White Paper: Mobile Banking: How to Balance Opportunities and Threats



    Information Security Media Group 2012


    Transcript of the Webinar Panel Discussion

    FEATURING: Matthew Speare, SVP Information Technology, M&T Bank

    Sam Curry, CTO, RSA


    MOBILE BANKING: How to Balance Opportunities and Threats



    As banking institutions globally roll out more services through the mobile channel, security leaders are challenged to stay a step ahead of the evolving risks. But what are today's top threats, and what are the emerging security components institutions must put in place to take advantage of new mobile opportunities?

    Read on to learn from a leading banking/security practitioner, as well as the CTO of a major security solutions vendor:

    • Top security considerations when rolling out a mobile strategy;
    • The truth about mobile malware and other fraud threats;
    • How to influence end-user behavior;
    • Emerging trends in mobile payments, authentication and regulation.

    Matthew Speare, SVP Information Technology, M&T Bank

    Matthew Speare is responsible for Information Technology Operations, Telecommunications and Networking, Platform Design and Support, Information Security and IT Risk Management, and Business Continuity Planning and Disaster Recovery.

    Sam Curry, CTO, RSA

    Sam Curry is Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA. He has more than 18 years of experience in security product management and development, marketing, engineering, quality assurance, customer support and sales. Curry has also been a cryptographer and researcher and is a regular contributor to a number of journals and periodicals. Prior to joining RSA, Curry was Vice President of Product Management and Marketing for a broad information security management portfolio at CA.

    Mobile Banking: How to Balance Opportunities and Threats
    Transcript of the Webinar Panel Discussion

    VIEW THIS WEBINAR NOW http://www.bankinfosecurity.com/webinars/mobile-banking-how-to-balance-opportunities-threats-w-290



    Transcript

    TOM FIELD: You and I have been talking about mobile banking for a number of years now. I think you did the first mobile banking webinar that we produced even, isn't that right?

    MATTHEW SPEARE: I believe you're absolutely correct.

    FIELD: It's been several years. How would you say mobile banking is different now than when M&T first piloted its mobile program a number of years back?

    SPEARE: Certainly I would think the acceleration of adoption, because if we comparably look at the late '90s when web banking became available and the adoption rate that occurred there is that, this really has accelerated in that it's probably more in the area of 2-3 times faster the adoption rate than we saw in web banking. You're getting out to a much broader user base much more and in some ways it makes a lot of sense, because what's the one device that people carry with them all the time? It's going to be their smart phone and so they have it readily accessible and they're going to want to take advantage of some of the banking opportunities that you can do.

    Then the other piece would be on the functionality and the user, what I would say is maturity level and demand. What I mean by that is that when we launched mobile banking, it really was about account balance, to find out where the closest ATM is. Then really it became the platform that people preferred to do their bill pays on. Also, alerting and the ability to get alerts for transactions that are occurring on your account via push-notification, people seem to love that. But then on the maturity level, what we found is that, after going down consumer retail web banking, we quickly got into where our business banking customers wanted that same type of functionality as well, as well as some things to be able to service their business better. As well as we're certainly hearing from our very large business-banking customers that are much more sophisticated in their needs and requirements that there's a huge desire out there to be able to provide the commercial-banking applications via mobile, most specifically around single-balance reporting and wire transfer, ACH approval functionality that they preferred it. These are busy business folks that are moving around the country and they don't want a wire transfer being held up on their account, so if they have the ability to approve that from their mobile phone, they really want to have that kind of capability. It has certainly gone upscale, as well as the adoption rate and feature functionality have just exploded.

    FIELD: And remind me, what year was it that you launched your mobile pilot program? Was it 2007?

    SPEARE: It was actually 2008 and for the first nine months it was really an SMS-based type of web banking that amazingly enough people still really like, and I'll be honest that's the one that I don't get because I cannot ever remember codes. It then went to a web-based type of application so that it renders on multiple different types of devices and then matured into the app, which gives you a lot of functionality.

    FIELD: So we're talking basically four years, which on one hand seems like no time at all, but when you think of the evolution it seems like a great deal of time. Sam, in that same period of four years, how have you seen the threat landscape evolve?

    SAM CURRY: Oh my goodness, enormously. I think just as Matt talked about a story of adoption on the side of real legitimate users and around mobile for everything, from personal banking to commercial banking, the story in the threat landscape has been very much one of adoption as well. You're a pretty stupid cyber criminal, or even nation state or hacktivist, if you aren't in fact hacking. The risk reward equation is just so staggeringly in favor of hacking over more legacy or traditional operations or means that it's enormous. The cyber crime, I think just the ROI for targeting and doing crime online is so absolutely enormous, the chance of getting caught is slow and the potential audience that you can reach is enormous.

    The second category is perhaps the often misused or abused term advanced persistent threat [attack]. Think of folks achieving political ends or economic means, economic ends by other means and this is the category. We've seen enormous activity on the dark side there, so folks who are investing the level of nation-state resources in attacking, but frankly most of it isn't bigger, badder and meaner, it's more effective. We've seen an evolution from malware to what I would call grayware. It's less about blowing up your computer or destroying data than it is about subtly siphoning information and in some cases even producing malware that will provide benefits so that it's a bit of a trade-off between whether you want to keep it because it improves the performance of the device versus the potential violations of privacy it might cause.

