mobile banking: are we prepared?

MOBILE BANKING: ARE WE PREPARED?
END-USER INFORMATION SECURITY AWARENESS FOR MOBILE BANKING

Name: Nirul Balraadjsing MSc.
StudentNr.: 1618792
Date: 26-08-2013
ThesisNr.: 1094

VU University Amsterdam (VUA)
Faculty of Economic Science and Business (FEWEB)
Study: Postgraduate IT auditing
De Boelelaan 1105, 1081 HV Amsterdam

Supervisor VUA: Dr. Rene Matthijsse RE (Principal Consultant, KPMG Management Consulting)
Corporate Supervisor: Andrea Craig CISA CISSP (Senior Manager, Ernst & Young Advisory)
Author: Nirul Balraadjsing MSc. (Senior IT-Auditor, Ernst & Young Advisory)

Information Security Awareness for Mobile Banking
Table of Contents:

SECTION A: INTRODUCTION
1) INTRODUCTION: RESEARCH TOPIC AND RELEVANCE
2) RESEARCH SUB-QUESTIONS AND METHOD
3) SCOPE
RECAP SECTION A

SECTION B: MOBILE BANKING & INFORMATION SECURITY AWARENESS IN LITERATURE
4) MOBILE BANKING CHARACTERISTICS
4.1) MOBILE BANKING VERSUS ONLINE BANKING
5) MOBILE BANKING INFORMATION SECURITY
5.1) MOBILE BANKING INFORMATION ASSETS
5.2) MOBILE BANKING INFORMATION SECURITY VULNERABILITIES AND THREATS
5.2.1) The 'PROCESS'-aspect
5.2.2) TECHNOLOGY (App, website, browser, tablet, smartphone)
5.2.3) The 'PEOPLE'-aspect
6) INFORMATION SECURITY AWARENESS
6.1) IMPORTANCE OF INFORMATION SECURITY AWARENESS FOR MOBILE BANKING
6.2) INFORMATION SECURITY AWARENESS: DEFINITION & CONCEPT
6.3) ELEMENTS OF INFORMATION SECURITY AWARENESS
RECAP SECTION B

SECTION C: AWARENESS IN PRACTICE
7) EMPIRICAL RESEARCH: METHOD AND DESIGN CONSIDERATIONS
8) RESEARCH FINDINGS
8.1) DEMOGRAPHICS
8.2) RESPONDENTS' BEHAVIOR WITH RESPECT TO SECURE SMARTPHONE HANDLING FOR MOBILE BANKING
8.3) RESPONDENTS' AWARENESS ABOUT MOBILE BANKING INFORMATION SECURITY
8.4) RELATION BETWEEN AWARENESS AND BEHAVIOR
9) RESEARCH ANALYSIS
RECAP SECTION C

SECTION D: CONCLUSION & RECOMMENDATIONS
10) CONCLUSION
11) RECOMMENDATIONS
12) RESEARCH PROCESS: QUESTIONS AND ANSWERS
13) SUGGESTIONS FOR FUTURE RESEARCH
APPENDICES
SECTION A: INTRODUCTION
- RESEARCH TOPIC AND RELEVANCE
- RESEARCH QUESTIONS AND METHOD
- RESEARCH SCOPE
1) INTRODUCTION: RESEARCH TOPIC AND RELEVANCE

After the introduction of the internet, information technology became an important factor in the way business is done, now and in the future. Within the financial services industry it led to the introduction of online banking as an answer to growing international trade and the problems of transferring money [1]. Besides a new distribution channel, online banking also introduced the need for a new set of control measures. Traditionally, control measures were designed and implemented within the banking industry to thwart the common problems related to online banking systems; however, due to the rapid development of information technology, new risks can be introduced when these developments are applied to online banking. In addition, the number of banks that offer online access to their banking systems is rapidly increasing [2]. Combined with the growing number of transactions [3], this makes online banking more and more attractive to people who continuously look for opportunities to exploit vulnerabilities in online banking systems. Moreover, the amount of malware and the number of exploits targeting vulnerabilities in online banking systems have grown steadily over the past years [4, 5, 6].

