Insight Report mobile banking security mFinancial Services Series www.goodeintelligence.com First Edition October 2012 Whilst information, advice or comment is believed to be correct at © Goode Intelligence time of publication, the publisher cannot accept any responsibility All Rights Reserved for its completeness or accuracy. Accordingly, the publisher, author, or distributor shall not be liable to any person or entity with respect to any loss or damage caused or alleged to be caused Published by: directly or indirectly by what is contained in or left out of this Goode Intelligence publication. 26 Dover Street London All rights reserved. No part of this publication may be reproduced, W1S 4LY stored in a retrieval system or transmitted in any form or by any United Kingdom means, electrical, mechanical, photocopying and recording without Tel: +44.20.33564886 the written permission of Goode Intelligence. Fax: +44.20.33564886 www.goodeintelligence.com [email protected] Mobile Banking Security CONTENTS Introduction to Mobile Banking Security ................................................................................................ 3 Five years of rapid change .................................................................................................................. 3 Banking goes mobile ........................................................................................................................... 4 What about security? .......................................................................................................................... 4 Executive Summary ................................................................................................................................. 5 Smart phones can improve banking security ...................................................................................... 5 Potential pitfalls .................................................................................................................................. 6 Mobile Vulnerabilities ..................................................................................................................... 6 Mobile malware on the rise and targeting banks ........................................................................... 6 How banks need to respond ............................................................................................................... 7 Market analysis ....................................................................................................................................... 8 Business drivers for the banks ............................................................................................................ 8 Convenience trumps security ............................................................................................................. 9 Ease of use is essential, but poor security is a “show stopper” ........................................................ 10 Mobile could be more secure ........................................................................................................... 10 Less malware ................................................................................................................................. 10 Personal relationship to the device .............................................................................................. 11 Continuous connection ................................................................................................................. 11 Multi-factor Authentication and Verification (MFA/MFV) ........................................................... 11 Regional Guide ...................................................................................................................................... 14 Introduction ...................................................................................................................................... 14 The global rise of the mobile phone ................................................................................................. 14 Africa ................................................................................................................................................. 15 Case study: South Africa ............................................................................................................... 16 Asia .................................................................................................................................................... 17 USA .................................................................................................................................................... 18 Case study – Bank of America ....................................................................................................... 19 Europe ............................................................................................................................................... 20 UK .................................................................................................................................................. 20 Slovakia ......................................................................................................................................... 22 Australasia ......................................................................................................................................... 23 Goode Intelligence © 2012 P a g e | 1 www.goodeintelligence.com Mobile Banking Security New Zealand ................................................................................................................................. 23 Rest of the world ............................................................................................................................... 24 Compliance and regulation ................................................................................................................... 25 USA .................................................................................................................................................... 25 Shifting responsibilities ................................................................................................................. 25 Western Europe ................................................................................................................................ 26 Conclusion ......................................................................................................................................... 26 Technology ............................................................................................................................................ 27 Introduction ...................................................................................................................................... 27 Dealing with the right person: Authentication ................................................................................. 27 Multi-Factor Authentication/ Verification (MFA/MFV) ................................................................ 28 The threat landscape .................................................................................................................... 29 Building secure apps – and keeping them secure ............................................................................. 31 Test the whole system .................................................................................................................. 32 How to keep apps secure .............................................................................................................. 33 Handling high smart phone turnover ............................................................................................ 33 Broader considerations ..................................................................................................................... 34 Goode Intelligence advice summary ................................................................................................. 36 Technology vendors and service providers .......................................................................................... 37 Introduction ...................................................................................................................................... 37 Encap ................................................................................................................................................. 38 Entersekt ........................................................................................................................................... 40 Entrust ............................................................................................................................................... 41 Monitise ............................................................................................................................................ 42 RSA .................................................................................................................................................... 43 Beating rogue apps ....................................................................................................................... 43 Managing transaction risks across the channels .......................................................................... 43 Future additions ............................................................................................................................ 44 SecurEnvoy .......................................................................................................................................