Study on Managing The Risk of Mobile Banking Technologies

Description
Regulators and others commonly list additional risk considerations arising from the use of the mobile channel. These include: the higher possibility of loss of device, the restricted screen and keypad of the device, the information security of the end-to-end network, the availability and reliability of the communications network, and the use of outsourced service providers. However, a priori, these factors do not in themselves make most use cases of mFS more or less risky than other forms of e-banking.

This report was commissioned by FinMark Trust

Bankable Frontier Associates LLC
www.bankablefrontier.com
24 March 2008

BFA-080324
MANAGING THE RISK OF MOBILE BANKING TECHNOLOGIES
24 March 2008
Managing the Risk of Mobile Banking Technologies 2

EXECUTIVE SUMMARY

1. M-payments and m-banking are now spreading fast across the world, in developed and
developing countries. The use of mobile phones for mobile Financial Services (m-FS) is
relatively new and, as a consequence, the knowledge of the risks and the risk experience of
providers is still limited. However, the rapid take-up and potential scale of new offerings has
led to increased interest from mobile Financial Services Providers (mFSP), both banks and
non-banks, and from government regulators in understanding and managing any unique,
additional risks.
2. Two elements of the mobile channel are distinctive relative to other e-banking channels like
Internet banking or point of sale devices:
a. The mobile handset, which comes with a wide range of functionality from basic on
standard handsets to advanced on feature phones and smart phones;
b. The mobile network, which includes all the links carrying a data message from a handset
to the mFSP or vice versa and the methods used to communicate between the handset
and the mFSP.
Both these elements contribute to a different risk environment for m-banking. Boards and
management of mFSPs as well as regulators need to have a clear basic understanding of
how these elements work, including a comparison to other established e-banking channels.
Increasingly, as handset functionality increases, mobile financial services are converging
with Internet banking.
3. Regulators and others commonly list additional risk considerations arising from the use of
the mobile channel. These include: the higher possibility of loss of device, the restricted
screen and keypad of the device, the information security of the end-to-end network, the
availability and reliability of the communications network, and the use of outsourced service
providers. However, a priori, these factors do not in themselves make most use cases of m-FS
more or less risky than other forms of e-banking.
4. The main technical characteristics affecting the risks of m-FS are:
a. The security functionality available on the handset: the lower the security requirement
from the handset, the broader the potential market, especially in developing countries;
b. The degree of dependence or independence from a particular Mobile Network Operator
(which controls access to the SIM card and the mobile network): channel options may or
may not require downloading of an application to the SIM or phone, which in turn may
require participation of the manufacturer or MNO.

These characteristics imply four main use cases as summarized in the diagram below:

[Diagram reconstructed as text: the grid of Mobile Handset Capability (Standard (all) or
Advanced) against Independent of Mobile Network Operator? (Yes or No)]

Independent of MNO: Yes; Standard handset
Use Case 1: Use what is there, existing generic mobile bearer services provided on all phones,
accessible directly by user

Independent of MNO: Yes; Advanced handset
Use Case 2: Use mobile browsing services that are provided on phones
Use Case 3: Use advanced application services provided on phones

Independent of MNO: No; Standard handset
Use Case 4: Use a secure environment on the mobile provided by the MNO or MNOs

Independent of MNO: No; Advanced handset
Use Case 4 prime: Dedicated secure application environment on a handset

In general, in developing countries, the mass market for the foreseeable future will have
only standard handsets, hence m-FS models which seek wide reach are likely to fall into
Use Cases 1 or 4. These situations are more likely to be "Transformational" because of
the potential to extend financial services to people who are without them.
For applications in the upper end of developing markets or in developed markets, Use
Cases 2 or 3 are likely to apply. Use case 4 prime is not yet widely available.
5. m-FS are subject to many of the same vulnerabilities as e-banking. However, the risk
associated with each identified vulnerability must be evaluated in a three step process.
a. First, the likelihood and severity of the vulnerability occurring are assessed in order to
calculate the risk rating. That is done within each one of the Use Cases.
b. Second, control measures are proposed based on the assessed risk. The final risk is the
risk adjusted for the control measure.
c. Third, environmental factors may scale the adjusted risk rating upwards or downwards.
These factors include whether the mFSP is a new entrant or not; and the extent to which
the mobile channel is the main or dominant channel offered by the mFSP itself and/or on
a country basis.
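The three-step evaluation above (a rating from likelihood and severity within each Use Case, an adjustment for the proposed controls, and a scaling for environmental factors) can be written down as a small risk-matrix calculation. The following Python is an added example for this edition, not code from the report or its authors; the ordinal scale, the control reductions, the band thresholds, the environmental multipliers and the sample vulnerability are all assumptions chosen for illustration.

```python
"""Three-step risk evaluation for one mobile-channel vulnerability:
step a: likelihood x severity within each Use Case (inherent rating);
step b: re-score after the proposed controls (adjusted rating);
step c: scale by environmental factors (final rating).
All numeric values are assumptions for this example, not the report's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal scale assumed for this example; the report itself fixes no numeric values.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class Vulnerability:
    """A vulnerability rated separately within each Use Case (step a)."""
    name: str
    likelihood: Dict[str, int]  # Use Case -> LOW/MEDIUM/HIGH
    severity: Dict[str, int]    # Use Case -> LOW/MEDIUM/HIGH


@dataclass
class Control:
    """A business-process or product-design control (step b). Each reduction is the
    number of ordinal steps removed; a control never pushes a score below LOW."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class Environment:
    """Environmental factors (step c) as named multipliers: above 1 scales the
    adjusted rating upwards, below 1 downwards. Multipliers are assumed values."""
    factors: List[Tuple[str, float]] = field(default_factory=list)

    def scale(self) -> float:
        result = 1.0
        for _, multiplier in self.factors:
            result *= multiplier
        return result


def inherent_rating(v: Vulnerability, uc: str) -> int:
    """Step a: likelihood x severity within one Use Case (1..9)."""
    return v.likelihood[uc] * v.severity[uc]


def adjusted_rating(v: Vulnerability, uc: str, controls: List[Control]) -> int:
    """Step b: re-score after the controls, floored at LOW on each axis."""
    likelihood = max(LOW, v.likelihood[uc] - sum(c.likelihood_reduction for c in controls))
    severity = max(LOW, v.severity[uc] - sum(c.severity_reduction for c in controls))
    return likelihood * severity


def final_rating(v: Vulnerability, uc: str, controls: List[Control], env: Environment) -> float:
    """Step c: scale the adjusted rating by the environmental factors."""
    return adjusted_rating(v, uc, controls) * env.scale()


def band(rating: float) -> str:
    """Map a numeric rating to a reporting band (thresholds assumed for this example)."""
    if rating >= 6:
        return "HIGH"
    if rating >= 3:
        return "MEDIUM"
    return "LOW"


def evaluate(v: Vulnerability, controls_by_uc: Dict[str, List[Control]],
             env: Environment) -> Dict[str, dict]:
    """Run all three steps for every Use Case the vulnerability is rated in."""
    table = {}
    for uc in v.likelihood:
        controls = controls_by_uc.get(uc, [])
        final = final_rating(v, uc, controls, env)
        table[uc] = {
            "inherent": inherent_rating(v, uc),
            "adjusted": adjusted_rating(v, uc, controls),
            "final": final,
            "band": band(final),
            "controls": [c.name for c in controls],
        }
    return table


# Constructed sample: a plaintext-bearer exposure rated high likelihood in Use Case 1
# (no end-to-end encryption) and low in Use Case 4 (encryption provided within the SIM).
SAMPLE_VULNERABILITY = Vulnerability(
    name="Message content exposed on an unencrypted bearer",
    likelihood={"UC1": HIGH, "UC4": LOW},
    severity={"UC1": HIGH, "UC4": HIGH},
)
# Assumed controls for Use Case 1: product design and user education offset the gap.
SAMPLE_CONTROLS = {
    "UC1": [
        Control("Per-transaction value limit (product design)", severity_reduction=1),
        Control("User education on protecting the PIN and handset", likelihood_reduction=1),
    ],
}
# Assumed environment: a new entrant for whom mobile is the dominant channel.
SAMPLE_ENVIRONMENT = Environment(
    factors=[("new entrant", 1.25), ("mobile is the dominant channel", 1.25)]
)

if __name__ == "__main__":
    for uc, row in evaluate(SAMPLE_VULNERABILITY, SAMPLE_CONTROLS, SAMPLE_ENVIRONMENT).items():
        print(uc, row)
```

With the sample values, the controls bring the Use Case 1 rating down from 9 to 4, but the two environmental factors then scale it back up into the HIGH band, while the Use Case 4 rating lands in MEDIUM with no controls at all; that is the point of keeping the three steps separate in the matrix, so that a board can see which step a residual rating comes from.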
6. In general, Use Case 1, which is common in developing countries and can provide ubiquitous
access, presents higher inherent technology-related risks largely because of the lack of
end-to-end secure encryption of messages. This increased risk may be mitigated by effective
business process and/or product design controls. Use Case 4 addresses the encryption risk by
providing encryption within the SIM and provides the most security, but its use and market
may be limited by the need for MNO cooperation and a SIM with SIM Toolkit
capability. In Use Cases 2 and 3, the risks (and services) increasingly converge with
standard Internet banking risks.
7. Emerging technology: several developments are likely to change the picture of risk:
a. An increasing proportion of smart phones will lead to more reliance on Use Case 2 and 3
even in developing countries; this will heighten the need for knowledge of e-banking risks
in countries in which Internet banking may not yet be common;
b. The development of near field communication (NFC) enabled handsets which can
effectively act as a token for local purchases (already common in Japan and under trial in
several developed countries such as UK and US) is likely to further increase take-up of
m-FS. The risks of the integration of NFC into mobile banking require further
investigation and are outside the scope of this report.

8. Findings:
The mobile technology options available today allow for a variety of choices when
implementing Mobile Financial Services. Options range from technologically secure end-to-end
implementations to less secure options that do not have full mobile to banking system
security.
It is possible to offset the increase in risk caused by using less secure mobile technologies
by introducing operational controls.
The ubiquity of less secure mobile technologies, namely Voice/DTMF/IVR, SMS and USSD
on all mobile handsets and the feasibility to offset the risks introduced by their use in mobile
financial service provision makes it possible to extend financial services to all mobile
subscribers.
Given the lower levels of mobile handset technology prevalent in many developing countries,
transformational mobile banking can be accomplished by a careful appraisal, introduction
and management of operational controls (including user education) necessary to offset the
higher technical risks inherent in choosing ubiquitous but less secure technologies.
The following diagram depicts the security models that can be used and the relative tradeoffs
between technical security and operational controls that are discussed in this report.
Moving to prudent and adjusted security models requires a proportionate regulatory
framework within which to ensure on-going and active supervision of risk management.
[Diagram reconstructed as text: security models plotted by Level of Mobile Channel Technical
Security against Level of Operational Controls]

End-to-end security model: Use Cases 2, 3 and 4
Prudent mobile security model: Use Case 1 (less technology and more process control)
Adjusted mobile security model: custom implementation
Recommendations:
9.1 For mFSPs:
a. To provide transformational m-FS, the mFSP should consider choosing technologies, such
as those in Use Case 1, that provide quick and widespread access to its services. Where
less secure technology is chosen, technical and operational countermeasures can be
introduced to reduce the risk both to the business and to individual clients.
b. The boards and management of mFSPs should develop a comprehensive risk framework.
This is true for banks and non-banks alike. For starting a business, a probable Use Case
should be the basis for this framework.
c. mFSPs should either implement the BIS operational risk management principles or highlight
where they intend to deviate from them.
d. After the initial business launch, the risk framework (in the form of a risk matrix) should be
updated in light of risk experience as well as other vulnerabilities identified once operational.
e. Just as large international financial institutions are increasingly sharing their experiences of
operational risk on an ongoing, confidential basis through information exchanges such as
ORX, mFSPs operating in particular Use Cases may benefit from an arrangement in which a
current industry level assessment of vulnerabilities and risk is available as a benchmark for
operational risk assessment.
9.2 For financial regulators:
f. Regulators should be careful not to entrench technology specific standards in regulations
which may unnecessarily stifle m-banking development. They should create a flexible,
proportionate framework within which an on-going, active supervision of mFSPs can take
place. This assures attention to the mobile channel risks while providing adequate room for
risk appropriate innovations.
g. Regulators engaging with domestic mFSPs should share their learning with colleagues in
other jurisdictions in a structured manner so as to contribute to and benefit from an emerging
global perspective.
9.3 For mFSPs, financial regulators and organizations promoting the development of the sector:
h. Given the lower levels of mobile technology prevalent in many developing countries,
transformational mobile banking is best accomplished by a careful appraisal of the
operational controls (including user education) necessary to offset the higher technical risks
inherent in choosing ubiquitous but less secure technologies.
i. The basic level of knowledge required by board, senior management and financial regulators
to meet Basel Guidelines for awareness of operational risk management in this new area
should be defined. Training curricula should be developed to meet this need.
j. As the rapid pace of technological change continues, a trusted central organization should
maintain a list of all known vulnerabilities of the mobile channel, updated by experience, to
which regulators and mFSPs should have access as a baseline for their risk frameworks.

ACKNOWLEDGEMENTS
Specific thanks to those who gave their time to participate in our interviews, whose names are
listed in Annex N; and to the following who gave comments on drafts of the document: Jenny
Hoffmann, John Ratichek, and the participants at the Transformational Branchless Banking
Seminar in Windsor, England in March 2008.

Johann Bezuidenhoudt, Johannesburg, South Africa
David Porteous, Somerville, MA USA
24 March 2008

FOREWORD—the FinMark Trust Mandate
FinMark Trust has established a strong reputation for producing credible research which supports
the development of innovative approaches to extend access to financial services. FinMark Trust
then seeks to make this research widely available to market participants, unlike proprietary
research which is not easy or affordable for many to access.
In pursuit of its mission, FinMark has commissioned a series of reports on m-banking, most
recently "Mobile Banking Technology Options" by Troytyla (Gavin Kruegel) which overviews the
different mobile banking technology options available in the market.
In pursuit of its mission, and specifically building on the last report, FinMark Trust commissioned
this report on the risks of the different technology options and how best to manage them. As the
terms of reference stated, "The lack of information about the level of risk inherent in the different
technologies and the opportunities to mitigate the risk through business processes and strategies
may be leading to choices which do not necessarily match the needs of the market most in need of
innovative access to financial services." This report should therefore not only provide relevant
information but support choices which match the needs of the market which FinMark Trust seeks
ultimately to serve.

Disclaimers
This report is intended to provide a general overview of risk patterns and trends attaching to the
use of the mobile channel for providing financial services. The report is for information and
guidance of readers and it is not intended to support a specific plan of action since this would
require additional information and insight into each particular situation.
The vulnerabilities, analyses and risks shown and analysed in this report are intended to be
indicative of the risks which an mFSP may or will face. The analysis is not intended as an
exhaustive or a fully objective list. Each mFSP should assess and validate its own risks in terms
of its own situation, the intended functionality to be offered and the process controls that are
already in place or will be put in place.
Additional advice should be sought where necessary from expert advisors before taking action.
Neither BFA nor FinMark Trust may be held liable for the consequences of implementing any or all
of the recommendations of this report.
TABLE OF CONTENTS
EXECUTIVE SUMMARY ............................................................................................ 2
ACKNOWLEDGEMENTS .......................................................................................... 5
FOREWORD—the FinMark Trust Mandate ............................................................... 6
Disclaimers .......................................................................................................... 6
TABLE OF CONTENTS ............................................................................................. 7
SECTION 1. INTRODUCTION .................................................................................. 9
1.1 Context of report ............................................................................................ 9
1.2 Scope of report ............................................................................................ 10
1.3 Methodology ................................................................................................ 11
1.4 Structure of report ........................................................................................ 11
SECTION 2: ELEMENTS OF THE MOBILE CHANNEL .......................................... 13
2.1 Mobile device ............................................................................................... 13
2.2 Network ....................................................................................................... 15
2.3 Technology-related Use Cases ................................................................... 17
2.4 M-banking compared to other e-channels .................................................. 22
SECTION 3. VULNERABILITIES, RISKS & CONTROLS ........................................ 24
3.1 Structured process of risk evaluation .......................................................... 24
3.2 Vulnerabilities of the mobile channel ........................................................... 27
3.3 Prudent Practice in Addressing Technological Vulnerabilities ..................... 28
3.4 Risk Identification and Assessment by Use Case ........................................ 29
3.5 Summary of Risk Controls ........................................................................... 31
SECTION 4. ENVIRONMENTAL FACTORS, BUSINESS MODEL CHOICE, AND
GOVERNANCE PROCESSES ................................................................................ 33
4.1 Risk in context: scaling for the environment and the business model .......... 33
4.2 Regulatory oversight: Good practice principles ........................................... 37
SECTION 5. EMERGING ISSUES AND CONCLUSIONS ..................................... 39
5.1 Emerging risk scenarios .............................................................................. 39
5.2 Conclusions: Risk Approach ........................................................................ 39
5.3 Recommendations ....................................................................................... 41

REFERENCES ........................................................................................................ 43
ANNEX A: Categories of Operational Risk ....................................................... 44
ANNEX B: Functional Survey of m-FS Technologies ....................................... 45
ANNEX C: Use Cases – Definitions and Technology ....................................... 48
ANNEX D: Particular vulnerabilities of the Mobile Channel .............................. 53
ANNEX E: Use Case Scenarios ....................................................................... 55
ANNEX F: List of Transaction available by Use Case ...................................... 58
ANNEX G: Vulnerabilities in specific Use Cases .............................................. 61
ANNEX H: Summary Risk Evaluation by Use Case ......................................... 63
ANNEX I: Business Model Choices - Elements of the service offering ............. 68
ANNEX J: Examples of Fielded mFSP Implementations .................................. 70
ANNEX K: Regulatory Oversight Principles ....................................................... 71
ANNEX L: Emerging Issues and Case Study .................................................... 74
ANNEX M: Comparison of GSM and CDMA Mobile Channel Technology ....... 76
ANNEX N: List of Interviewed Organisations .................................................... 77
ANNEX O: Glossary of Terms .......................................................................... 78
SECTION 1. INTRODUCTION
1.1 Context of report
Mobile banking brings new opportunities and risks to financial providers, carriers and the financial
system.
On the one hand, it holds out the prospect of adding new convenience for accessing banking and
payment services to existing banked customers ('additive m-banking'). Especially in developing
countries, it may go even further to offer banking and payment services to those who have never
participated in the formal electronic banking system before. This is called transformational
m-banking to distinguish it from additive m-banking (BFA 2006). In the process, banks, mobile
network operators (MNO) and third party suppliers stand to gain. These opportunities have caused
new players to enter this market.
On the other hand, the addition of a new channel brings new operational risks to providers, just
as the introduction of Internet banking more than a decade ago opened new categories for risk.
For this reason, mobile Financial Service Providers (mFSP) seeking to enter the market, or those
already in the market, have to assess their risks and develop strategies to mitigate them on an
ongoing basis. As adoption of mobile financial services (m-FS) increases, financial regulators in
various countries are also paying increasing attention to the specific risks brought by the use of the
mobile channel.
Although some providers in m-banking are not banks and are not subject directly to banking
regulation, we use as a benchmark the principles of operational risk management developed for
national regulators by the Bank for International Settlements (BIS).
Operational risk is defined as the risk of loss arising from the failure of operational procedures. A
number of categories of operational risk have been defined by the BIS. The operational risks
related to the choice of technology include: internal fraud (including theft and unauthorized
activity), external fraud (including theft and systems security), business disruption and system
failures, failures in the execution and maintenance of transactions, and failures on the part of
vendors and suppliers. For a full listing with descriptions of the Categories of Operational Risks,
see Annex A.
The portion of technology risk related to the mobile channel specifically is a further subset. This
report focuses on identifying the specific vulnerabilities of different payment models in different
contexts related to m-banking and m-payments.
Previous reports such as that of the Mobile Payment Forum (2003) have considered the
technological vulnerabilities and have assessed the risks related to certain specific use case
scenarios for mobile payments. In addition, the recent report for FinMark Trust by Troytyla (2007)
considers the channel choice and risks around the bearer channel and MNO integration.
However, vulnerability and risk assessment are never independent of the choice of business model
or the context in which the model is to be operated. This report differs from previous reports in that
the risk framework developed here is a dynamic one, which varies by model and context. This
enables it to be more widely applied than a static framework. Because the permutations around
model are many, the focus of this report is on models which target unbanked customers and
developing market contexts, although the framework is valid for all markets.

1.2 Scope of report

This report focuses on the specific technology risks of the mobile channel and does not consider
the integration of mFS platforms with other typical IT system components, such as financial
switches, data depositories or applications as shown in Figure 1 below. The risks arising from the
integration between these components are not specific to the use of mobile, and have received
attention in other reports.

Figure 1: Technology components of m-banking models
[Diagram: the components Data Repository, Application Development, Financial Switch and Mobile
Channel, labelled Bank and Generic; the Mobile Channel is marked as the scope of this report]

Source: Troytyla (2007)

The report should be of interest to:
mobile Financial Service Providers, whether banks, MNOs or non-banks, who are
considering introducing m-FS, and
financial regulators who are increasingly interested in the risks of m-banking and the extent
to which providers are understanding and managing these risks.

This report is written containing the information which a senior executive or financial regulator
should know about the vulnerabilities and risks of the mobile channel for financial transactions.
Indeed, part of the purpose of this report is to benchmark the levels of knowledge which a
non-specialist manager or board member should have about this new and dynamic area, in line with
BIS Operational Risk principle No.1: “the board of directors should be aware of the major aspects
of operational risks, and should approve and periodically review the bank’s operational risk
framework.” Prior detailed knowledge of m-banking is therefore not assumed, although
comparisons are made to banking via other electronic channels such as the Internet with which
readers may be familiar.

More detailed information on the technology can be found in Annex C (Use Cases – Definitions
and Technology) of the report.

The two parameters of the scope of the report, the content and the level, are depicted in Figure 2
below.

Figure 2: Focus of this report
[Diagram: Level (Senior management / Regulator level versus Expert level) against content
(Mobile-specific risk versus All technology risks, shown within Technology risk and Operational
risk); the focus of this report is marked at mobile-specific risk at senior management /
regulator level]

1.3 Methodology
This report was compiled on the basis of:
Personal knowledge and experience of the authors;
Published reports from various sources listed in the references;
Interviews with leading providers, listed in Annex N.

1.4 Structure of report
This report provides a process for identifying and assessing risks in the mobile channel, and then
suggests controls for their mitigation. It provides a prospective mFSP with a logical process of
reasoning through which to consider mobile banking risk. It provides regulators not only with that
same process but additional strategic considerations. (Note: Annex O provides a glossary of terms
used in this report.)
Section 2 reviews the particular technologies relevant to the mobile environment and benchmarks
these according to known, older electronic channels, such as e-banking or ATMs. Four main Use
Cases are outlined and are differentiated by the key factors related to the technological choices
which have a fundamental impact on risk.
Section 3 identifies the main threats and vulnerabilities attached to the mobile channel. By
assessing the likelihood and severity of each vulnerability, a risk weighting is assigned within its
particular Use Case. In particular, the distinction is made between risk at an individual incident
level, where a customer or the mFSP may be exposed to loss, and at a business or mass attack
level, where the loss to the mFSP may be severe. Controls are identified as part of defining
current practice scenarios for each Use Case.
Section 4 then addresses the choice of business model and the question of environmental risk
factors which need to be taken into account in reaching a final adjusted and scaled risk rating.
Good governance practice by boards and management as well as the process of interaction with
financial regulators are discussed.
Section 5 concludes with an update on emerging technologies and how they may affect the risk
picture. Specific recommendations are made for mFSPs, financial regulators and supporters of
this sector as a means of increasing access to financial services.

Box A: Definitions: mobile financial services: m-banking and m-payments

The following are the definitions used in this report for:

mFSP - Since a variety of types of provider—banks, telcos or others—may provide mobile financial
services, we use the expression mobile financial service provider or mFSP to refer to the entity
which is directly interfacing with the end customer to provide mobile financial services (m-FS).
m-FS includes both:
m-banking – the activity whereby a customer uses their mobile phone to interact with their bank
either directly or indirectly via mFSPs. The customer issues instructions, authenticates themselves
and or receives information through their mobile phone.
m-payment – customers issue instructions from their mobile phone that initiate a payment to a
third party. The instructions can be to their bank, to a merchant or to a Payment Service Provider
for the payment of a specified amount to a specified beneficiary on the customer's behalf. Where
an m-banking relationship is in place this will include m-payment. Where an m-payment relationship
is in place this does not imply that a banking relationship is part thereof, only that electronic access
is available to a value store (eg bank account) owned by the customer and that the customer can
issue payment instructions relating to the value store for execution.

SECTION 2: ELEMENTS OF THE MOBILE CHANNEL
This section serves as the primer to introduce and outline the key technology components of the
mobile channel and then the main current Use Cases as the basis for the analysis which follows.

The use of mobile brings two new elements to the financial services equation:
The mobile device itself
The communications channels offered by mobile network operators.
Both vary considerably in their functionality, as described in turn below.

2.1 Mobile device
The handset consists of several layers of components as shown in Figure 3 below.

Figure 3: Elements of the mobile handset

[Diagram: layers from top to bottom. Human Interfaces: Audio, Keyboard, Display. Application:
Direct; SIM based (S@T, WIB, STK); Handset Application (J2ME); Internet Browser (WAP, HTTP/S).
Handset Operating System. Bearer: SMS, USSD, DTMF, voice; IP data. Radio Link: Mobile Radio.
Mobile Network. The J2ME, browser and IP data elements are marked as Advanced Features]
Standard handsets are "plain vanilla" devices that contain:

A mobile radio to communicate to the mobile network
The capability to send Voice, SMS, USSD, and DTMF over the radio interface
An operating system that ties all the elements on the handset together
Human interfaces for audio (speaker and microphone), a keyboard and a display
At the Application level the standard handset passes the SMS, USSD, DTMF and voice
"directly" between the display, the keyboard and the audio human interfaces and the bearer
services.
A capability to interface via SIM Toolkit to SIM based applications also exists. The SIM
Toolkit programmable application facility on the SIM is the way that standard handsets can
be made secure and be given additional menu based 'application' functionality – such as
mobile banking.

Standard handsets do not provide:
Facilities to secure or encrypt data before sending it to server based applications at
mFSPs.
Ability to run programs on the handset
The capability of the most common standard handset will increase over time.
For the purposes of this report a standard handset has been taken as a basic GSM handset
that has been shipping worldwide since around 2004, that has USSD phase 2 and SIM Toolkit
functionality, does not have a browser and cannot run programs. Typically these handsets
cost under USD100. A small minority of standard handsets on GSM networks may not have
the capability to support USSD or SIM Toolkit applications.
Where needed, data security can be added to the standard handset by providing this on a new
SIM through applications loaded into the SIM and accessed through SIM Toolkit.
The report analyses the mFSP technology assuming handsets based on the GSM standard [1].
So that mFSPs who have subscriber bases with CDMA handsets can apply this report, a
comparison between the GSM and CDMA technologies has been included as Annex M.

Advanced handsets have all the functionality of standard handsets and, in addition:
can communicate using IP data (GPRS, EDGE, 3G HSDPA)
have the ability to run applications under the handset operating system (usually in a
J2ME/Java environment)
browse WAP and Internet sites – these are the 'advanced' features.

Advanced handsets fall into two sub-types:
feature phones – handsets that have browsers and J2ME environments.
They are usually locked down, in that they do not have easily accessible programming
environments and often are MNO controlled in what software they may run. Typically
feature phones can be described as the high end mobile phones.
smart phones – handsets with programmable environments.
Operating systems such as Symbian, Windows Mobile and Mobile Unix (iPhone) and, in the
future, Android, are used. The environment on the handset resembles a small personal
computer and, on most of them, the user is free to install and run whatever software they choose.
The handsets typically have large displays and can perform full function Internet browsing.
Examples of these phones are HTC, iMate, Apple iPhone and Nokia N95.

(1) The Global System for Mobile Communications (GSM) is the most commonly used mobile standard in the
world today, especially in developing countries.
Advanced handsets provide facilities to secure data before sending it to server-based
applications at mFSPs. This security is provided by the browsers and J2ME environments on
the phones.
Application based data security can also be provided on the advanced handset using the SIM.
Secure applications can be loaded into the SIM and accessed through SIM Toolkit.

2.2 Network

The mobile network comprises the components which carry a data message to and from the
handset to the mFSP. The features of the mobile channels used to carry those data messages are
summarized in Table 1 below.

A more detailed survey of the various mobile channel technologies is presented in Annex B -
Functional Survey of m-FS Technologies. The two tables in this Annex identify what can and
cannot be done with these technologies from both a customer and a security perspective.

The considerations in Annex B lead to the deployment of the technologies in what have been
defined in this paper as 'Use Cases (UC)'.

The nature and security of the mobile channel varies by these Use Cases.

Table 1 below depicts the relevant features of the mobile channel technologies, providing a
description and indicating important security attributes for each channel technology.
Type of handset that supports the technology
Whether the handset can secure the technology
If the technology provides end-to-end security
When using the technology if the mFSP can operate their service through multiple MNOs
Which Use Case the technology is assigned to

Table 1: Mobile Channel Features

For each channel technology the table gives: a description; the handsets that support it; the security of the transaction on the handset; whether end-to-end security is provided; whether multiple MNOs are supported; the Use Case it is assigned to; and the descriptive reference (3) in Troytyla 2007.

IVR: A call is made to (or from) an automatic system and the user receives pre-recorded prompts and responds by selecting keys.
    Handsets: Standard | Security on handset: None | End-to-end security: No | Multiple MNOs: Yes | Use Case: UC1 | Reference: Section 4.2
Structured SMS: An SMS text message is sent to the mFSP. The message is interpreted and acted upon and a response SMS sent.
    Handsets: Standard | Security on handset: None | End-to-end security: No | Multiple MNOs: Yes | Use Case: UC1 | Reference: Section 4.1
USSD: A number is called from the handset and a menu is then displayed on the handset that the user navigates through, selecting options and entering data.
    Handsets: Standard | Security on handset: None | End-to-end security: No | Multiple MNOs: Yes (1) | Use Case: UC1 | Reference: Section 4.3
SIM toolkit (WIB / SAT / Java / custom): Implemented within the SIM that is inserted in the handset. The functionality appears as a set of additional menu(s) on the handset.
    Handsets: Standard | Security on handset: Provided in SIM | End-to-end security: Yes | Multiple MNOs: Possible (2) | Use Case: UC4 | Reference: Section 4.6
J2ME: Applications that can run on the handset.
    Handsets: Advanced | Security on handset: Provided within the application | End-to-end security: Yes | Multiple MNOs: Yes | Use Case: UC3 | Reference: Section 4.5
WAP: Internet browsing using a WAP protocol browser. Same as browsing from a PC. WAP provides interaction optimised for the mobile (data usage and size of screen presentation).
    Handsets: Advanced | Security on handset: As provided by the WAP browser | End-to-end security: Yes – SSL | Multiple MNOs: Yes | Use Case: UC2 | Reference: Section 4.4
HTTPS – Internet browser: Standard Internet browsing from the mobile to the bank's web site. The mobile performs the function of a PC.
    Handsets: Advanced | Security on handset: As provided by the Internet browser | End-to-end security: Yes – SSL | Multiple MNOs: Yes | Use Case: UC2 | Reference: n/a

Notes:
(1) Requires a common USSD short-code on every MNO.
(2) Because of the need for access to the MNO SIM. Typically MNOs do not run common 3rd party applications (exceptions such as South Africa do exist).
(3) For a descriptive use of each technology option in mobile banking refer to the Troytyla (2007) report from FinMark Trust.

2.3 Technology-related Use Cases

Technology choices regarding handset and network define four main Use Cases which have
different risk characteristics. These Use Cases can be distinguished according to:
the level of handset functionality required: Standard or Advanced; and
the degree of independence from a MNO or many MNOs.

Table 2 shows how the four Use Cases are derived from these two factors.

Table 2: Use Cases (2)
Rows: independence from the MNO (Yes / No). Columns: mobile handset capability (Standard (all) / Advanced).

Independent of MNO: Yes, Standard handset
  Use Case 1: Use what is there, existing generic mobile bearer services provided on all phones, accessible directly by the user
Independent of MNO: Yes, Advanced handset
  Use Case 2: Use mobile browsing services that are provided on phones
  Use Case 3: Use advanced application services provided on phones
Independent of MNO: No, Standard handset
  Use Case 4: Use a secure environment on the mobile provided by the MNO or MNOs
Independent of MNO: No, Advanced handset
  Use Case 4 prime: Dedicated secure application environment on a handset

(2) Note: Use Case 4 prime (4') in the lower right hand quadrant of Table 2 (dedicated secure application
environment on a handset) has to date not been adopted in the GSM mobile environment because of the control
over the environment as well as the security available/provided. However, this Use Case may develop in future.
To date, an example of a secure, managed and controlled environment on a handset is the BREW environment
developed by Qualcomm for CDMA handsets. This Use Case is seen as a future extension of Use Case 4 and
has been called Use Case 4 prime for this reason.

The technologies associated with each of these Use Cases, along with some of the more
general associated risks, are seen in the following table (Table 3).

Table 3: Main Use Cases Identified By Technology

Use Case 1, "Use what is there": use existing generic mobile bearer services provided on all phones, accessible directly by a user.
  Technologies available: SMS; Voice/IVR; USSD
  Associated risk: There is no encryption of information, so the channel from the mobile to the mFSP is open to monitoring, replay, modification and impersonation.
Use Case 2, "Use mobile browsing services" that are provided on phones; not MNO dependent.
  Technologies available: HTTPS (normal web browsing); WAP phase 1; WAP phase 2
  Associated risk: Same risks as for a PC on the Internet. The channel is less exposed than the regular Internet as much of it is within MNOs.
Use Case 3, "Use advanced application services" provided on phones; not MNO dependent.
  Technologies available: J2ME
  Associated risk: Same as client-side applications on PCs. Mobiles are less exposed to the Internet and its threats. However, issues around the trust (integrity and authenticity) of the applications exist and need to be managed.
Use Case 4, "Use a secure environment on the mobile" provided by the MNO or MNOs.
  Technologies available: SIM Toolkit; WIB, S@T and Java cards
  Associated risk: The highest technical end-to-end security, as the application runs securely within the SIM and the encryption keys are kept within the SIM.

Under Use Case 1, the usual practice is to combine the available technologies.
An example is the use of structured SMS messages which are sent to the mFSP. The
mFSP then prompts the user using a USSD prompt to enter their PIN.
For this report, five sub-use cases incorporating such combinations have been defined for
Use Case 1.
They are outlined in Table 4 below.
Use Case 1A is the only Use Case where the transaction and PIN are sent at the same time.
All the other Use Case 1 variants ask for the PIN interactively, which reduces a number of risks and
thus makes Use Cases 1B to 1E more secure and less risky.

Table 4: Sub-Use Cases of Use Case 1

1A. Structured SMS
    Send plaintext SMS with instruction mnemonic, value and PIN to the mFSP number; the SMS content is processed and a response sent back to the handset.
1B. Structured SMS with confirmation and PIN authorisation via IVR
    Send plaintext SMS with instruction mnemonic and value to the mFSP number; the SMS content is processed. IVR calls back asking for confirmation of transaction and PIN. PIN entered as DTMF. An SMS response is sent back to the handset.
1C. Structured SMS with confirmation and PIN authorisation via USSD
    Send plaintext SMS with instruction mnemonic and value to the mFSP number; the SMS content is processed. USSD message sent back to handset requesting confirmation of transaction and PIN. PIN entered in USSD menu. An SMS response is sent back to the handset.
1D. IVR call to set up transaction and IVR call-back for PIN authorisation
    Call in to IVR to set up transaction via IVR voice prompts and DTMF responses. Transaction is processed and checked. IVR calls back asking for confirmation of transaction and PIN. PIN entered as DTMF.
1E. USSD menu with PIN login
    USSD shortcode entered by user to initiate a USSD session; prompt for PIN sent from USSD server; PIN entered, session opened and menu displayed. Follow menu to set up transaction and then submit it for processing. USSD transaction confirmation and thereafter a confirmatory SMS.
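To make the difference between 1A and the interactive variants concrete, the following Go program is an added worked example (written for this edition; it is not code from the report or from any of the mFSPs it describes). It assumes a structured-SMS grammar of the form PAY <msisdn> <amount> [<pin>], constructed MSISDNs, balances and PIN, and an unprotected SMSC at which an attacker can copy messages and re-inject them with an originating MSISDN of his choice; the names Ledger, handleUC1A, serverUC1C and RunDemo are the example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
)

// Structured-SMS grammar assumed for the demo: "PAY <msisdn> <amount> [<pin>]"
// (mnemonic, field order and PIN length are assumptions, not the report's).
var smsRe = regexp.MustCompile(`^\s*PAY\s+(\d{11,12})\s+(\d+(?:\.\d{1,2})?)(?:\s+(\d{4,6}))?\s*$`)

func parseSMS(text string) (to string, amt float64, pin string, ok bool) {
	if m := smsRe.FindStringSubmatch(text); m != nil {
		amt, _ = strconv.ParseFloat(m[2], 64)
		return m[1], amt, m[3], true
	}
	return "", 0, "", false
}

// Ledger holds constructed balances and pins the constructed PINs (a real mFSP verifies PINs in an HSM).
type Ledger map[string]float64

var pins = map[string]string{"27820000001": "4321"}

func newLedger() Ledger { return Ledger{"27820000001": 200, "27820000002": 0} }

func (l Ledger) transfer(src, dst string, amt float64) bool {
	if _, known := l[dst]; !known || l[src] < amt {
		return false
	}
	l[src] -= amt
	l[dst] += amt
	return true
}

// UC1A: mnemonic, value and PIN travel together in one plaintext SMS. Nothing ties the message to a
// single execution and the originating MSISDN is taken on trust, so a copy taken at the SMSC is honoured again.
func handleUC1A(l Ledger, sender, text string) string {
	to, amt, pin, ok := parseSMS(text)
	if !ok || pin == "" || pins[sender] != pin || !l.transfer(sender, to, amt) {
		return "REJECT"
	}
	return "OK"
}

// UC1C: the SMS only sets up the transaction; the PIN is requested in a separate USSD prompt
// pushed to the sender's MSISDN and bound to a one-time reference.
type serverUC1C struct {
	l       Ledger
	pending map[string][2]string // ref -> {sender, instruction text}
}

func (s *serverUC1C) handleSMS(sender, text string) (ref, prompt string) {
	to, amt, pin, ok := parseSMS(text)
	if !ok || pin != "" { // a PIN inside the SMS is refused, not silently accepted
		return "", "REJECT"
	}
	b := make([]byte, 4)
	_, _ = rand.Read(b)
	ref = hex.EncodeToString(b)
	s.pending[ref] = [2]string{sender, text}
	// The prompt echoes the parsed transaction, so an SMS altered in transit is visible to the user.
	return ref, fmt.Sprintf("USSD to %s: confirm PAY %.2f to %s (ref %s), enter PIN", sender, amt, to, ref)
}

func (s *serverUC1C) confirmUSSD(sender, ref, pin string) string {
	tx, ok := s.pending[ref]
	if !ok || tx[0] != sender {
		return "REJECT unknown or foreign reference"
	}
	delete(s.pending, ref) // one attempt per reference, so the confirmation cannot be replayed either
	to, amt, _, _ := parseSMS(tx[1])
	if pins[sender] != pin || !s.l.transfer(sender, to, amt) {
		return "REJECT"
	}
	return "OK"
}

// RunDemo sends one genuine instruction under each flow, re-injects the copy an attacker took at the
// SMSC, and reports Alice's balance, whether the copy carried her PIN, and the fate of the replay under 1C.
func RunDemo() (aliceA float64, pinSeenA bool, aliceC float64, pinSeenC bool, replayC string) {
	const alice, mallory = "27820000001", "27829999999"
	copyA, copyC := "PAY 27820000002 50 4321", "PAY 27820000002 50" // what the tap sees under 1A and 1C
	l := newLedger()
	handleUC1A(l, alice, copyA) // Alice's genuine message
	handleUC1A(l, alice, copyA) // Mallory re-injects it with Alice's MSISDN as originator
	_, _, pin, _ := parseSMS(copyA)
	aliceA, pinSeenA = l[alice], pin != ""
	s := &serverUC1C{l: newLedger(), pending: map[string][2]string{}}
	ref, _ := s.handleSMS(alice, copyC)
	s.confirmUSSD(alice, ref, "4321")    // prompt answered on Alice's own handset
	ref2, _ := s.handleSMS(alice, copyC) // the replay opens a second pending transaction...
	replayC = s.confirmUSSD(mallory, ref2, "0000") // ...but Mallory has neither the PIN nor the prompt
	_, _, pin, _ = parseSMS(copyC)
	aliceC, pinSeenC = s.l[alice], pin != ""
	return
}

func main() { fmt.Println(RunDemo()) }
```

Under 1A the copied message is honoured a second time and the PIN sits in the copy, ready for an impersonation attack. Under the 1C-style flow the copy still reaches the server and still opens a pending transaction (the report's point is that these variants are less risky, not risk-free), but completing it needs the PIN, which never crossed the SMSC, on a USSD prompt delivered to the account holder's own MSISDN. Production code would also expire pending references after a short time and rate-limit PIN attempts.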


Table 5 below maps various current mFSP business models into these Use Cases,
indicating transformational models in red. Those interviewed for the purpose of this report
are marked with an asterisk (*).

Table 5: Current examples of each Use Case scenario
Rows: MNO independent (Yes / No). Columns: mobile handset capability (Standard (all) / Advanced).

MNO independent: Yes, Standard handset
  Use Case 1: G-Cash* (Ph); Wizzit* (SA); FNB* (SA); ABSA* (SA)
MNO independent: Yes, Advanced handset
  Use Case 2: Nedbank* (SA); FNB* (SA); ABSA* (SA); Obopay* (US)
  Use Case 3 (J2ME): Obopay* (US); Monitise* (UK)
MNO independent: No, Standard handset
  Use Case 4: G-Cash* (Ph); Smart (Ph); MTN Banking* (SA); M-Pesa* (Ke)
MNO independent: No, Advanced handset
  Use Case 4 prime: Obopay* (US); Firethorn* (US)
Note: No one Use Case may totally fit the situation of an existing or prospective mFSP. Additionally a
mFSP may use multiple technologies and offer m-banking services under one or more of the Use
Cases. However, the Use Cases do represent the main technology related choices which affect the
risk environment of an mFSP.

Security by Use Case: The differences in the path and security associated with data
messages can be distinguished by the Use Cases. These are summarized in successive
figures below. Full description of the system linkages can be found in Annex C: Use Cases
– Definitions and Technology.

Description of the Use Case Technologies

Figure 4.1: The mobile channel for SMS, USSD and IVR DTMF – Use Case 1
[Diagram: Mobile Handset (MS) – radio interface (enciphered) – BTS – BSC – mobile network core (HLR) – telephony network – bearer servers (SMSC, USSD, IVR) – SSL secured link – mFSP. Only the radio interface and the final bearer-server-to-mFSP link are marked as secured.]

In this Use Case, the intrinsic security available in the network is used. This security is not
end-to-end but is instead built up of the security available at each of the individual elements
that make up the path that the transaction takes from the mobile handset through to the
mFSP.
Thus, at insecure elements, the transaction can be copied, altered, resent (replayed) or
destroyed; and because the mFSP has no cryptographic proof of the originating handset, a
message injected with a spoofed MSISDN is indistinguishable from a genuine one.
The vulnerabilities of this Use Case are analysed in Section 3.

Figure 4.2: The mobile channel for IP Data Browsing – Use Case 2
[Diagram: Mobile Handset (MS) – BTS – BSC – mobile network core (HLR) – telephony network – WAP / HTTPS "web" servers – mFSP. The SSL secured link runs from the handset through the mobile network to the web servers.]

In this Use Case, because it is possible to run an explicit security program on the handset in
the form of a browser with SSL, it is possible to secure the data link end-to-end from the
handset to the WAP or HTTPS web servers. One caveat applies to WAP phase 1: its security
layer (WTLS) terminates at the MNO's WAP gateway, which re-encrypts the traffic to the mFSP
under SSL, so the transaction is momentarily in the clear inside that gateway (the so-called
WAP gap). Only WAP phase 2, where the browser speaks HTTP over TLS/SSL directly, and
ordinary HTTPS browsing give genuinely end-to-end protection.


Figure 4.3: The mobile channel for IP Data Applications – Use Case 3
[Diagram: Mobile Handset (MS) – BTS – BSC – mobile network core (HLR) – telephony network – Application Server – mFSP. The SSL secured link runs from the handset application through the mobile network to the Application Server.]

In this Use Case, because it is possible to run a program with explicit security on the
handset, in this case a J2ME application with a cryptographic capability, it is possible to
secure the data link end-to-end from the handset to the Application Server.
This handset-based application secures all the data sent and received, typically through an
SSL link (a secure tunnel or 'pipe') that passes through the mobile network all the way to the
Application Server. The protection depends on the application checking the server's
certificate properly; an application that accepts any certificate leaves the tunnel open to
interception anywhere along the path.

Figure 4.4: The mobile channel for SIM toolkit – Use Case 4
[Diagram: SIM inside the Mobile Handset (MS) – BTS – BSC – mobile network core (HLR) – telephony network – SMSC – Wireless Gateway (WIG/S@T) with HSM – mFSP with HSM. The 3DES secured link runs from the SIM to the HSM attached to the Wireless Gateway.]

In this Use Case an application is securely placed into the SIM. The handset communicates
with the SIM, and thus with the application, using a set of commands called SIM Toolkit. The
communication allows the application on the SIM to appear as part of the cell-phone's menu.
The display and selection of menu items and the entry of data are then possible.
The SIM has a set of security keys stored within it that are linked to keys in the Hardware
Security Module (HSM) attached to the Wireless Gateway. In this way the SIM can
communicate with the Wireless Gateway securely, as the traffic between the two is enciphered
using these shared keys. The security of this Use Case therefore rests on key management:
the keys must be generated and loaded into the SIM and the HSM without ever being exposed,
and each SIM should hold its own key so that the compromise of one card does not expose the rest.
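The following Go program is an added example of the key arrangement just described (written for this edition; it is neither the report's code nor any vendor's WIB or S@T implementation, and it does not reproduce the exact packet layout such gateways use). It assumes a constructed 24-byte master key, a constructed ICCID, two-key 3DES with per-SIM keys derived from the master key and the ICCID, ISO/IEC 7816-4 padding, a 3DES CBC-MAC for integrity and an in-packet counter for replay protection; the names SIM, HSM, diversify, Protect and Unprotect are the example's own.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// pad applies ISO/IEC 7816-4 padding (0x80 then zeros) up to the 8-byte 3DES block boundary.
func pad(b []byte) []byte {
	b = append(append([]byte{}, b...), 0x80)
	return append(b, make([]byte, (8-len(b)%8)%8)...)
}

// cbcMAC is a 3DES CBC-MAC (ISO/IEC 9797-1 algorithm 1, zero IV) over the padded input.
func cbcMAC(k cipher.Block, data []byte) []byte {
	data, mac := pad(data), make([]byte, 8)
	for i := 0; i < len(data); i += 8 {
		for j := range mac {
			mac[j] ^= data[i+j]
		}
		k.Encrypt(mac, mac)
	}
	return mac
}

// diversify derives a per-SIM two-key 3DES key (K1||K2||K1) from the HSM master key, the ICCID and a
// label (1 = cipher key, 2 = MAC key), so the HSM stores one master key and each SIM carries only its own pair.
func diversify(master cipher.Block, iccid string, label byte) cipher.Block {
	seed := pad(append([]byte{label}, iccid...)) // 24 bytes for the 19-digit ICCID used below
	k := make([]byte, 24)
	master.Encrypt(k[0:8], seed[0:8])
	master.Encrypt(k[8:16], seed[8:16])
	copy(k[16:], k[0:8])
	blk, _ := des.NewTripleDESCipher(k) // errors only on a wrong key length, impossible here
	return blk
}

// SIM models the toolkit application: keys never leave the card; the counter makes every packet differ.
type SIM struct {
	enc, mac cipher.Block
	counter  uint64
}

// Protect returns 3DES-CBC(counter || payload) followed by a CBC-MAC over that ciphertext.
func (s *SIM) Protect(payload []byte) []byte {
	s.counter++
	body := pad(append(make([]byte, 8), payload...)) // 8 zero bytes reserved for the counter
	binary.BigEndian.PutUint64(body, s.counter)
	ct := make([]byte, len(body))
	cipher.NewCBCEncrypter(s.enc, make([]byte, 8)).CryptBlocks(ct, body)
	return append(ct, cbcMAC(s.mac, ct)...)
}

// HSM holds the master key and the highest counter accepted from each SIM.
type HSM struct {
	master  cipher.Block
	lastCtr map[string]uint64
}
// Unprotect verifies the MAC before decrypting, then enforces a strictly increasing counter.
func (h *HSM) Unprotect(iccid string, pkt []byte) ([]byte, error) {
	if len(pkt) < 24 || len(pkt)%8 != 0 ||
		subtle.ConstantTimeCompare(cbcMAC(diversify(h.master, iccid, 2), pkt[:len(pkt)-8]), pkt[len(pkt)-8:]) != 1 {
		return nil, errors.New("MAC failure: packet truncated, altered or not from this SIM")
	}
	body := make([]byte, len(pkt)-8)
	cipher.NewCBCDecrypter(diversify(h.master, iccid, 1), make([]byte, 8)).CryptBlocks(body, pkt[:len(pkt)-8])
	end := bytes.LastIndexByte(body, 0x80) // strip the padding; the counter occupies the first 8 bytes
	if end < 8 {
		return nil, errors.New("bad padding")
	}
	ctr := binary.BigEndian.Uint64(body[:8])
	if ctr <= h.lastCtr[iccid] {
		return nil, errors.New("replay: counter not above the last accepted value")
	}
	h.lastCtr[iccid] = ctr
	return body[8:end], nil
}

// RunDemo protects one instruction on the SIM, lets the HSM accept it, then re-injects the same
// packet (a replay) and a one-bit-altered copy (tampering), and reports what happened to each.
func RunDemo() (pinInClear bool, accepted []byte, replayErr, tamperErr error) {
	const iccid = "8927000000000000001"
	master, _ := des.NewTripleDESCipher([]byte("hsm-master-key-24-bytes!")) // constructed demo key
	hsm := &HSM{master: master, lastCtr: map[string]uint64{}}
	sim := &SIM{enc: diversify(master, iccid, 1), mac: diversify(master, iccid, 2)} // personalisation at issue
	pkt := sim.Protect([]byte("PAY 27820000002 50 4321"))
	pinInClear = bytes.Contains(pkt, []byte("4321")) // what a tap at the SMSC could read
	accepted, _ = hsm.Unprotect(iccid, pkt)
	_, replayErr = hsm.Unprotect(iccid, pkt)
	bad := append([]byte{}, pkt...)
	bad[12] ^= 1
	_, tamperErr = hsm.Unprotect(iccid, bad)
	return
}

func main() { fmt.Println(RunDemo()) }
```

The packet that crosses the SMSC carries neither the PIN nor the instruction in the clear, a replayed packet is rejected because its counter is not above the last one the HSM accepted, and a packet altered in transit fails the MAC before anything is decrypted. 3DES and CBC-MAC are used because 3DES is what Figure 4.4 shows; a new design would choose AES in an authenticated mode, and the per-SIM counter state in the HSM must survive restarts or replays become possible again.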

2.4 M-banking compared to other e-channels

To put m-banking as described by these Use Cases into the proper context, it is helpful to
understand that it is one type of electronic banking. The following table provides a
comparison among the various e-channels used in banking.

Table 6: Comparing the different forms of e-banking

ATM
  Devices: ATM
  Owned by: Bank or third party network
  Common functionality: Balance enquiries; Transfers; Payments; Cash in or out
  Form of authentication: 2 factor (card + PIN)
  Encryption usage for securing communications: 3DES common
  Communications: Dedicated line; Mobile IP data (GPRS/3G/HSDPA)
EFT POS
  Devices: POS device; Shop tills
  Owned by: Acquiring bank or merchant or ISO
  Common functionality: Payments; Cash in or out
  Form of authentication: 2 factor (card + PIN/signature)
  Encryption usage for securing communications: 3DES common
  Communications: Dedicated line; Wifi; Mobile IP data (GPRS/3G/HSDPA)
Internet banking
  Devices: PC; Advanced mobile handsets
  Owned by: Client
  Common functionality: Balance enquiries; Transfers; Payments
  Form of authentication: 1 or 2 factor (with additional token or OTP)
  Encryption usage for securing communications: SSL in browsers
  Communications: TCP/IP over: Dedicated line; Wifi; Mobile IP data (GPRS/3G/HSDPA)
m-Banking
  Devices: Mobile handset
  Owned by: Client
  Common functionality: Balance enquiries; Transfers; Payments; Cash in or out
  Form of authentication: 2 factor (MSISDN + PIN)
  Encryption usage for securing communications: 3DES when available on handset or in SIM
  Communications: IVR / DTMF; SMS; USSD; Mobile IP data (GPRS/3G/HSDPA)

Client access to Mobile Financial Service Provision

Internet banking and m-banking share many features. Figure 5 below illustrates the
similarity between Internet banking and certain m-banking technologies. It shows how the
SSL link through the mobile network (Use Cases 2 and 3) and the link through the Internet
both provide end-to-end security. Whether browsing on a mobile handset or off a PC, the
security is end-to-end. The vulnerabilities are at the ends of the secure SSL links.

Figure 5 – Mobile Banking versus Internet Banking
[Diagram, upper path (Use Cases 2 and 3): Mobile Handset (MS) – BTS – BSC – mobile network core (HLR) – telephony network – WAP / HTTPS – Application Server – mFSP, with an SSL secured link from the handset to the server. Lower path (Internet banking): Personal Computer – Internet (wired or wireless interface, WAP where used) – core IP network – HTTPS – Bank / FSP, with an SSL secured link from the PC to the bank.]

Mobile/wireless data connections are now widely used across the different banking
channels. For example, they are used to connect ATMs and portable POS devices to banks
and to connect PCs to the Internet for Internet banking.
In many developing communities, mobile data, or more accurately access to the Internet
over the mobile/wireless network, is becoming the predominant way of accessing the
Internet due to the lack of fixed line alternatives. In this role the data service provided over
the mobile network is not different from the Internet provided over fixed lines, wireless or
satellite connections.
A rapidly growing Internet banking sector uses advanced mobile handsets, such as Apple
iPhones, to access banking web sites and perform Internet banking directly from the mobile.
This is both Internet banking and mobile banking. For the purposes of this paper, Internet
banking from a mobile device is considered as mobile banking and assigned to Use Case 2
(mobile browsing, as in Tables 1 and 3).
Browser-based Internet banking, whether from a PC or a mobile phone, is technically identical
and the associated vulnerabilities are the same. However, there are differences in some of
the risks arising from these vulnerabilities. For example, the malware threat is different.
While malware (viruses, Trojans, key loggers and the like) is highly developed in the PC
environment, it is not yet so fully developed in the mobile handset environment. But with the
rapid growth of advanced handsets, it is expected that mobile malware will be on the rise in
the medium term.
As convergence continues to take place where the number of smart phones that have direct
access to Internet banking grows, the distinction between Internet banking and mobile
banking will continue to reduce. To the extent that mobile banking converges with Internet
banking, the existing, well-developed e-banking security procedures apply.
As a result, the focus of this paper is particularly on those Use Cases (1 and 4) not covered
by the existing e-banking security measures. These require particular attention as they are
the leading edge of mobile banking expansion, especially in developing countries.
SECTION 3. VULNERABILITIES, RISKS & CONTROLS
3.1 Structured process of risk evaluation
In order to evaluate risks and choose the controls to manage them, the structured approach
laid out in Table 7 was followed for each Use Case. It is important to note that what may
well be a high risk for an individual customer may not be a risk to the business (and vice
versa), so the business and individual risks have to be evaluated separately.
The process can be represented graphically as follows:

Figure 6: Structured Risk Evaluation Process
(Flow diagram rendered as text; the customer and business branches run in parallel.)
1. Identify each VULNERABILITY.
2. What is the result if the VULNERABILITY is EXPLOITED?
3. What is the THREAT that the exploited VULNERABILITY will bring?
4. Customer branch: How will this threat IMPACT each of the mFSP's CUSTOMERS? (H, M, L). Business branch: How will this threat IMPACT the mFSP BUSINESS? (H, M, L)
5. For each branch: What is the LIKELIHOOD of this happening, i.e. how FEASIBLE is it? (H, M, L)
6. For each branch: the RISK (IMPACT x LIKELIHOOD) of the VULNERABILITY to the CUSTOMER and to the BUSINESS (H, M, L).
7. Decide on a RESPONSE for the individual-related risk and a RESPONSE for the business-related risk.

The metrics used in this paper to allocate the risk ratings of High (H), Medium (M) and Low
(L) to the impact, likelihood and resulting risk of specific vulnerabilities are defined in Table
7. The explanation for each term and a worked example are also given.

Table 7: Process and Risk Metrics
(Columns: analysis item; explanation; metric used; example using plaintext SMS messages (UC1A).)

Vulnerability
  Explanation: The weakness identified.
  Metric used: Description of the weakness.
  Example (UC1A): SMSC not protected.
Result
  Explanation: What happens if the vulnerability can be exploited.
  Metric used: Identification of the result if the vulnerability materialises.
  Example (UC1A): The traffic through the SMSC can be logged and MSISDN and PIN harvested.
Threat to the business
  Explanation: What is the resultant threat to the business if the vulnerability is exploited.
  Metric used: Indication of how a threat to the business would materialise, as a: fraudulent transaction; error transaction; loss of data privacy (exposure of information); denial of service.
  Example (UC1A): Fraudulent transactions can be initiated and access to personal data obtained.
Impact
  Explanation: The magnitude of the event if it occurs. There are two ways to look at the impact: on the business as a whole, and on the individual customer.
  Metric used (business): High Impact – the result of an event that will disrupt the business to the extent that its existence may be threatened. Medium Impact – the result of a non-routine event that will seriously disrupt the business. Low Impact – a routine event that is handled by the day-to-day management processes and whose impact is absorbed in the operational expenditure.
  Metric used (individual): High Impact – loss of all funds and/or reputation. Medium Impact – loss that can be remedied but that seriously affects the individual's financial position. Low Impact – loss that can be recovered using the operational processes of the mFSP.
  Example (UC1A, business): Mass attack is possible through the bulk harvesting of credentials (MSISDN and PIN) and it would have a major impact on the business due to bulk account compromise; therefore Mass Impact is High.
  Example (UC1A, individual): The impact is High as the individual's account could be emptied of funds.
Likelihood / feasibility
  Explanation: Probability of the event happening, namely the probability that an attacker will be able to actually exploit the vulnerability.
  Metric used (business and individual): High – likely in the course of business in the short term.
 
