SECURITY ARCHITECTURE INSIDER

How to build Web application security into your mobile banking policy


Judith Myerson, Contributor
11.11.2008


Today's threats are growing in size and complexity as more mobile devices are used to check bank balances, execute simple transfers, exchange email that contains sensitive information, or store confidential documents. Most banks develop a password policy to protect Web applications on these mobile devices. The reality is that this is not enough.

Web applications associated with mobile banking are under threat from a variety of sources, such as loss or theft of the mobile device resulting in exposure of data; interception of sensitive data that passes over Wi-Fi or a 3G network; capture of data via Bluetooth connections; and mobile viruses.

The goal of a Web application security policy is to find or intercept these threats before they fully exploit the vulnerabilities, and to maintain a balance between consumer convenience and heavy-duty security. To achieve this, financial services firms should work through the following steps before a Web application is released to end users.

Review security policies to ensure they are specific to already-installed Web applications and adequately govern the use of mobile devices on the network. These policies must be enforced technologically and are dependent on user compliance. Do not apply generic security policies.

Review software life cycle documents in all phases to ensure planned Web applications have met security requirements and that their threat vulnerability analysis has been updated. Ensure application design evaluation has been adequately conducted.

Conduct a pilot study by testing Web application security in a sample portion of a mobile banking system. This will help security managers to solve any potential technological and user compliance problems before conducting the test on a large scale, as well as determine what education and training the testers will need to solve unusual anomalies. Without proper training and education, finding or stopping the threats before they exploit the application vulnerabilities can be difficult.

As part of the study, perform the following steps to ensure the application security policy is adequate. This process can be repeated within any step to fix inherent problems.

  • Configure application servers so they do not forward emails or banking transactions flagged as spam to mobile devices.
  • Integrate the latest digital signature capabilities into the applications. These should enable mobile workers to capture high quality digital signatures and route them wirelessly to back-end systems.
  • Install an encryption program for storage cards. A thief could take one of these cards and access unprotected data on another device.
  • Review mobile usage policies to determine if users are allowed to connect their devices to their company PCs via cradle, USB cable or Bluetooth. Technology changes could make mobile usage more vulnerable.
  • Run a password strength checker to ensure that passwords are very strong. Devices and applications must be protected with strong PINs and passphrases that include symbols in addition to numbers and letters, and that are at least 12 characters long.
  • Review backup and restoration policies. Run backup tapes at off-production times to ensure they are in good condition when the data and files are restored.

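As an added illustration of the password strength check called for above (example code, not a tool from the author or from any bank), the following policy checker enforces the thresholds the tip states: at least 12 characters, with letters, numbers and symbols all present. The rejection of long runs of one repeated character, the whitespace check and the small constructed deny-list are my own additions to show what a practical checker adds on top of the bare length-and-classes rule; the function names and the message strings are assumptions.

```python
import re

MIN_LENGTH = 12  # minimum length stated in the tip
MAX_RUN = 3      # my own addition: reject more than this many identical characters in a row

# Constructed deny-list for illustration only. A real deployment would load a
# much larger list of breached and commonly chosen passwords.
COMMON_PASSWORDS = {"password", "password123!", "qwerty123456", "letmein12345!"}

# Matches any character followed by MAX_RUN or more copies of itself.
_RUN = re.compile(r"(.)\1{%d,}" % MAX_RUN)


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy requirements the password violates.

    An empty list means the password satisfies every rule. Reporting all
    violations at once lets a user fix them in one attempt instead of
    discovering the rules one rejection at a time.
    """
    violations: list[str] = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Character classes required by the tip: letters, numbers and symbols.
    if not any(c.isalpha() for c in password):
        violations.append("no letters")
    if not any(c.isdigit() for c in password):
        violations.append("no digits")
    # A symbol is any character that is neither alphanumeric nor whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("no symbols")

    # Leading or trailing whitespace is almost always an entry error and
    # leads to lockouts later, so treat it as a violation.
    if password != password.strip():
        violations.append("leading or trailing whitespace")

    # Long runs of one character add length without adding strength.
    if _RUN.search(password):
        violations.append(f"a character repeated more than {MAX_RUN} times in a row")

    # Case-insensitive deny-list lookup.
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears in the common-password list")

    return violations


def is_strong(password: str) -> bool:
    """Convenience wrapper: True only when no requirement is violated."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample inputs; the first passes, the others each fail at least one rule.
    for candidate in ["Tr0ub4dor&3xample", "password", "Password123!", "aaaa1234!!!!bbbb"]:
        print(repr(candidate), "->", check_password_policy(candidate) or "ok")
```

The checker is deliberately a floor, not a ceiling: meeting every rule makes a password acceptable under the policy, but the deny-list is the check that catches the predictable choices a pure character-class rule would wave through, and in production it should be backed by a breached-password list rather than the four constructed entries above.
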
Protecting Web applications within banking mobility can be a challenge for a financial services firm. Developing the policy to protect them can make the job easier and keep data safer.

About the author:
Judith M. Myerson is a Systems Architect and Engineer and Enterprise System Integration consultant. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, computer security, information assurance, financial RFID technologies and project management. She can be reached at jmyerson@verizon.com.


All Rights Reserved, Copyright 2008 - 2009, TechTarget