Transcript of Clifford wilke

Page 1

Page 2

Comptroller of the Currency, Administrator of National Banks

Wireless Banking
April 1, 2003

Clifford A. Wilke, Director of Bank Technology, Office of the Comptroller of the Currency, Washington, DC

Page 3

The views and opinions expressed in this presentation do not necessarily represent the views and directives of the Office of the Comptroller of the Currency or the Office of the Director of the Bank Technology Division.

Page 4

Wireless Banking Motivations

- Banks and financial service companies are offering wireless account access
  - Extension of internet applications
  - Delivery to highly portable cell phones & personal digital assistants
  - More people getting devices
  - Features improving as technologies advance
- Improve customer retention rates, especially technology-oriented customers

Page 5

Wireless Banking Methods

- Retail Delivery
  - PCs relying on non-bank-owned wireless LANs or cell phone dial-in to access internet banking products
  - Mobile devices (e.g., cell phones, PDAs) accessing banking products customized to smaller form factors
  - Application support outsourced
- Services range from full internet banking services to limited balance inquiry, funds transfer, bill pay & brokerage

Page 6

Wireless Link

- Retail Delivery
  - Wireless LANs rely on unlicensed radio frequencies and IEEE 802.11 standards
  - Cell phone delivery relies on licensed radio frequencies and evolving voice-to-data focused delivery standards

Page 7

Challenges

- Security
- Systems development and life cycle management
- Performance
- Return on investment

Page 8

Reported Data Security Incidents

Source: CERT/CC; statistics are not limited to the banking industry and include all reported incidents

Unauthorized Activity Incidents Increasing (chart: reported incidents per year)

  Year    Incidents
  1995        2,412
  1996        2,573
  1997        2,134
  1998        3,734
  1999        9,859
  2000       21,756
  2001       52,658
  2002       82,094

Page 9

Identity Theft

- 86,200 identity theft incidents last year, up from 31,000 the prior year
- The cost to consumers averaged $1,200 per crime
- Some incidents required victims to spend up to three years communicating with lenders and credit bureaus to straighten out records

Source: Issue 771, Sept. 2002, of The Nilson Report, p. 9 (FTC data)

Page 10

Banking Risks

- Same inherent risks and issues as Internet Banking
- Primary risks affected:
  - Strategic
  - Transaction
  - Reputation
  - Compliance

Page 11

Strategic Risk

- Determining wireless banking's role in delivering products and services
- Defining risk versus reward goals and objectives
  - Is the reward added revenue, saving lost revenues, and/or increased efficiency?
  - Are capital expenditures (at purchase and retirement), maintenance and operating costs less than the reward (i.e., income)?

Page 12

Strategic Risk

- Implementing emerging e-banking strategies
  - First Mover ("bleeding edge") vs. wait and see (permanently lose market share)
  - Ease of implementing outsourced solution to keep up with the competition
  - Financial stability of vendors
- Uncertain customer acceptance
- Using standards not designed for secure banking environment needs
- Rapidly changing technology standards
- Expertise

Page 13

Transaction Risk

Security Issues

- Wireless transmission encryption
  - Standards retro-fitted once security became an issue
  - Designed to protect transmitted data from unauthorized access/use
  - Early standards 802.11 and Wireless Access Protocols (i.e., WAP) have known vulnerabilities
  - Potential need to upgrade equipment as standards change

Page 14

Transaction Risk

Security Issues

- Access codes stored on the device may allow account access if the device is lost or accessed
- User names and passwords may be entered in clear view on the screen
- Customer acceptance of alphanumeric PINs
  - Mobile phones require pressing a number key multiple times for certain letters, which may be challenging even if the display is not asterisked out (i.e., ****)

Page 15

Transaction Risk

Security: Lessons Reinforced

- Unproven standards can have security weaknesses
- Risk of external attacks increases as services expand to allow greater access to systems
- Companies need to maintain knowledge of attack techniques, known and newly identified
- End-to-end security is key
  - Do not rely on wireless transport layer security for banking application security
- Need effective change management processes
- Encourage customers to use good PIN/password management practices

Page 16

Transaction and Reputation Risk

- Outsourcing
  - Access to expertise
  - Knowledge of wireless communication standards and encryption methods
  - Developing and converting existing products and services for wireless transmission and use
- Effect of device characteristics
  - Smaller screens
  - Button or stylus commands

Page 17

Reputation Risk

- Reliability of delivery network
  - Customer acceptance of no service due to telecommunications issues when they are in areas where they expect service (consumer expectations)
  - Processing and handling of interrupted transactions
- Integration of wireless applications with existing products and services

Page 18

Compliance Issues

- Disclosures
  - Wireless banking devices are easier to lose and may increase the potential for unauthorized usage
  - Types of services offered affect the level of risk (e.g., P2P payments increase risk)
- Privacy concerns from location-based services

Page 19

GLBA Compliance

Primary Elements of Information Security Program

- Involve Board of Directors
- Assess Risk
- Manage and Control Risk (including testing)
- Oversee Service Providers
- Adjust Program

Page 20

Characteristics of Good Risk Management

- Sound definitions of acceptable risk
- Ownership of the risk assessment
- Explicitly accept risks
- Identify key controls
- Create a test plan and follow up on results
- Ongoing Board involvement
- Active Vendor Management
- Sufficient Technical Expertise
- Appropriate Business Continuity Planning

Page 21

Industry Initiatives

- Many companies have strong policies in place to maintain their position of trust
- The reputational risk of the company and loss of market share are at stake
- Financial exposure is real

Page 22

Best Practices

- Secure architecture
- Vulnerability management
- Intrusion detection
- Information sharing
- Training and awareness
- Regular testing, reporting, improving

Page 23

What's Next - We Need to Focus On

- Security
- Authentication and Verification
- Proper Due Diligence and Complete Understanding of the Issues
- Prepare now for what is ahead
- New Entrants into the Marketplace
- International Perspective in the New World

Page 24

OCC Technology Issuances

- FFIEC Information Security Booklet (February 2003)
- Electronic Banking Final Rule (May 2002)
- Bank Use of Foreign-Based Service Providers (May 2002)
- ACH Transactions Involving the Internet (January 2002)
- Authentication in an E-Banking Environment (July 2001)
- Weblinking (July 2001)
- Alert - Network Security (April 2001)
- GLBA Guidelines to Safeguard Customer Information (Feb 2001)
- Risk Management of Outsourced Technology Services (Nov 2000)
- Infrastructure Threats--Intrusion Detection (May 2000)
- Alert - Distributed Denial of Service (February 2000)
- Alert - Internet Domain Names (July 2000)
- Infrastructure Threats from Cyber-Terrorists (99-9)
- Technology Risk Management: PC Banking (98-38)
- Technology Risk Management (98-3)

Page 25

Page 26

Summary

Safety, Soundness and Responsibility will remain the primary driver