A parallel development is the use of mobile phones. With the 6 billionth global mobile phone connection surpassed [8], it is hard to deny the success of mobile phones. Given the rapid growth during the last decade, mobile phones have become an influential factor in a wide range of day-to-day activities, from informal communication to information processing and doing business. In more recent years, (online) banking services have started to extend to the mobile platform. As mobile devices like tablets and smartphones are increasingly used for internet services, banks have joined this trend by offering their financial services through mobile platforms.

The result is that Mobile Banking has become an upcoming trend in conducting financial transactions [11, 13, 84, 99]. Banks push Mobile Banking services to customers from a marketing and cost-efficiency point of view, while customers pull Mobile Banking services through their use of mobile devices (smartphones) and their demand for efficient and user-friendly banking services [67]. Because this platform is relatively new compared to the previously used methods (off-line at a bank branch office, online banking with a PC, etc.), it may pose additional information security challenges (e.g. device theft, mobile app security) on top of the existing ones (e.g. phishing, malware) in the areas of People, Process and Technology. This revives the discussion around information security on the supply side (banks) and the demand side (customers) of banking services, and around the accountability for managing the underlying risks among these stakeholders. When these risks are not properly addressed through security controls and measures, the underlying threats can exploit the existing vulnerabilities (resulting in, for example, identity theft or privacy breaches) and compromise the confidentiality, integrity and availability (CIA) of the mobile security assets: the mobile device itself, as well as the applications and information on the device. Literature [6, 9, 12, 16, 29, 37, 38, 39, 41, 43, 44, 45, 46, 47, 70] has identified some of the major risks for mobile devices which can compromise information security. While mitigating control measures are being developed on the one hand, new and more advanced threats appear at roughly the same pace on the other, forming an arms race in information security.

Recognizing the risks, banks tend to place more and more of the responsibility for information security at the end-user side [42, 50, 71, 72, 73, 74]. Some sources [14, 15, 73] question whether this development is logical and fair. They state that risk should for the most part be managed where the expertise lies. Yet other sources [7, 10, 66] show that awareness among customers is often one of the weaker links in information security, meaning that the effectiveness of other implemented controls may be undermined when the user is not sufficiently aware of (and able to deal with) the risks and the information security policies and procedures. This means that while Mobile Banking technology is pushed more and more towards the customer (and his mobile device) [67], his knowledge of and experience with the related risks and controls do not increase at the same pace. Therefore, the current tendency to shift responsibility and accountability (for managing the risks) towards banking customers may not be sound from an end-user information security point of view.

This study aims to investigate the consequences of this development for banking customers by placing information security in the perspective of Mobile Banking services. This is done by measuring banking customers' information security awareness with respect to Mobile Banking, specifically looking at the underlying vulnerabilities, threats, control measures and adherence to existing responsibilities (e.g. as described in the General Terms & Conditions of the Mobile Banking service). Based on the outcome, the following main research question can be answered:

Is the current shift of responsibilities to the client side justified given their Information Security Awareness?

This study serves as a pilot for auditing the information security awareness for Mobile Banking among banking customers. Some of the key determining factors are identified and empirically measured among a limited number of banking customers. Based on the results of this study, tailored large-scale research can be performed within banks' customer bases. Furthermore, recommendations are provided to further improve the effectiveness of efforts aimed at increasing information security awareness in this area.

Figure 1: Thesis Storyboard
2) RESEARCH SUB-QUESTIONS AND METHOD

The main research question is subdivided into several sections with sub-questions:

1) Which aspects are relevant to information security awareness, given the specific characteristics of Mobile Banking and Information Security?
2) What is the current state of Information Security Awareness for Mobile Banking among banking customers in practice?

This research is subdivided into different sections with corresponding content and applied methods (refer to table 1 below). Each section answers one of the afore-mentioned research sub-questions.

