “I’d like to see my money.” It doesn’t exist. It’s ones and zeros on systems that we provide from a banking services web. When you have a breach event, you’re now breaking the trust with that customer and you have to have your message together as well as what are you going to do to be able to do the analysis on what occurred to prevent it from happening again and be able to communicate that to your customers? And it’s all ultimately dependent upon your ability to be able to determine if the breach path was in mobile - whether it was Internet - or was it because of privacy issues where customer information was able to be used to take on some kind of lending activity or setting up false accounts. You really have to have a robust monitoring ecosystem so that you can narrow down where it did occur because we all have multiple channels that this could occur at.

FIELD: Do you think that a mobile banking security breach is going to be perceived as a bigger deal by the general populace just because of the novelty of it?

CURRY: The very first time something like this happens it can cause massive concern. A lot of it will depend on how it’s made public and how it happens. I think the first time this happens it will get massive attention and I certainly wouldn’t want to be in those shoes for the company that has it happen to them first. I also think it’s one of the reasons why folks are so hesitant to expose a full-feature set around a lot of mobile transactions, but the first one will be big and will send a lot of alarmist waves that will be out of proportion. We’ve seen this before with other attacks that go public. Time will show as it evolves, but I think the first one will be, I suppose, a hack heard around the world.

SPEARE: I couldn’t agree with you more Sam. For the first one, and perhaps the next couple after that, depending upon the scale of the breach they will get more press attention mainly because of the novelty of this channel, but then after that it will go into the routine. If you go to PrivacyRights.org and take a look at all the breaches that have occurred not just in banking - because banking is one of the smaller areas that you see breaches in - but certainly around privacy information, healthcare, universities, the volumes continue to rise every year and you hear less and less about them and they don’t make quite the splash. [Mobile] will have that natural evolution over time as well.

FIELD: Let’s talk about the security and privacy approaches that are necessary for mobile. What are the new skills that our teams are really going to need to develop to be able to satisfy these needs adequately?

CURRY: I think the first one is technical skills. It’s a new stack. It’s a new set of platforms. You have to have people who understand, for instance, iOS and understand Droid. In particular, more may be coming, especially with Microsoft weighing in, RIM and Nokia both having moves yet to be made. I think there are new stacks, new information, new waves and new ways things flow. We’ve already started to see concerns about low-stack device concern, what will happen with HTML5 and what can you do for mobile app management and device management. Apple itself has said they want to raise the bar on mobile security with their next release, which I’m waiting patiently to see. So you’ve got a whole set of technical skills.

Two, strong fundamentals in security, especially having seen how to apply those in more legacy areas like network or endpoint security, are a great tool kit to have, but I think that frankly the CIO has a challenge. On the one hand, the CIO has seen their infrastructure where their entire applications move out of their control and go to things like the cloud. Now on the other hand, they’re seeing mobile devices leave the infrastructure and that standard operating environment they used to be responsible for, their customers are now in unpredictable massive combinations and permutations of devices accessing that on the other hand. They’ve got a real challenge.

Then [it’s] a whole new way of translating the risks of these platforms into business risk that executives can understand and the public can understand, because a lot of it is very esoteric and scary to folks. I think one of the worst things that can happen is if the hype gets really bad and the flood gets really bad, the fear, uncertainty and doubt is that people will slow their adoption of what could be one of the greatest things to happen to us as a civilization since the Internet, and that would be a tragedy in and of itself.

We’ve got massive new skill sets to learn within the companies from the actual workers to the managers and to the executives, and then we really have to forge a deep understanding in simple terms in the public of these things. And you also mentioned earlier about generations. The retirees I think are the biggest adopters of new technologies and have no idea of how to be safe and secure while doing it. With an aging population in general, I think they’re going to want to buy the latest iPhone or the latest Droid. They’re going to want to do it and they’re going to want to do all their retirement benefits on it and everything else, and you can’t have that generation getting scared of technology. That would be a disaster.

