Web applications associated with mobile banking are under threat from a variety of sources, such as loss or theft of the mobile device resulting in exposure of data, interception of sensitive data passing over Wi-Fi or a 3G network, capture of data via Bluetooth connections, and mobile viruses.
The goal of a Web application security policy is to find or intercept these threats before they fully exploit the vulnerabilities and to maintain a balance between consumer convenience and heavy-duty security. To achieve this, financial services firms should work through the following steps before a Web application is released to end users.
Review security policies to ensure they are specific to already-installed Web applications and adequately govern the use of mobile devices on the network. These policies must be enforced technically, although they also depend on user compliance. Do not apply generic security policies.
Review software life cycle documents in all phases to ensure planned Web applications have met security requirements and that their threat vulnerability analysis has been updated. Ensure application design evaluation has been adequately conducted.
As part of this review, perform the following steps to ensure the application security policy is adequate. The process can be repeated at any step to fix problems that surface.
- Configure application servers so they do not forward emails or banking transactions that have been marked as spam to mobile devices.
- Integrate the latest digital signature capabilities into the applications. These should enable mobile workers to capture high quality digital signatures and route them wirelessly to back-end systems.
- Install an encryption program for storage cards. A thief could take one of these cards and access unprotected data on another device.
- Review mobile usage policies to determine if users are allowed to connect their devices to their company PCs via cradle, USB cable or Bluetooth. Technology changes could make mobile usage more vulnerable.
- Run a password strength checker to ensure passwords are very strong. Access must be protected with strong PINs and passphrases; in addition to numbers and letters, these must include symbols, and the length should be at least 12 characters.
- Review backup and restoration policies. Exercise backup tapes during off-production hours to confirm they are in good condition and that data and files restore correctly.
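The password and PIN requirements in the list above can be turned into an automated policy check. The following Python is an added example, not code from the original article or from any product it mentions: it enforces the article's stated rules (at least 12 characters, with letters, digits and symbols) and adds, as assumptions, a small constructed common-password list, a repeated-character check, and a minimum PIN length of 6 with rejection of all-identical and sequential digits.

```python
import re
import string
from typing import List

# Policy thresholds from the article: at least 12 characters, with letters,
# digits and symbols all present.
MIN_PASSWORD_LENGTH = 12

# Assumption: minimum PIN length; the article does not specify one.
MIN_PIN_LENGTH = 6

# Constructed sample of weak passwords the checker should also reject. A real
# deployment would consult a much larger breached-password list (assumption).
COMMON_PASSWORDS = {
    "password1234",
    "bankaccount1!",
    "qwerty123456",
}


def check_password_strength(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    # Reject runs such as "1111" or "aaaa" that pad length without adding entropy.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains four or more repeated characters in a row")
    return problems


def is_strong(password: str) -> bool:
    return not check_password_strength(password)


def check_pin(pin: str) -> List[str]:
    """Return policy violations for a numeric PIN; empty list means it passes."""
    if not pin.isdigit():
        return ["PIN must contain only digits"]
    problems = []
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    digits = [int(c) for c in pin]
    steps = [b - a for a, b in zip(digits, digits[1:])]
    # "123456" or "987654": every step is +1 or every step is -1.
    if steps and (all(s == 1 for s in steps) or all(s == -1 for s in steps)):
        problems.append("digits form a sequence")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3xample!", "password1234", "Short1!"]:
        print(candidate, "->", check_password_strength(candidate) or "OK")
    for candidate in ["492817", "111111", "123456", "12ab56"]:
        print(candidate, "->", check_pin(candidate) or "OK")
```

The checker returns the full list of violations rather than a single pass/fail so that an enrolment screen can tell the user exactly which rule was missed; the common-password and repeated-run checks matter because a 12-character password that is "aaaa1111!!!!" satisfies the character-class rules yet is trivially guessable.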
Protecting Web applications within banking mobility can be a challenge for a financial services firm. Developing the policy to protect them can make the job easier and keep data safer.
About the author:
Judith M. Myerson is a Systems Architect and Engineer and Enterprise System Integration consultant. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, computer security, information assurance, financial RFID technologies and project management. She can be reached at firstname.lastname@example.org.
This was first published in November 2008