Research Section                                   | Chapters                                                 | Method
---------------------------------------------------|----------------------------------------------------------|------------------------------------------------------------
Section B: Risk & Control Identification           | 4. Mobile banking characteristics                        | Literature Study (Research Sub-Question 1)
                                                   | 5. Mobile banking information security                   |
                                                   | 6. Information security awareness                        |
Section C: Awareness Measurement in Practice       | 7. Empirical Research: Method and Design Considerations  | Empirical Research through survey (Research Sub-Question 2)
                                                   | 8. Research Findings                                     |
                                                   | 9. Research Analysis                                     |
Section D: Research Conclusion and Recommendations | 10. Conclusion                                           | -
                                                   | 11. Recommendations                                      |
                                                   | 12. Research Questions and Answers                       |
                                                   | 13. Suggestions for future research                      |

Table 1: Thesis Structure and Coherence
3) SCOPE

This thesis investigates mobile banking information security from a people perspective, as this is closely related to the security awareness topic. Nevertheless, for sub-question 1, mobile banking risks and controls with respect to the process and the related technology are discussed as well, since these (in)directly affect people's awareness, as the literature study will show. The controls discussed, however, are those related to consumer awareness; technical controls implemented within the banks' environment are not the focus of this thesis.

Figure 2: Mobile Banking with People focus

The practical research for sub-question 2 is further scoped down to banking customers rather than employees of the banks offering mobile banking services. The aim is to specifically measure the security awareness of the average banking consumer, who is less likely to have the same information as professional employees within the banks.

RECAP SECTION A

Recognizing the risks related to mobile banking, banks tend to place more and more of the responsibility for information security at the end-user side. Some sources question whether this development is logical and fair, given that information security awareness among customers is often one of the weaker links in information security, meaning that the effectiveness of other implemented controls may be undermined when the user is not sufficiently aware of (and able to deal with) the risks and the information security policies and procedures. Therefore, the current tendency to shift responsibility and accountability (for managing the risks) towards banking customers may not be sound from an end-user information security point of view.

The next section elaborates on Mobile Banking and Information Security Awareness. Through a literature study, the related risks, controls and interdependencies are identified and discussed.
SECTION B: MOBILE BANKING & INFORMATION SECURITY AWARENESS IN LITERATURE
- MOBILE BANKING CHARACTERISTICS
- MOBILE BANKING INFORMATION SECURITY
- INFORMATION SECURITY AWARENESS
Section A provided a general introduction to the topic under investigation, as well as the scope and outline of this study. This section describes Mobile Banking itself in more detail, focusing specifically on the process and the related information security characteristics to be considered when assessing information security awareness in the Mobile Banking area.

4) MOBILE BANKING CHARACTERISTICS

DEFINITION

Mobile Banking combines aspects of traditional banking with the characteristics of a mobile device. Barati and Mohammadi [18, p.1] define mobile banking as "an attempt to provide the needed added value for customers by offering more opportunities for conducting different banking actions. Mobile Banking is defined as the type of execution of financial services which the customer uses mobile communication techniques in conjunction with mobile devices. Moreover, it is defined as a channel whereby the customer interacts with a bank via a mobile device, such as a mobile phone or personal digital assistant". As these definitions indicate, there are several aspects of Mobile Banking to take into account, related to the medium used, the services offered and the intended goal.