SPEARE: When you look at the U.S. banking industry as a whole, you have maybe 10-25 banks that are large enough to be able to build out the necessary technical skill sets, but there’s another 8,000-plus banks out there that are going to want to be able to provide this to their customers and they’re not going to know who to go to, which service providers to use or what questions to ask to the service provider, and how to ultimately monitor those service providers around security levels. They’re not big enough, they’re not mature enough and certainly they’re all good bankers but they don’t know technology.

What you’re going to evolve over time is the ecosystem of large service providers who are going to have this as part of their offering platform and we that are larger in the industry are going to have to push them on being able to provide the depth of technical skills as well as monitoring capabilities versus it just being an app that’s on the phone and then they’re looking for anomalies in the back office. Because of this 24/7 utilization of these types of platforms - because they’re always on, I can’t even remember the last time that I rebooted my iPhone - they’re always accessible and the level of monitoring capabilities is going to have to double in terms of the capacity to react in real time to those anomalies that they can detect in real time. Today it’s a somewhat near real-time, almost after the fact, capability and all of these smaller financial institutions are going to be totally dependent upon these service providers to be able to provide that kind of security excellence.

FIELD: Matt, you’ve been critical in the past of a lack of regulatory guidance from mobile. What do you hope to see, maybe as soon as next year, in terms of mobile guidance?

SPEARE: What we need to see is a much faster cycle in the time that it takes to start working on a piece of regulatory guidance to it actually being published. I know Jeff Kopchik, and I think he did an absolutely great job in putting the last authentication guidance out, but it was really a three-and-a-half-year process. This technology is moving so quickly that they really need to be dependent upon industry technology groups to provide them with what’s occurring and be able to dive into the details about what will be the best practices as well as the full expectation not being making requirements of certain types of technology, but here are the management capabilities that you must put in place to be able to offer this. I think that too often, especially as you go downscale in terms of the size of financial institution, there are fewer and fewer capabilities to be able to be proactive from a management standpoint, and so they need to be predictive in what are going to be their expectations.

I fully understand the reason why the last authentication guidance came out the way that it did, but really we need to look at this as a new channel. This is not just the Internet, having capabilities based in a web browser. These are all new functions and applications and we’re quickly going to move into near-field chip capabilities and phones in the U.S. and digital wallet and digital payment, and you can’t wait until three years after the fact to actually publish guidance for these banks because many of them are dependent upon the guidance of the FFIEC to determine what to do as well as what’s that standard they need to hold their service providers in.

FIELD: Sam, we’ve talked generally about fraud threats. How do you specifically envision the fraud threats evolving to match the technologies as they evolve?



CURRY: The bad guys have a ROI to think about. They don’t tend to make many long-term investments. They tend to make incremental improvement to things that work. You’ll see a big splash, almost like a new product launch, from them and then you’ll see small refinements on that to reduce costs and reduce risk and exposure and to improve “quality.” To be specific, I think that the next phase of exploits is going to be characterized by simplicity, almost elegance in design. I think that they’re going to find ways to start by taking advantage of the human weakness as they’ve done in other platforms. In fact, I wouldn’t be surprised if the first exploits here actually were recognized as uniquely mobile. They would look like variations on a theme that we had seen before and extensions of other hacks, and they’ll try to get to the same kinds of targets they’ve got before. If folks have a cash-out mechanism, for instance, using mules to take advantage of things like stolen credit card numbers or debit card numbers, or even Social Security numbers, for some cash-out mechanism, then they will still be going after those prizes.

Simply exposing something of value out there isn’t necessarily going to attract the bad guys. If you attract something that there’s no cash-out mechanism for it, it will actually take longer for them to be attracted, and frankly that could lull people into a false sense of security or complacency. My advice is that anybody thinking about going and doing something that seriously offers value and the ability to move money to change ownership of things onto a mobile platform should have an aggressive program to update security and to revisit it, given that the landscape will change. It will happen with a big bang followed by lots of little incremental improvements.

