Mobile Banking: Authentication is 'Your Best Friend'

Expert Says Mobile Security Does Not Have to be Daunting
Authenticating mobile transactions is challenging because of the fluid nature of mobile-browsing habits. "It's an unfortunate side-effect of the way that a lot of wireless networks are structured," Rouse says. "So, as I connect and disconnect from the network, as I turn my phone on and off or as I just roam to other carriers, it is actually very difficult to maintain a single IP address. As a consequence of the way that the networks are structured, technically, we normally have IP changes in the range of hours to days for every mobile client."
Better transaction authentication, using technologies such as biometrics, could help. As the financial industry gets a better handle on the steps needed to secure mobile-banking transactions, Rouse says security and authentication will improve. During the Mobile Financial Services Forum (@Twitter #MobileForum) in Arlington, Va., Rouse discussed some of the security challenges facing the industry.
In this interview, Rouse gives his top three tips for mobile security, explaining:
- The role biometrics plays in transaction authentication;
- The importance of managing the user experience; and
- Solid analytics: A banker's "best friend."
Rouse is the principal security consultant for Cigital, where he leads the mobile and wireless security practice, performs security architecture assessments and serves as an advisor to some of the world's largest development organizations. He also is responsible for the creation of durable, actionable artifacts, spanning the continuum of software security from development standards to enterprise risk-management frameworks.
Mobile NFC and Global Platform

TRACY KITTEN: Mobile security concerns -- it's a big concern, and for many reasons we don't yet truly understand. Jason Rouse, a mobile security expert, talks about mobile's vulnerabilities during the Mobile Financial Services Forum in Arlington, Va. Jason, you sat on a panel and during that panel discussion we talked quite a bit about the security of the mobile channel overall, and you noted that near-field communications or radio-frequency communication is perhaps the least secure type of communication. I also spoke with someone who was talking about Global Platform, this set of standards set up to protect some of this wireless connectivity or wireless communication. Could you talk a little bit about the security and where Global Platform, from your mind, fits into the picture?
JASON ROUSE: Global Platform is a set of protocols and standards that allow for secure communication over potentially insecure channels. When we were talking on the panel yesterday, I wanted to note that radio-frequency communication, in general -- 802.11, ZigBee, Bluetooth -- are very insecure by nature, and therefore must be paired up with things like Global Platform in order to be even remotely secured. Most of the time, security standards are very well implemented and they are very well designed. But, throughout history, in almost every platform available, there have always been implementation problems; there have always been hiccups, and there have always been issues that come up, usually when a technology or a standard has been used beyond its normal end-of-life.
We have used TCP for a long time and a lot of hiccups have come up over the last 10 years in the Internet, and that is because it is being used much, much further than its design capacity. Global Platform is relatively recent and very dynamic, but at the same time, we still have to rely on old-fashioned things, like getting it right, especially in implementation, and we have to make sure that we test these things in order to actually assure security in the platform. Global Platform paired with radio-frequency communication should be secure; in general, though, each does not guarantee security for the other.
Mobile Authentication and Biometrics

KITTEN: One of the things that we talked about related to authentication, and this kind of ties in with IP security. With the mobile device, it is a fluid IP address, so it is very difficult to authenticate or to do some kind of comparison or data analytics, because this person browsing the Internet could be browsing the Internet on a mobile device anywhere in the world and there is no way to really nail down where this person is. So, how do we get around some of those authentication questions, when it comes to mobile banking or mobile payments, and what role, perhaps, could biometrics play?
ROUSE: I think that biometrics are wonderful. A lot of the time, we are limited by the number of transducers on the phone; so it would be great if I could just press my fingertip down on the surface of the screen and have it become a fingerprint, but, unfortunately, with most platforms, we are limited to simply a microphone as our main biometric transducer. In terms of using biometrics to firmly identify a person, I think it is a great idea and it has lots of technical merit. I think that the handsets, though, are far from the ideal for a platform that could capture those biometrics, so we may see things like sleeves or add-on devices, even Bluetooth-tethered devices, that may take things like fingerprints or even iris scans easier. But right now, platforms like Android, iPhone and BlackBerry simply don't have a very rich set of capabilities.
You mentioned the IP address being very fluid, and it's an unfortunate side-effect of the way that a lot of wireless networks are structured. So, as I connect and disconnect from the network, as I turn my phone on and off or as I just roam to other carriers, it is actually very difficult to maintain a single IP address. As a consequence of the way that the networks are structured, technically, we normally have IP changes in the range of hours to days for every mobile client. While we can white-list things like IP blocks for providers such as AT&T, Verizon, T-Mobile and Sprint, we generally can't rely on individual IP addresses per handset as a white-listing capability for our transaction security.
Mobile: 3 Security Tips

KITTEN: What are the three pieces of advice that you could give to an institution that is just now beginning to embark upon a mobile platform?
ROUSE: The first one: Manage user experience. You have to be careful in moving into the mobile platform, because you are speaking to a different mindset in potentially the same customer; but it is a very different mindset when you are using a mobile handset and a mobile device.
No. 2: All of the technology you need to secure your phones already exists, so you should not panic that you don't have the controls that you need and you shouldn't panic that the mobile devices are some sort of magical land that you can't control -- you can. But it is going to take a long-term investment in both research and implementation to get the mobile device or the mobile platform to the place where you, as a bank, would want it to be.
And third: Your best friend is analytics. Keeping track of what is happening in your systems -- antifraud, anti-money laundering and even just transaction-risk measures -- can be your best option as you deploy mobile devices or mobile applications to mobile platforms.
So those are very important, and if I can add a fourth: Make the platform transparent. In terms of market-capture or subscriber-capture, what you really want to do is ignore the fact that you know one platform is more popular or more interesting than the other. Right now, the top three platforms in North America are iPhone, Android and BlackBerry, in no particular order. You should make sure that if you deploy a capability on one that it actually is on all of the others as well. And even though the platforms differ in their security capabilities, the controls that you already have can be used effectively to secure each platform, regardless of their inherent capabilities.
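As an added illustration of Rouse's point about fluid handset IP addresses (this script is not from the interview or from Cigital), the code below contrasts pinning a handset to a single IP address, which fires on every carrier-driven reassignment, with checking membership in a carrier's IP block and feeding the rate of address changes into transaction-risk analytics. The carrier blocks and the session history are constructed placeholders, not real carrier allocations.

```python
import ipaddress
from datetime import datetime

# Constructed placeholder carrier IP blocks (documentation ranges, not real allocations).
CARRIER_BLOCKS = {
    "carrier-a": [ipaddress.ip_network("198.51.100.0/24")],
    "carrier-b": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed session history for one handset: (timestamp, source IP).
# The address changes within hours (carrier reassignment) and again after a day (roaming).
SESSIONS = [
    (datetime(2011, 6, 1, 9, 0), "198.51.100.17"),
    (datetime(2011, 6, 1, 14, 30), "198.51.100.42"),   # same carrier, new address
    (datetime(2011, 6, 2, 8, 15), "203.0.113.5"),      # roamed onto another carrier
]


def carrier_for(ip):
    """Return the carrier whose block contains ip, or None for an unknown source."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CARRIER_BLOCKS.items():
        if any(addr in net for net in nets):
            return name
    return None


def pin_to_handset_ip(sessions):
    """Naive control: count every IP change as a security event (noisy on mobile)."""
    return sum(1 for (_, prev), (_, cur) in zip(sessions, sessions[1:]) if prev != cur)


def carrier_block_check(sessions):
    """Block-level allow-list: flag only sessions whose source is outside any known carrier block."""
    return [ip for _, ip in sessions if carrier_for(ip) is None]


def ip_change_rate(sessions):
    """Analytics signal: distinct source addresses per day, as an input to a transaction-risk score."""
    span_days = (sessions[-1][0] - sessions[0][0]).total_seconds() / 86400
    return len({ip for _, ip in sessions}) / max(span_days, 1)


if __name__ == "__main__":
    print("per-handset IP pinning alerts:", pin_to_handset_ip(SESSIONS))
    print("sessions outside carrier blocks:", carrier_block_check(SESSIONS))
    print("distinct IPs per day:", ip_change_rate(SESSIONS))
```

The pinning control raises two alerts for a legitimate user, while the block-level check raises none and leaves the change rate to the analytics layer to weigh alongside other transaction-risk signals.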