INVOLVED ACTORS

Different parties/actors are directly or indirectly involved at different levels of the Mobile Banking service. The involved parties typically consist of [23, 48]:

- Financial Service Provider (FSP): required for back-end processing and transaction settlement between the payer and the payee. The FSP role is usually fulfilled by a bank.
- Mobile Network Operator (MNO): provides telecommunications infrastructure services, including the mobile network through which the data traffic passes.
- Payer/Payee: the parties providing and obtaining a Mobile Banking payment. Since Mobile Banking services include more than payments, a payer-payee transaction is not necessarily present.
PROCESS DECOMPOSITION

Taking into account the abovementioned characteristics of Mobile Banking, the process can be pictured as follows. This depiction is based on the two forms of Mobile Banking under scrutiny in this research: (1) through the mobile browser (going to the online banking website on a mobile phone; see footnote 1) and (2) through the mobile app. The decompositions are a simplified overview of the processes as followed by the four system banks in the Netherlands (ING, ABN-AMRO, Rabobank, SNS). System banks are banks which, due to their size and social importance, could cause serious disruption of and damage to the financial system if they went bankrupt. These processes logically follow the customer initiation phase, in which individuals can apply to become a customer of a bank. Once an individual is a banking customer, he/she can apply for online banking services; this can of course also be initiated through the mobile browser. Below are the steps taken by the banking customer and the bank.

Figure 3: Mobile Banking process using mobile browser

Typically, mobile banking services through the mobile app are provided only to clients who are registered for online banking services at the same bank. Therefore, registration for the mobile app logically follows the Online Banking process. This is reflected in figures 3 and 4 by the process reference.

Footnote 1: SNS and Rabobank also have an online banking environment tailored to a mobile browser.
Figure 4: Mobile Banking process using smartphone App

1. The banking customer downloads the Mobile Banking app via the app store on the mobile device, using the mobile phone credentials (i.e. Apple ID, Samsung ID, etc.). This is currently free of charge and requires a network connection (WiFi, 3G network, GPRS) to reach the app store.
2. After the download is completed, the banking customer starts the Mobile Banking app on the mobile device.
3. Within the Mobile Banking app, the banking customer has to register for the Mobile Banking service through a series of steps. The number and order of steps differ slightly per bank, but two main registration processes exist: registration with and without a security token (e.g. through SMS authentication with a TAN code; see footnote 2). This is related to the way a mobile banking customer is authenticated. In both cases, banking data needs to be provided.
4. To finish the registration process, a personal PIN code (see footnote 3) has to be provided. This has to be a unique code. To prevent banking customers from using their bank card PIN code for the Mobile Banking service, a 5-digit PIN is required instead of a 4-digit code. After this step, the banking customer can start using the Mobile Banking services made available through the app.
5. The next time the banking customer wants to access the Mobile Banking app, he/she has to log in with the Mobile Banking PIN code.
6. Several Mobile Banking services are offered through the available apps; these are discussed in the next paragraph. The settings for the service can also be changed at this point. Next to changing the PIN code, other settings like the transaction limit or the applicable bank account can sometimes be changed as well.
7. After use, the user has to log out of the Mobile Banking app.
8. When a user wants to cancel the Mobile Banking services, he/she removes the app from the mobile device. This may, for example, be the case when a banking customer changes his/her phone number or mobile device. Hereafter one can re-apply for Mobile Banking services through the abovementioned registration process.
9. The bank notices the removal of the Mobile Banking app and processes the deregistration of the customer for Mobile Banking services.

Footnote 2: Transaction Authentication Number
Footnote 3: Personal Identification Number

MOBILE BANKING SERVICES

Typically, Mobile Banking services via the mobile app consist of the following services. Again, this overview is based on the mobile app functionality offered by the Dutch system banks:

- Overview of Balance and Direct Debit: the ability to check an account's current balance and recent mutations.
- Managing Banking Address Book: the ability to maintain a list of contacts (and their bank account numbers) with whom transactions have been conducted in the past and are likely to occur again.
- Managing Savings Accounts: the ability to maintain a separate savings account. Typically, clients can transfer funds from their checking account to their savings account and vice versa. However, transfers to other bank accounts cannot be done directly from a savings account.
- Money Transfer to Own Accounts: the ability to transfer funds between accounts of the same client. Once accounts are recognized as belonging to the same client, money transfers can easily be conducted between these trusted accounts, with higher transfer limits and a lower security threshold.
- Managing Business Accounts: the ability to maintain a separate account solely for business purposes.
- Managing Investments: the ability to build an investment portfolio and track the performance of current investments (like stocks). This service usually requires additional registration.
- Managing Multiple Accounts: the ability to manage multiple accounts of the same client through the Mobile Banking app. These accounts have to be registered separately in the Mobile Banking app.
- Scanning, Managing and Payment of Bills: the ability to scan bills with a smartphone or tablet. These bills can be managed in the mobile banking app (i.e. a history log) and eventually paid to the relevant counterparty.
- Search Option for Transactions: the ability to search the transaction history log on certain information fields (e.g. bank account number, transaction amount, etc.).
- Scheduling Payments: the ability to schedule a financial transaction (payment or savings deposit) in time using the calendar function.

