Mobile Banking: Predicting the Risks BofA's Security Strategies Hinge on Testing, Collaboration

The proliferation of mobile, particularly as it applies to mobile banking, has opened new revenue streams and enhanced customer and member experiences and convenience. But it also has opened new doors for fraud, and staying on top of those vulnerabilities is critical.

So how are banking institutions addressing mobile security risks? Keith Gordon, who oversees authentication and security strategies for Bank of America's consumer online and mobile banking units, says most institutions are just now forging ahead in the mobile space, and new security gaps are areas for which they all must prepare, proactively.

"Customers are now using their mobile phones much like they use their PCs," Gordon says in an interview with Information Security Media Group's Tracy Kitten (transcript below). "Now we're finding that mobile phones are becoming compromised much like PCs have been in the past."

BofA is addressing those risks through a program it's dedicated to identifying upcoming threats in the mobile arena. To tackle these vulnerabilities, Gordon says the bank works closely with federal banking regulators "to really open up a level of dialogue that's really unprecedented."

The program also calls for increasing communication among and with other institutions, as well as governments and foreign partners. "What that allows us to do is to see something that may be happening over in Europe," Gordon says. "Then we can apply what threats they're seeing to our environment, to see if there's a gap that may be identified through a new process exploit."

Ideally, such gaps can be addressed and remediated before the threats even reach BofA's customer base.

During the interview, Gordon also discusses:

  • Strategies BofA has enlisted to educate its customers about mobile risks;
  • Why mobile threats have to be constantly reviewed;
  • How the security challenges posed by different mobile platforms, such as Android, can be managed.

At BofA, Gordon develops and manages the authentication and security strategies and product development for consumer online and mobile banking. His team oversees authentication, authorization, privacy and security for online and mobile banking. The team also plays a role in online and mobile customer education, identity management, domain management and enrollment. Gordon manages the bank's e-mail security strategy, addressing online threats and fraud at the enterprise level. He has been involved in the development of the bank's enterprise cybersecurity strategy. The Security by Design strategy his team developed has a patent pending.

Mobile Security Landscape

TRACY KITTEN: Bank of America really is a pioneer in the mobile banking arena. You've watched the mobile market and the security threats facing it evolve over the last 5-6 years. What can you tell us about the security of the existing mobile landscape? What mobile threats concern you the most?

KEITH GORDON: The mobile security landscape has definitely been one of quick transition and lots of movement in where the threats are moving. We've seen a dramatic shift over the past couple of years as companies like Bank of America have begun to evolve their mobile banking capabilities and other large institutions like PayPal and others that are allowing financial transactions to occur through the mobile device. The fraudsters are obviously looking for those types of opportunities and have begun to evolve their threat vectors to try to hit the emerging marketplace that we call mobile.

There are definitely some things that are out there that concern me today. In a lot of cases they're very well hidden from the consumer and that's what's most alarming; things like repackaging of applications. What I mean by that is fraudsters will go out and take common games or other apps and pull out their source code if they don't have it well-protected, repackage that up including some malware, put it back out on app stores and then consumers begin to download those apps and it has infected malware on it. (There's) the threat of losing customer data; customers are now using their mobile phones much like they use their PCs to log into sites using their passwords or their credentials and now we're finding that mobile phones are becoming compromised much like PCs have been in the past.

Mobile Payments

KITTEN: I wanted to ask about mobile payments specifically. What unique security challenges do you see facing mobile payments that don't currently exist in a traditional mobile banking environment?

GORDON: Historically, mobile banking itself has been app-based and for the most part has been fairly limited in its ability to move money outside of that institution. Now we're starting to see that trend as you start to talk about mobile payments being one of those trends, and allowing customers within a mobile experience to be able to pay another consumer or a vendor directly through their mobile device, and that's really where the threat comes for us. If the money's leaving that institution or that application, that's where the fraudsters tend to jump in and look for opportunities and look for gaps in the process.

Historically, we took years and years and years to build the online banking environment and due to market pressures and consumers really asking for this capability on their mobile devices, we've had to really accelerate our development, and in some cases the fraudsters find those gaps and exploit them. The difference in the two is that the mobile payment capability in some cases resides on the phone itself, so you never even have to pull a credit card or you never have to authenticate. In a lot of cases, it's just a tap and pay. The opportunity for consumers to misplace their phone - that becomes a threat. It absolutely exists with the phone that didn't exist with online banking.

