FFIEC: Mobile Financial Services

The FFIEC recently updated the IT Examination Handbook – Retail Payment Systems.  The new information can be found in Appendix E, “Mobile Financial Services”.  Mobile financial services are growing in popularity and are radically changing how consumers pay for goods and services.  Convenience is key; however, that convenience introduces new threats and risks into a consumer’s life.

Mobile devices present new risks precisely because they are mobile: they leave the confines of an assumed-safe corporate or home network.  Users tend to exercise less caution with mobile devices, and many do not even give thought to protecting these devices against malware.  With the rise in availability and the low (or no) cost of apps, users are installing apps on mobile devices at a far greater rate than was ever experienced with the home or work computer.

This appendix identifies the major risks and mitigation controls that should be implemented for mobile financial services (MFS).  The FFIEC specifically identifies four MFS technologies: SMS technology, mobile-enabled websites, mobile applications and mobile payment technologies.  These technologies are not only vulnerable to the same threats as traditional online banking but also to the new risks that come with residing on, and being intended for, a mobile device.

This guidance is a critical read for electronic banking department personnel and for individuals responsible for risk management.  It identifies specific risks that you should be aware of, along with controls that should be considered when offering MFS.  As a reminder, this is not an all-inclusive list; however, it should aid in assessing risk and implementing appropriate controls.

The appendix discusses general operational controls that should be considered for any MFS technology and specific controls for the four different MFS technologies.  The general operational controls are as follows.

  • Enrollment
  • Authentication and authorization
  • Application development and distribution
  • Application security
  • Contracts
  • Customer awareness
  • Logging and monitoring

The specific risks and controls for each MFS technology are identified below.

SMS Technology
Text messages are used by customers to communicate with their financial institutions and to initiate transactions.  Financial institutions use text messages to provide information to customers or as an out-of-band (multi-factor) means of customer verification.
Risks
  • Unencrypted network
  • Vulnerable to spoofing and smishing
Controls
  • Redact customer account numbers
  • Limit functionality available
  • Pre-registration
  • Use of security tokens
  • Use of PINs that change periodically
  • Customer awareness training
Mobile-Enabled Website
Websites are programmed to detect a mobile device and deliver content that can be rendered appropriately for the smaller screen of the detected device.  The functionality and security controls may also change for the mobile-enabled version.
Risks
  • Mobile web browsers may not have security features as strong as their desktop counterparts (e.g., anti-phishing and anti-cross-site-scripting features)
  • Web-based applications could be vulnerable to attacks such as unvalidated redirects and forwards
  • It is more difficult for end users to detect suspicious signs on a small screen that could indicate fraudulent activity
Controls
  • Customer awareness training
  • Secure development life cycle followed by the developer
  • Security standards used by the developer in building the site
  • Baseline controls for customers (e.g., complex device passwords, app passwords, auto-wipe feature)
  • Deny access to mobile browsers that don’t have appropriate safeguards
  • Controls on the mobile site to combat “redirect and forward” vulnerabilities
Mobile Application
Software specifically written for mobile devices.  In the financial institution industry, most apps are written to mimic the functionality of the Internet banking site.  Mobile apps can have additional functionality based upon the native features of the device, such as the camera, location services and biometric capture capabilities.
Risks
  • Applications can contain vulnerabilities
  • Some devices allow applications from sources not authorized by the manufacturer, which can invite malware
  • End users could root or jailbreak the device so that native security controls can be circumvented
  • Applications could store sensitive information in clear text on the device
  • There are many players in the mobile device industry (carriers, networks, platforms, operating systems, developers and application stores), so known vulnerabilities may exist for some time before being patched
Controls
  • Policy enforcement/device fingerprinting (O/S, security controls, patch status, rooted/jailbroken)
  • Customer awareness training (include rooted/jailbroken devices and how to recognize legitimate sites from which to download the app)
  • Maintain a list of reputable sites from which to download institution-approved applications
  • Security testing at all phases of the app development life cycle
  • Automatically disable older versions of the app
  • Determine whether any information is stored on the device and encrypt stored data
  • Ensure data collected by the app about the user is necessary and secured
  • Prevent the app from being installed on devices whose O/S is outdated or no longer supported
  • Secure the backend servers that support the applications and databases
  • Sandbox the application
  • Remain aware of vulnerabilities via US-CERT, FS-ISAC and other sources, and take a risk-based approach with customers using devices with known vulnerabilities
  • Periodically test the functionality of the app with other integrated mobile apps and services
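The first, fifth and eighth controls above (device fingerprinting, retiring old app versions, refusing outdated operating systems) come together in a server-side policy check.  The following is an added illustration, not code from the FFIEC appendix or from any institution; the policy thresholds, the report format the client sends at login, and the "restrict" tier (a risk-based, reduced-functionality session for devices with a stale patch level) are all assumptions made for the example.

```python
from datetime import date

# Constructed policy values (assumption): minimum supported OS per platform,
# minimum app version still allowed to sign in, and how old a security patch
# level may be before the session is limited to low-risk functions.
POLICY = {
    "min_os": {"android": (11, 0, 0), "ios": (15, 0, 0)},
    "min_app": (4, 2, 0),
    "max_patch_age_days": 180,
}


def parse_version(text):
    """'12.0.1' -> (12, 0, 1); shorter strings are padded so '11' == '11.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def evaluate_device(report, today, policy=POLICY):
    """Decide 'allow', 'restrict' or 'deny' for a client-reported fingerprint.

    report (constructed format) has: platform, os_version, app_version,
    security_patch (YYYY-MM-DD) and rooted.  Note that the client asserts
    these values itself, so this check is a baseline to combine with
    platform attestation, not a substitute for it.
    """
    deny, restrict = [], []
    platform = report.get("platform", "").lower()
    min_os = policy["min_os"].get(platform)
    if min_os is None:
        deny.append("unknown platform")
    elif parse_version(report["os_version"]) < min_os:
        deny.append("OS version below supported minimum")
    if parse_version(report["app_version"]) < policy["min_app"]:
        deny.append("app version retired; update required")
    if report.get("rooted"):
        deny.append("device reports rooted/jailbroken state")
    patch_age = (today - date.fromisoformat(report["security_patch"])).days
    if patch_age > policy["max_patch_age_days"]:
        restrict.append(
            f"security patch level older than {policy['max_patch_age_days']} days"
        )
    if deny:
        return "deny", deny
    if restrict:
        return "restrict", restrict
    return "allow", []
```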
Mobile Payment Technologies
Mobile payments include wireless payments at point-of-sale (POS) terminals, person-to-person (P2P) payments or any other contactless payment system involving the mobile device.  Wireless payments can work using various technologies including, but not limited to, near field communication (NFC), image-based (e.g., QR codes), carrier-based or mobile P2P.
Risks
  • Portability of mobile devices leads to unauthorized use of the mobile wallet
  • Some mobile payments use NFC, which is not encrypted by default
  • Weak controls in the provisioning process
Controls
  • Traffic filtering to prevent DoS attacks
  • Use trusted platform modules (secure hardware holding cryptographic keys)
  • Secure telecommunication protocols
  • Tokenization (limits transmission of account information)
  • Encryption
  • Anti-malware software
  • User and application authentication controls
  • Encryption of personal information stored on mobile devices


RESOURCES

  • Appendix E, “Mobile Financial Services”, of the FFIEC IT Examination Handbook – Retail Payment Systems
  • FIL-31-2016: Mobile Financial Services Update to FFIEC IT Examination Handbook Series