4.1) MOBILE BANKING VERSUS ONLINE BANKING

Due to a number of differences and similarities, Mobile Banking and Online Banking are sometimes confused with each other. Online Banking can be broadly defined as the ability to make use of banking services through a network connection (internet, mobile operator network, etc.). As personal computers (PCs) were one of the first commercially available hardware components through which these online services were distributed, PCs traditionally come to mind when talking about Online Banking. However, during the past decade numerous hardware devices (including television sets, mobile phones, tablets, etc.) have gained the ability to connect to the internet. Therefore, Online Banking can nowadays be split up according to the specific hardware component used. In such a division, Mobile Banking is simply a specific form of Online Banking, namely on mobile hardware devices.

Next to the similarities between Online Banking using the PC (hereafter: PC Banking) and Online Banking using mobile devices (Mobile Banking), several differences exist related to how the banking functionality is made available on the 'new' hardware medium:

- Additional value is perceived for consumers' banking transactions, due to mobile devices' always-on functionality and the ability to access banks anytime and anywhere [18].
- Because of this, Mobile Banking users' interaction style is unique compared to the constraints of PC Banking (e.g. mobile bankers tend to transfer funds from their checking account to their savings account as soon as their salary has been received) [18, 25].
- However, due to device unfamiliarity, not all banking customers have yet (fully) accepted Mobile Banking. An important issue in this respect relates to the information security features and characteristics of the browsers on the banking platforms. The differences between the mobile browser and the 'traditional' browser may result in security risks which are often not familiar to mobile banking consumers [18, 24, 25].

Another difference between the two forms of banking services is the threshold for people to use them. This becomes quite clear when taking into account the ownership statistics of mobile phones and personal computers: the number of mobile phone owners is higher than the number of PC owners [8, 26]. Although smartphones currently make up between 10 and 40 percent of the mobile phone population (depending on the geographical area), this percentage is expected to increase rapidly in the near future [27, 28, 98]. Therefore, while in the western world Mobile Banking will be an extension of the existing online banking services, in other parts of the world (e.g. large parts of Africa, the Middle East and Asia-Pacific) Mobile Banking has the potential of unlocking banking services for a large part of the population who currently do not have easy access to a bank branch office (for off-line banking services) or a PC (for online banking services), but who do own a mobile phone. It is therefore highly probable that the use of Mobile Banking will continue to grow and eventually surpass PC Banking in the near future [13, 17, 28, 29, 30].

Another adjacent area of Mobile Banking is Mobile Payments. In Appendix E, Mobile Payments are put in perspective to Mobile Banking.
5) MOBILE BANKING INFORMATION SECURITY

Information security awareness with respect to Mobile Banking is related to the underlying information security risks. Mobile Banking is subject to several information security risks. According to the international standard ISO 27001 (Information Security Management Systems), 'Information Security' is defined as the "preservation of confidentiality, integrity and availability (CIA) of information assets..." [33, p.8]:

Confidentiality: "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes"
Integrity: "the property of safeguarding the accuracy and completeness of assets"
Availability: "the property of being accessible and usable upon demand by an authorized entity"

In addition to the CIA properties, other properties can be involved which are important due to the transactional nature of banking services:

Non-repudiation: "Non-repudiation allows an exchange of data between two principals in such a manner that the principals cannot subsequently deny their participation in the exchange" [34]. In layman's terms: the inability to refute the integrity and origin of information.
Authenticity: ensuring a sufficient level of identification, including verification of this identification.

