How to build Web application security into your mobile banking policy


When will attackers go mobile?
Today's threats are growing in size and complexity as more mobile devices are used to check bank balances or execute simple transfers, exchange email that contains sensitive information or store confidential documents. Most banks develop a password policy to protect Web applications on these mobile devices. The reality is that this is not enough.

Web applications associated with mobile banking are under threat from a variety of sources, such as:

  • loss or theft of the mobile device, resulting in exposure of data
  • interception of sensitive data that passes over Wi-Fi or a 3G network
  • capture of data via Bluetooth connections
  • mobile viruses

The goal of a Web application security policy is to find or intercept these threats before they fully exploit the vulnerabilities, while maintaining a balance between consumer convenience and heavy-duty security. To achieve this, financial services firms should work through the following steps before a Web application is released to end users.

Review security policies to ensure they are specific to already-installed Web applications and adequately govern the use of mobile devices on the network. These policies must be enforced with technical controls, and they also depend on user compliance. Do not apply generic security policies.

Review software life cycle documents in all phases to ensure planned Web applications have met security requirements and that their threat vulnerability analysis has been updated. Ensure application design evaluation has been adequately conducted.

Conduct a pilot study by testing Web application security in a sample portion of a mobile banking system. This will help security managers solve any potential technological and user compliance problems before conducting the test on a large scale, and will show what education and training the testers need to handle unusual anomalies. Without proper training and education, finding or stopping the threats before they exploit the application vulnerabilities can be difficult.

As part of the study, perform the following steps to ensure the application security policy is adequate. This process can be repeated within any step to fix inherent problems.

  • Configure application servers so they do not forward emails or banking transactions that have been flagged as spam to mobile devices.
  • Integrate the latest digital signature capabilities into the applications. These should enable mobile workers to capture high quality digital signatures and route them wirelessly to back-end systems.
  • Install an encryption program for storage cards. A thief could take one of these cards and access unprotected data on another device.
  • Review mobile usage policies to determine if users are allowed to connect their devices to their company PCs via cradle, USB cable or Bluetooth. Technology changes could make mobile usage more vulnerable.
  • Run a password strength checker to confirm that every password is very strong. Passwords must be backed by strong PINs and passphrases, and these must include symbols in addition to numbers and letters, with a length of at least 12 characters.
  • Review backup and restoration policies. Exercise backup tapes at off-production times so that they are known to be in good condition when data and files must be restored.
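The password rules in the list above can be turned directly into a checker. The following is an added example, not code from the original article: it encodes the stated policy (at least 12 characters, with letters, numbers and symbols all present) and reports every rule a candidate fails; the choice of ASCII punctuation as the symbol set is an assumption, since the article does not define one.

```python
"""Password policy checker for the rules listed above.

Added example, not code from the original article: it encodes the stated
requirements (at least 12 characters; letters, numbers and symbols all
present) and reports every rule a candidate fails, so a reviewer sees exactly
why a password or passphrase was rejected rather than a bare pass/fail.
"""
import string

MIN_LENGTH = 12  # minimum length stated in the policy above

# Assumption: "symbols" means ASCII punctuation; the article does not define
# the symbol set, so adjust this to the bank's own policy.
SYMBOLS = frozenset(string.punctuation)


def check_password(candidate: str) -> list[str]:
    """Return the policy rules the candidate violates (empty list = compliant)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in candidate):
        failures.append("no letters")
    if not any(ch.isdigit() for ch in candidate):
        failures.append("no numbers")
    if not any(ch in SYMBOLS for ch in candidate):
        failures.append("no symbols")
    return failures


def is_compliant(candidate: str) -> bool:
    """True when the candidate satisfies every rule in the policy."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    samples = [
        "password",                   # too short, no numbers, no symbols
        "correcthorsebattery",        # long enough but letters only
        "123456789012",               # digits only
        "horse battery 42 staple!",   # a passphrase that satisfies every rule
    ]
    for s in samples:
        problems = check_password(s)
        verdict = "OK" if not problems else "REJECT: " + ", ".join(problems)
        print(f"{s!r:30} {verdict}")
```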

Protecting Web applications within banking mobility can be a challenge for a financial services firm. Developing the policy to protect them can make the job easier and keep data safer.

About the author:
Judith M. Myerson is a Systems Architect and Engineer and Enterprise System Integration consultant. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, computer security, information assurance, financial RFID technologies and project management. She can be reached at jmyerson@verizon.com.

This was first published in November 2008