'Security by Design'

KITTEN: BofA has come up with an interesting way to assess the security of some of these mobile applications, and the one you've done that is by internally testing vulnerabilities that have been identified by ethical hacks, hacks that sometimes offer conflicting results. What can you tell us about this program that BofA has initiated, and how long has it been going on?

GORDON: Six years ago we developed a program we called Security by Design, and that was really (about) how can we get ahead of security vulnerabilities that sometimes come up in the development lifestyle. We developed it for the online space because at the time that was really our primary development focus. What that does is it gives us a proactive view into not only very beginning stages of requirements gathering and development, but as we go through the process and move something from maybe a testing environment into a production environment or into an app store from a mobile perspective, we've got certain thresholds that we've put in place that won't allow us if we're seeing security vulnerabilities show up in some of these ethical hacks as you mentioned. We're ensuring now that all of those identified vulnerabilities are fixed and remediated before they're actually available for customers to use.

One of the things that we also have done which interestingly has proven to your points some interesting results is the utilization of multiple assessments or ethical hacks in a single instance where we may contract out a couple different companies or maybe do a couple different internal assessments of the same code base just to see if we can come up with different results. In most cases, we have. In our mind, that's actually a benefit because different groups, different companies look at things a little bit differently. We're utilizing that as a positive aspect of our Security by Design lifecycle.

Tackling Emerging Threats

KITTEN: BofA is spending quite a bit of time and resources on some of these anticipated threats. What can you tell us about some of the proactive steps you're taking to address unknown risks and how are you anticipating some of those risks?

GORDON: On my team, we have developed a program called the Emerging Threats Program. We have dedicated resources that literally their job is to not only work and identify within the bank, but also working with other institutions - even outside of financial services - to identify what's happening out in the marketplace today that the general consumer may not hear about. We work very closely with our government agency partners to really open up a level of dialogue that's really unprecedented that we haven't seen historically. What that allows us to do is to see something that may be happening over in Europe or maybe in Australia where we have some relationships with some folks there and they're sharing their intelligence with us, but then we can apply what threat they're seeing to our environment to see if there's a gap that may be identified through a new process exploit or something like that. Then through all of these relationships and these assessments, (it) allows us if a gap is identified to quickly go in and build a remediation plan so that we close the gap in many cases before the threat even gets to our customer base.

KITTEN: What about some of the technology solutions that BofA is investing in to enhance authentication as well as device identification when it comes to mobile? When customers log into accounts via their mobile devices either online or with an app, what's BofA doing to authenticate those users?

GORDON: One of the things that we have been very deliberate about is ensuring that the customers' experience is identical. That's if you're going in through online, if you're going in through the mobile app or the mobile web. Our customers were very vocal and they wanted that seamless experience. Actually, it has helped out as well in allowing us to build something once and utilize it in all three environments. You mentioned things like device identification. We're able to see what devices our customers are coming to us from on a typical basis, so that if per chance we see something that's anomalous or maybe a new device, we can proactively challenge that experience or that session to ensure that it's that customer trying to authenticate. If a fraudster is trying to access an account, we're able to block it right at that point just in knowing that it's not the customer's device trying to come to us.

Software Development

KITTEN: What can you tell me about SDK and how does it connect the online channel to mobile?

GORDON: SDK is a term; software development kit is what it stands for. Apple a few years back - when they first came out with their SDK - (that) was really when we saw the explosion of app development. What that means is it's a basic little kit that you can build a framework around an application. It's got all of the basic capabilities for an app to run on the device. What we're now seeing is a lot of the vendors in the marketplace that we've used for online security capabilities are now developing mobile versions within an SDK so we can quickly and easily plug into our mobile app. Again, it's getting a consistent experience, not only for the consumer, but also from the bank's side we're able to monitor sessions with our customers just like we do in online. Now we can do the same thing in mobile. We're not getting out of balance between the channels.

Differing Platforms

KITTEN: I wanted to ask a little bit about the mobile platforms themselves. Currently Bank of America offers mobile banking for iPhone, the iPod Touch, iPad, Google Android, Android tablet, the Kindle Fire, Blackberry, and even the Windows phone. Is there a question about the security of one platform or device over another?