But of course, this is the crystal ball. Everybody wishes they could see what would come first. How we act on the system will affect the system, and it’s far more complex than one or two people in their basement. This is a large, invested industry and frankly if you’re a criminal these days, you probably have to decide where you’re going to put your funds next. Are you going to attack things like the smart grid? Are you going to go after things like corporate data? In fact, the maker of Zeus, for instance, actually went from exploiting consumers and end-users to turning code over to another entity and going after enterprise targets, a higher investment in cost to hack and bigger payoffs down the road on a per-hack basis. That took investment and funds, and frankly a transfer of business, almost like you would see corporate mergers, acquisitions and divestitures. Those sorts of things are going to have to shake down on the dark side as well.

FIELD: We see a number of organizations that rather than have their customers or their employees go outside the organization for mobile apps are developing their own in-house. For mobile banking, should banks be developing their own apps in-house?

SPEARE: I think it really comes down to a level of skills. Here’s the way I look at it. Globally, you probably have 30 banks that will have enough expertise to be able to do so and execute on and be able to do it well. I think the biggest challenge that you have is that when you look at mobile developers, they really in some ways have a different thought process in that they’re all about the project and they’re not tied to the institution. So where a lot of the mobile developers originally started in San Jose, they’re all about moving from one project to the next great project to the next great project and with that it makes it very difficult for financial institutions to be able to keep them around for a long period of time.

Additionally, with that I think you have very few that have the capability to not only understand banking and how it works from a work-flow process but then be able to intuitively see where the vulnerability points are. That makes it very difficult for a bank to have any continuity of development opportunity in the mobile channel as well as being able to put security embedded in with those applications. I think it just makes it very, very difficult. From my perspective, I think that having those centers of excellence so that the organizations where this is what they do, they provide mobile banking applications and they have a level of banking expertise as well as technical expertise, and of course have to build in security with it, that’s going to be the more common model that’s going to be available out there. While banks would love to be able to drive down the cost of producing these types of applications, the reality is if you want in the game, it’s an expensive proposition and it’s ongoing caring and feeding that has to occur and I think that most banks just are not prepared to do that.

CURRY: Even beyond banks, an institution has to make a decision strategically in the five-to-ten-year time frame how important mobile is going to be. That’s a tough question. It’s worth seeing how other companies near you address it; others in your vertical address it and regionally what mega trends folks see. Tap into your extended network if you don’t have these resources in your institution. The big question to answer is, if you were to draw a map of all the technologies that touch your business, how close to the center will mobile be in five to ten years? If the answer is close to the center and you come up with that, you need to be thinking about how you can use outsource help. But, how are you going to build a platform that enables you the most flexibility and control? If it winds up on the outside, then it’s a less important question. It might be a random experiment.

If we were to go back in time 15 years and ask folks this question with respect to the Internet, or even before that with respect to micro-computers, folks often did these sort of half-hearted experiments and then found that they were behind the curve for where they should be. It’s time to understand mega trends. It’s time to think strategically. You can outsource and still retain an ability to scale and to control things, but you’re going to have to not just contract someone to do a one-off app; that would be very dangerous. I think banking is probably less likely to do that. The real question is, how serious do they want to put the functionality in the applications that they actually field and that’s a tough right decision, somewhat based on what your competition is doing and some of it will be based on how important you think it’s going to be to attracting the right kind of demographic to your offerings and your products. That’s not a trivial set of questions to answer.

FIELD: Sam, I would like to hear about the evolving forms of mobile authentication that you’re seeing and researching through RSA.

CURRY: This is fascinating because the first thing is we think of authentication as very episodic. It happens at a point in time. You prove that you’re Sam, for instance, prove that you’re Matt and then afterwards you get this open access for probably a fairly extensive period of time. The first thing we’re going to have to do is to have a more continuous form of authentication. We’re going to have to be sampling and doing off-checks more often.

