The Fraud Blog with Tracy Kitten

Mobile Security: Act Now

Including Mobile Banking in Risk Assessments
Many financial institutions are not addressing mobile banking security risks in a targeted way. Mobile banking is not a prominent part of their risk assessments and mitigation strategies. But it should be.

Although federal regulators have yet to spell out clear-cut mobile security requirements, banks and credit unions cannot afford to wait for federal guidance before taking action. They need to put plans in place now to mitigate emerging risks, such as attacks from mobile malware and device identification challenges posed by roaming IP addresses.

Bankers who procrastinate could face the dire consequences that follow account breaches.

BITS and other organizations have offered advice on mobile banking security that financial institutions can put to use. But regulatory guidance is still pending.

Mobile Security: At a Glance

The Federal Financial Institutions Examination Council hasn't issued mobile security mandates ... yet. And while I don't think we'll see anything specific to mobile before the end of 2012, I'm pretty certain mobile already is coming up during FFIEC authentication compliance audits.

Industry pundits may be split about when mobile directives are coming, but they're in agreement that they're coming. Those directives could arrive in the form of an addendum to existing guidance; they could be laid out in an FAQ; or they could comprise their own guidance altogether.

Regulators are gathering information and assessing where institutions stand on mobile security. It's just a matter of time before they put their heads together and come up with a way to address mobile more specifically.

Mobile's missing mention in the FFIEC's Authentication Guidance raised eyebrows in June, when it was issued. [See FFIEC Authentication Guidance.]

Now the Federal Deposit Insurance Corp. has hinted that guidance or suggestions for mobile security and risk mitigation could be on the way. In July, Jeff Kopchik, FDIC senior policy analyst, said, "We are thinking about mobile," during a BankInfoSecurity webinar on FFIEC Authentication Guidance.

Five months later, the FDIC issued some insights about mobile and its connection to existing guidance in the Winter edition of Supervisory Insights. "Should a risk assessment identify new risks or vulnerabilities, financial institutions should address them promptly to appropriately and effectively mitigate the risks for the institution and its customers." [See "Mobile Banking: Rewards and Risks."]

It's not a matter of if mobile mandates are on the way. It's more a matter of when.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
