How to build Web application security into your mobile banking policy

Web applications on mobile devices are under threat from many sources, especially when those applications are used for mobile banking. In this tip, learn the steps to creating a Web application security policy that protects mobile devices from the unique threats they face.

More on mobile banking
Remote deposit capture carries risk and convenience

When will attackers go mobile?
Today's threats are growing in size and complexity as more mobile devices are used to check bank balances or execute simple transfers, exchange email that contains sensitive information or store confidential documents. Most banks develop a password policy to protect Web applications on these mobile devices. The reality is that this is not enough.

Web applications associated with mobile banking are under threat from a variety of sources, such as: loss or theft of the mobile device resulting in exposure of data, interception of sensitive data that passes over Wi-Fi or a 3G network, capture of data via Bluetooth connections and mobile viruses.

The goal of a Web application security policy is to find or intercept these threats before they fully exploit the vulnerabilities and to maintain balance between consumer convenience and heavy-duty security. To achieve this, financial services should work through the following steps before a Web application is released to end users.

Review security policies to ensure they are specific to already-installed Web applications and adequately govern the use of mobile devices on the network. These policies must be enforced technologically and are dependent on user compliance. Do not apply generic security policies.

Review software life cycle documents in all phases to ensure planned Web applications have met security requirements and that their threat vulnerability analysis has been updated. Ensure application design evaluation has been adequately conducted.

Don't miss need-to-know info!
Security pros at financial organizations can't afford to be the last to know. Sign up for email updates from SearchFinancialSecurity.com and you'll never be behind the curve!
Conduct a pilot study by testing Web application security in a sample portion of a mobile banking system. This will help security managers to solve any potential technological and user compliance problems before conducting the test on a large scale, as well as determine what education and training the testers will need to solve unusual anomalies. Without proper training and education, finding or stopping the threats before they exploit the application vulnerabilities can be difficult.

As part of the study, perform the following steps to ensure the application security policy is adequate. This process can be repeated within any step to fix inherent problems.

  • Configure application servers so they do not forward emails or banking transactions marked as spam applications to mobile devices.
  • Integrate the latest digital signature capabilities into the applications. These should enable mobile workers to capture high quality digital signatures and route them wirelessly to back-end systems.
  • Install an encryption program for storage cards. A thief could take one of these cards and access unprotected data on another device.
  • Review mobile usage policies to determine if users are allowed to connect their devices to their company PCs via cradle, USB cable or Bluetooth. Technology changes could make mobile usage more vulnerable.
  • Run a password strength checker to ensure the password will be very strong. The password must be protected with strong PINs and passphrases. In addition to numbers and letters, they must include symbols. The length should be at least 12 characters.
  • Review backup and restoration policies. Run backup tapes at off-production times to ensure they are in good condition when the data and files are restored.

Protecting Web applications within banking mobility can be a challenge for a financial services firm. Developing the policy to protect them can make the job easier and keep data safer.

About the author:
Judith M. Myerson is a Systems Architect and Engineer and Enterprise System Integration consultant. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, computer security, information assurance, financial RFID technologies and project management. She can be reached at jmyerson@verizon.com.


This was first published in November 2008

Dig deeper on Mobile device security in financial institutions

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close