The second thing is I really care about context. Context, context, context; it’s not just about whether you can provide a set of credentials to do a pass/fail. I actually want to know the conditions under which you’re accessing and the mobile device can actually give me everything from temperature to maybe even some biometrics soon and bio-feedback, things like heart rate, blood pressure and those sorts of things we’re starting to see some advances around. I can also tell relative motion. I can tell all kinds of things, even using the camera. What kind of environment you’re in without necessarily having to send feeds that would affect privacy back. In other words, I can tell patterns of behavior in and around the device, like what other Wi-Fi networks are around you, what other phones are around you. And I don’t care which specific ones; I just care if patterns are different.

First, we have this notion of more continuous, then second I have context and third - and it may sound strange to hear this from a company that does authentication - it’s not about any one form of authentication form factor. You often hear people talk about multi-credential authentication or multi-factor authentication and they say, “No, mine’s better because I do two or three.” Well, why limit yourself? Why not have ten, 20 or 30 and be able to really crisp up an image of people and a certainty of who they are and then take the whole authentication notion of, “Are you who you say you are? Yes or no?” and then come up with much more subtle degrees of difference, maybe different shades of gray if you will. [It’s] not just the black and white of are you Sam or aren’t you, but how much do I trust you to be Sam, and what do I want to authorize you under this context and this particular physical setting to do certain things. That’s a very different proposition than I think we’ve seen to date, and then of course that implies a very important part of this would be the machine running behind it to determine both what’s normal and not normal, when patterns have changed significantly without having to share the specifics of the pattern, and how do I look at things in a big data, big picture way to actually find things that are going to be indicative of fraud, insider theft, treason, those sorts of things, and then flagging them appropriately. That’s a much bigger challenge set than just, “What’s your certificate or your token,” and that’s where I’m thinking these days.

FIELD: I’m going to give each of you a chance to have some final thoughts, and Matt I will turn to you first. Crystal ball time, your predictions of what we’re going to see in mobile banking in 2013 whether in terms of services, technologies, threats. What do you see?

SPEARE: I see that digital wallet and digital payment, there are going to be at least three major banks that are going to launch those and get a large user base on them. Now, the larger banks are more progressive in that space and I think that will then allow many of us to quickly follow behind in terms of being able to offer that service, because as soon as you have the J.P. Morgan Chases of the world or Bank of America [have] it as part of their core offering set, then those of us that compete with them are going to want to follow and follow quickly, and my hope is that we all do so in a measured method so that we continue to build upon the trust that our customers have in us to provide them with secure mechanisms to do their banking, and that none of us jump in and try to move too fast without thinking through the potential vulnerabilities to the overall system of how we make payments and how we manage money on an end device. I think that’s coming and that’s going to be the tip of the iceberg of what’s going to follow in the years after that.

CURRY: I’m actually going to say what happens in the wider financial industries than just banking and consumer banking is going to have a big play here. What happens around insurance, what happens around credit, what happens around mortgages, even going up further, what happens around health will all drive expectations on the consumer’s part of what they can get out of a mobile device. I think that will also put pressure on banks to similarly meet with features and to do the same sorts of things.

The Bank of India - which is notoriously very conservative - has actually now allowed institutions that aren’t banks with a different requirement on cash out and reserve to get into banking. You’re starting to see telcos provide banking in some of those countries. I don’t think that will happen here in the U.S., but if it’s not done correctly, it will provide incentive for the bad guys to sharpen their tools and get ready to find victims somewhere and when the U.S. finally catches up, they’ll likewise come hunting here. I think [it’s] very interesting to watch what happens globally, very interesting to [see] what happens in the rest of the financial industry and especially the credit card companies. There’s a big emphasis and [it’s] interesting to see what happens with consumer expectations of mobile devices because the bad guys are sharpening their knives and getting ready for a feast. Hopefully the banks move most appropriately and actually set some of the right standards here, but a lot is being determined outside of the sway of the banks I feel.


4 Independence Way • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways —researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401 [email protected]