GORDON: Speaking from the Bank of America-app perspective, we don't necessarily have any concerns because again it's basically the same app developed just for a different platform. However, we do have concerns as it relates to the operating systems themselves. (You're) more likely to encounter malware if you're on Android vs. other platforms. One of the reasons that we're seeing that is the Android platform was purposely built as an open platform, which in theory would spur on innovation but it's obviously spurred on the innovation of the fraudsters as well. It's been basically a knit on the other platforms. And honestly that kind of goes along with the market penetration too where the Android platform is equal to the Apple platform.

KITTEN: Does Bank of America worry about the security of source code or the fact that some devices are targeted by malware more often than others? What control can you have there?

GORDON: It goes back to an adage that my dad always used to tell me: control what you can control. In this case, I can control the security of our app. I can control how we're using data on that and ensure that our customer's data is not at any point exposed to the operating system. It's in its own little self-contained bubble. From a code perspective, we have hardened our code to where even if fraudsters were able to get a hold of it, they couldn't reverse-engineer it or understand how the code works to find any gaps in the process. Malware is definitely one of those things that we have to keep abreast on, and when I say it that way I mean on a daily basis we're looking at what malware is in the marketplace today and ensuring that we have the correct controls in place within our app to keep our customers secured and protected.

KITTEN: I'm glad that you brought up reverse-engineering because that's actually something that I wanted to ask about. What steps is BofA taking to add additional security to prevent reverse-engineering of some of these downloadable mobile applications?

GORDON: It really gets down to a couple of basic elements and one is: How are you developing the code itself? What layers of protection are you putting within that code, and then how is the code packaged before it's sent to an app store? In all cases, I'm not able to share some of our secrets in our black box, but I can say that we're absolutely putting a level of diligence around our code to protect it, because we consider that an asset to the bank - intellectual property - and we want to protect it just like we would anything else. But at the same time, it absolutely protects our customers.

KITTEN: BofA recently announced that its number of mobile banking users exceeds ten million, an increase of nearly three million users in the last 12 months. What increased risks does BofA face as its pool of mobile banking users continues to grow?

GORDON: The primary risk is not necessarily about what we're providing but just continues to be about the mobile banking platform itself, and that the fraudsters are continuing to spend a lot of their time focusing on that mobile platform and looking for ways to interject or to compromise the customer device. Just like they do PCs today, they are looking for new and creative ways. There are things that we have to continue to educate our customers about. We've been a strong proponent of online security and we're now evolving to, "How can we continue to educate our customers about mobile security?" There are things out there called "malwaretizing," "smishing," compromised QR codes, things that you say those terms and customers may not know what you're talking about, but these are the new distribution methods that the fraudsters are using in the increasingly complex mobile threat space.

The Role of Education

KITTEN: I wanted to ask about customer education specifically because we often talk about the end user being the most vulnerable or the weakest link in the security chain. What's BofA doing to help secure that one part that it doesn't control, which is the user, the customer?

GORDON: Right. It's increasingly been one of the challenges in that we haven't seen, like today in your PC, there's one of 50 different anti-virus tools that are out for you to go install on our PC. We've got a relationship with McAfee where we're offering to our customers. There's another for anti-malware. There are a few that are out there for the PC. We're offering Trusteer to our customers, but mobile has been slow to migrate just because of the way the mobile platform works. We have just recently engaged to offer a mobile version of McAfee to our customers; it's literally late-breaking and will be coming to a store near you shortly, but we will be offering it through our portal very shortly. We're continuing to push our partners to continue to evolve the capabilities they're offering, specifically for the mobile platform to help secure it even further.

KITTEN: Before we close, what advice could you offer other institutions as the number of their mobile users continues to grow and they struggle to balance security with customer convenience?

GORDON: I think the one thing is that it's definitely a balance and if you go too far on trying to please the customer experience and you lose sight of some of the controls to keep the security in balance, the potential for increased fraud is going to be there. But you go the other way and (if) you put too much security control in place and it makes it too onerous for that customer, then you're going to see a migration away from that platform. I think that's where we've done a really good job of balancing that and seeing a continued phenomenal growth of our customers adopting the mobile platform.

Around the Network