Out-Law News

Banking on mobile: security threats, realities and fictions

John Salmon’s Financial Services blog

Financial services sector head John Salmon brings you insight and analysis on what really matters in the world of financial services.

For businesses within the financial services sector not wholly consumed by RDR (Retail Distribution Review) and auto-enrolment issues, attention may again be turning to the threats, risks and uncertainties associated with mobile banking and other trends and developments in financial services technology.

While the Australian bank Westpac has suggested that "the take-up of mobile banking is much faster than any previous technological innovation in banking," and has indicated, according to reports, that it "processes three times more transactions made digitally, compared to transactions made in person," security providers in other parts of the world are stressing the heightened level of intrusion into mobile environments seen during the third quarter of 2012.

AVG Technologies has reported on the prevalence during the period of the malware known as Zitmo ("Zeus in the mobile"), the mobile companion of the Zeus banking Trojan. Zitmo intercepts the Transaction Authentication Numbers (TANs) that banks send to customers via SMS and forwards them to the attacker, so that an SMS-delivered TAN no longer functions as an independent second channel. The US Federal Bureau of Investigation has separately issued warnings regarding Loozfon and FinFisher, two Trojans particularly targeting mobile devices running the Android platform.
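To make the Zitmo point concrete, the following is an added illustration, not code from the Out-Law post or from any bank. It models a simplified SMS TAN ("mTAN") scheme in which the bank derives each TAN with an HMAC over the source account, payee, amount and a one-time reference, and then plays out two attacks: a captured TAN replayed against a different transfer, which fails because the TAN is bound to the transaction, and the Zitmo case, in which the attacker has already initiated the fraudulent transfer from the victim's compromised PC and the phone-side malware simply forwards the bank's SMS. The key, account identifiers, payee names, amounts and the SMS wording are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Hypothetical per-bank secret (constructed for the example; a real bank would keep this in an HSM).
BANK_KEY = secrets.token_bytes(32)

TAN_DIGITS = 6


def _binding(account, payee, amount_cents, nonce):
    # Everything the TAN must be bound to: source account, payee, amount and a one-time reference.
    return f"{account}|{payee}|{amount_cents}|{nonce}".encode()


def _derive_tan(key, account, payee, amount_cents, nonce):
    tag = hmac.new(key, _binding(account, payee, amount_cents, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 10 ** TAN_DIGITS:0{TAN_DIGITS}d}"


def issue_mtan(key, account, payee, amount_cents):
    """Bank side: derive a transaction-bound TAN and compose the SMS sent to the customer.

    The SMS repeats the payee and amount so a customer who reads it can spot a
    transfer they did not initiate. Returns (tan, nonce, sms_text).
    """
    nonce = secrets.token_hex(4)
    tan = _derive_tan(key, account, payee, amount_cents, nonce)
    sms = (f"TAN {tan} authorises a transfer of {amount_cents / 100:.2f} "
           f"to {payee} (ref {nonce}). Never share this code.")
    return tan, nonce, sms


def verify_mtan(key, account, payee, amount_cents, nonce, tan):
    """Bank side: accept the TAN only for the exact transaction it was issued for."""
    if not isinstance(tan, str) or len(tan) != TAN_DIGITS or not tan.isdigit():
        return False
    expected = _derive_tan(key, account, payee, amount_cents, nonce)
    return hmac.compare_digest(expected, tan)


def replayed_tan_authorises_other_transfer(key):
    """Attacker captured the TAN for a small legitimate payment and replays it on a large one."""
    tan, nonce, _ = issue_mtan(key, "ACC-1001", "Utility Co", 4_200)
    return verify_mtan(key, "ACC-1001", "Mule Account", 950_000, nonce, tan)


def zitmo_forwarding_succeeds(key):
    """Zeus on the PC initiates the transfer; Zitmo on the phone forwards the bank's SMS.

    Returns (bank_accepted, sms_text). Binding the TAN to the transaction does not
    help here, because the transaction the TAN is bound to is the attacker's own.
    """
    account, payee, amount = "ACC-1001", "Mule Account", 950_000
    tan, nonce, sms = issue_mtan(key, account, payee, amount)
    forwarded = sms                      # Zitmo relays the raw SMS to the attacker's number
    stolen_tan = forwarded.split()[1]    # "TAN <digits> ..." -> the digits
    return verify_mtan(key, account, payee, amount, nonce, stolen_tan), sms


if __name__ == "__main__":
    print("replayed TAN accepted:", replayed_tan_authorises_other_transfer(BANK_KEY))
    accepted, text = zitmo_forwarding_succeeds(BANK_KEY)
    print("Zitmo-forwarded TAN accepted:", accepted)
    print("what the customer's phone would have shown:", text)
```

The first scenario shows what existing mitigations already buy: binding the TAN to payee and amount stops a stolen code being reused elsewhere. The second shows the mobile-specific twist Zitmo exploits: once the attacker controls both the session that initiates the transfer and the device that receives the SMS, the "out-of-band" channel is no longer out of band, and the only remaining control is the customer actually reading the payee and amount in the message, or the bank moving to a confirmation channel the phone malware cannot silently relay.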

Loozfon lures consumers with bogus work-from-home schemes in order to obtain personal information from the device, while FinFisher has been reported to give attackers remote control of an infected device.

Yet the move from online to mobile is a second-generation shift (the first being from offline to online), and the question to be asked is whether delivering financial services and processing financial data over mobile networks and on mobile devices poses any risks that are unique, or substantially different from those of online banking.

There is no doubt that some existing risks are heightened in the mobile environment, but it is not clear that any of these risks are unique and cannot be overcome by adjusting existing mitigation strategies.

Personally, I have never really understood why it appears that when new technology is used one's risks must be greater than when engaging in the same processes in the offline world. While it is true that there will be new risks which must be properly considered, it sometimes appears that the new technology-enabled service must be much more tightly controlled than the equivalent offline process.

A good example is the use of the handwritten signature as the standard against which all authentication mechanisms are measured. The handwritten signature has never guaranteed reliability and has often not been properly checked. Nevertheless it has, on occasion, roadblocked the shift from offline service provision to online delivery, even though in many instances the evidence has indicated a reduction in fraud where online authentication mechanisms are implemented.

An example of such evidence is credit and debit card transactions, where the phasing out of authentication by handwritten signature in favour of PINs has led to significant reductions in fraudulent payments, according to research reports.

So as banks increasingly look to "jump on the apps bandwagon", and shift their focus to offering services which are responsive to multiple environments, an approach which focuses first on assessing risks unique to the mobile environment, rather than one which emphasises those that are merely heightened by it, will likely form a better strategy for negotiating standards with suppliers that are acceptable to regulators and attractive to customers. 