    And now that the bad guys have a certain critical mass, we've also seen them start to evolve techniques to get more efficiency. Ironically, some of the greatest adopters are things like cloud computing, which is happening in that threat landscape. In fact, we see fraud as a service. We see the mechanisms by which people will not just compromise accounts and credentials, but then they will distribute information and they will tie into their supply chain for cash out has likewise taken on highly specialized roles and in fact is being delivered as services in many cases, and they're looking for new markets to expand, new places to grow and new vehicles for delivery of either their nefarious payloads or their ability to continue to commit crime and to do bad things.

    The threat landscape in four years has evolved enormously in multiple directions, new actors on the stage, new tools and techniques in use, new objectives and even a change in some cases of some nations' stances. I think the State Department here in the U.S. actually said that hacking would be considered an act of war last year, so some pretty remarkable advances if that makes sense.

    FIELD: Let's look forward a little bit. Given what we've seen just in four years' time even, where do you see the next mobile evolutions in terms of new customers, new technologies and even new services?

    CURRY: I think the term mobile is going to become almost old-fashioned. That convergence everyone predicted for many years of all these different compute platforms, the tendency has been for compute to become more powerful and more distributed and I think it's going to become a bit passé in the next three or four years to talk about mobile. Frankly, there will be those companies that can find a way to port their services and their products to the mobile platform. Many folks are holding back. They allow partial mobile access but still require a lot of things to be done on the old legacy platforms. Either you're going to adopt it or you're going to be left behind. And I think the tipping point is really coming in the next 12 months; it's imminent.

    From a user perspective and service perspective, just look at the rate of innovation of mobile devices and applications in the app markets and what have you, people expect those services to be available. I think from the threat side, and I won't go too deep here because I think it's only a tangent to your question, I think that where the business goes and where the value goes, especially when it's lower risk and easier to actually hack these platforms, so too will the crime go. Matt, what's your take?

    SPEARE: I absolutely agree with you. What's going to happen in the threat landscape and certainly where I think that we're ultimately going is that it's going to become device-agnostic. Now at the same time, I think we're going to see an increase in feature functionality beyond what we see today and true adoption which I think is going to take more than the 12 months around a digital wallet. I'm no longer carrying credit cards, ATM debit cards. I won't because I never use them, but my wife might get coupons which she might want to use and all digitally because we've already seen some airlines move that way and being able to provide that type of functionality.

    But I think mobile wallet, mobile payments, or digital wallet/digital payment, are going to be coming specifically to the U.S. where we've already seen that movement in some of the more progressive parts of the world and that will allow for financial institutions to reach down into that under-banked market where traditionally financial institutions are providing this to their current type of customers. However, anywhere from 25-30 percent of the overall potential market doesn't have a banking relationship. So this is an opportunity where you can have a virtual bank relationship and be able to conduct business - your personal payments - from your mobile device, whether it is iPhone, iPad, Android or whatever. And I think it will be an even greater increase in adoption. Unfortunately with that comes a more lucrative target for the bad guys.

    CURRY: Actually before the lucrative comment for the bad guys part, I think it's probably worth mentioning that the third world and the developing world are seeing an opportunity with the power of mobile stacks to frankly forklift and jumpstart their economies. Some African countries for instance have as much as 10 or 15 percent of GDP done on mobile devices already, and the opportunity would have an infrastructure to jumpstart even needing one, getting micro-finance and micro-payments as actually a possibility for people, and universal identity programs like the one in India frankly means that a huge percentage of the population that previously was disenfranchised can now access everything from government benefits and the ability to actually use their mobile devices as a way of enabling them to get to a new lifestyle which is phenomenal and I think some of that is going to happen outside the U.S. first and then come in. And Matt, to your point, where the money goes so too go the bad guys, where the value is that's where they go. We're already seeing viruses for platforms that previously were considered not the playground to viruses. We're seeing things like viruses spread to Linux operating systems, UNIX operating systems, and even to Mac, but I think we're going to start seeing them now go to mobile as well.

    FIELD: That was my follow-up question, because we talk about universal access, we talk about the under-banked and the fraudsters might be looking at this marketplace as the under-hacked. So that's my question to you. How is the threat landscape evolving? And Sam, I would be curious from your perspective and Matt's as well on the frontline?

    CURRY: I can't remember who said it but I heard someone once say the Internet was both the most over-hyped and the least over-hyped of all subjects he had ever heard of back in the '90s, that it wound up going many places we didn't expect and it wound up with the .com bubble burst not being what we expected. At the same time, it's both one of the greatest things that ever happened to civilization and one of the most over-hyped things that has ever happened to us. And I think the same could probably be said of mobile. That for us as human beings, we're going to adopt mobile in a way that we haven't seen since the last big adoption of the Internet and I think the bad guys are going to follow. It's a question of when and of course predicting when is difficult.

    I'm reminded that in the late '90s, when I was doing a lot of primary malware research we always were waiting for when we would see a critical mass of actual cybercrime hit things like desktop computers and personal computing. There was evidence of it then, but it was still very small and stochastic. Of course it did happen, but actually being able to predict the year in which it happened was very difficult. I think probably the biggest single thing in this space will be when most people move from doing most of their value-based transactions, their stock trades - as Matt was mentioning - or their ACH wire transfers and what have you, when they do that from a mobile platform and never had the desktop component or laptop component, then I think that's going to be a radical change. That's when the bad guys will shift and it will take about a development cycle or two, because they're going to follow the money and if the money leaves the platform - because this is big b...