Mobile Financial Services Security: A New Ecosystem at Risk

Mercator Advisory Group is pleased to announce the release of its latest report, Mobile Financial Services Security: A New Ecosystem at Risk.

For C-level and operational leadership at financial institutions, payment processors and others considering rolling out mobile financial services, this new report reviews the current threat, the threats to come and what financial institutions, mobile operators and consumers need to do about them. In particular, the report reviews the vulnerabilities of mobile devices and the elements that connect them to financial institutions.

The report concludes with a series of recommendations for FIs, MNOs and consumers. Particular emphasis is placed on a proactive consumer education before the mobile channel becomes a greater target for cyber-criminals.

• The security vulnerabilities of the online world are shifting to the mobile phone.
• Today' s mobile threats are primarily social engineering attacks via phishing emails and its mobile variant via SMS. Known as "SMIShing" this practice may be especially effective as the sender may well be somewhat known to the receiver if the user' s mobile address book has also been hijacked.
• Mobile devices, especially their operating systems and applications, offer a broad "attack surface" of vulnerabilities for mobile malware to exploit.
• The US mobile ecosystem - mobile operators, FIs, software and network providers - has yet to prepare consumers for the Internet-like attacks to come.
• Mobile handsets have a potent two-factor authentication role to play in defeating online attacks.

"As mobile banking moves up in importance for FIs, so must concerns about the security of the mobile channel. While it has been uneventful to date, that peace is going to end," comments George Peabody, Director of Mercator Advisory Group' s Emerging Technologies Advisory Service. "The mobile ecosystem needs to educate the consumer about mobile security and to stop blaming the victims for their ignorance."

Companies mentioned in the report include Google, Apple, Microsoft, Verizon, AT&T, Sprint, T-Mobile, mFoundry, ClairMail, Symbian, RIM, Absa Bank, Citi, Bank of America, Globe Telecom, and Smart Communications.

• Introduction
  • Make No Mistake - Mobile Financial Services Will Be Under Attack
• Mobile Insecurity
  • The First Vector of Attack- MNOs Battle Spam
  • Costs are Adding Up
  • Mobile or Not, Here They Come
  • Targets of Opportunity- Mobile' s Broad “Attack Surface”
    • 1. Bluesnarfing - Exploiting Bluetooth Vulnerabilities.
    • 2. Transcoding Websites
    • 3. SIM Swapping
    • 4. Hacking Mobile Broadband Access.
    • 5. T9 and the User' s Dictionary
    • 6. Even Today' s Darling: the iPhone
• Mobile Banking Interface Methods and Security
  • One Interface Does Not Suit All
    • 1. SMS - Texting Your Bank
      • Mitigating the Risk.
      • Special Exposures
      • SMS Banking and Payments in the Philippines
    • 2. Browsing Your Bank
      • Mitigating the Risk.
    • 3. Mobile Applications
      • Mitigating the Risk.
  • Thick or Thin- The Interfaces of the Future.
    • The Shifting Risk Picture
      • Defense is Harder.
      • Breaking Down the Walled Garden.
      • Increased Complexity, Increased Risk.
    • Making Mobile Transactions Secure Today
      • Getting the Word Out.
    • What FIs Have to Do
      • Engage the Consumer
      • System Security Basics
    • What MNOs Have to Do
    • What Consumers Have to Do
  • Making Mobile Transactions Secure Tomorrow.
    • The Handset as Financial Communicator
  • Last Words
    • All in This Together.
    • There is a Better Way: South Africa' s Absa Bank
    • Leverage the Mobile Advantage

• Figure 1: Mobile Ecosystem Attack Surface Risks
• Figure 2: Transcoding Process - Decrypting Payment Data outside the FI Span of Control