In general, information assets possess inherent vulnerabilities (e.g. paper documents are flammable). Threats are factors (e.g. fire) which can exploit these vulnerabilities. Information security risk is the likelihood that a threat exploits a vulnerability of the information assets, thereby negatively affecting their properties (e.g. the availability of paper documents is affected by fire). While threats are a given, preventive controls can be implemented to mitigate existing vulnerabilities (e.g. a fire extinguisher, a fire-proof cabinet, etc.). Thereby the likelihood that a threat exploits a vulnerability is lowered, thus reducing the risk (refer to figure 5). If risks do materialize, detective controls can be put in place to identify the exposure and mitigate it in a timely manner.

Figure 5: Link between Vulnerabilities, Threats and Control Measures

Based on good practice for information security management, in order to determine the information security awareness for Mobile Banking, the related risks should first be identified. According to the ISO 27001 standard, the following steps have to be taken to identify risks in a proper information security management system:

1) Identify the information assets and their owners
2) Identify the vulnerabilities of these assets and the threats which may exploit those vulnerabilities

Based on these steps, the impact that losses of CIA may have on the assets is determined. For banking services this usually relates to the potential risk of financial fraud and/or theft of financial means. The following paragraphs elaborate in more detail on the assets, vulnerabilities and threats for the Mobile Banking service.

5.1) MOBILE BANKING INFORMATION ASSETS

The information assets consist of all hardware, software and (in)tangible information at the client side and the bank side required for the mobile banking service. Below, some of the key information assets at the client side are identified and described in more detail.

MOBILE DEVICE

As described earlier, several mobile hardware components are able to support online banking services. The term 'mobile device' can have multiple meanings to people, including [29, p.4]:

- Full-featured mobile phones with personal computer-like functionality, or "smartphones"
- Laptops and netbooks
- Tablet computers
- Portable digital assistants (PDAs)
- Portable Universal Serial Bus (USB) devices for storage (such as "thumb drives" and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
- Digital cameras
- Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
- Infrared-enabled (IrDA) devices such as printers and smart cards

In this study, we narrow this down to smartphones and tablet computers (short: tablets), because the banking sector is gradually deploying mobile solutions for these devices. While this development has already become noticeable on smartphones, tablets too have the potential to improve the high-end customer experience with their greater screen size and enhanced graphics [28].

MOBILE BANKING APP

"A mobile application (or mobile app) is a software application designed to run on smartphones, tablet computers and other mobile devices. They are available through application distribution platforms, which are typically operated by the owner of the mobile operating system, such as the Apple App Store, Google Play, Windows Phone Store and BlackBerry App World. Some apps are free, while others have a price. Usually, they are downloaded from the platform to a target device, such as an iPhone, BlackBerry, Android phone or Windows Phone..." [31].
While mobile apps were originally aimed at general information retrieval (e.g. weather, email), their popularity in combination with the relative ease of developing them led to rapid expansion into other areas like gaming, news, social media, travel, shopping, etc. Banking was another area for which mobile apps were developed. In the Netherlands, the 4 system banks each have a Mobile Banking app available for their clients. These are free to download, but registration is required.

Figure 6: Mobile Banking apps of the four Dutch system banks

MOBILE BROWSER

A mobile browser is a web browser designed for use on a mobile device such as a smartphone or tablet. Mobile browsers are optimized to display web content effectively on the small screens of portable devices. Websites designed for access from these browsers may automatically create 'mobile versions' of each page [32]. Refer to figure 7 below. Mobile browsers are taken into account in this study especially since they are used for mobile banking as well (as an alternative to the mobile banking app).

Figure 7: Website on desktop browser (left) and same website on mobile browser (right)

MOBILE BANKING USER CREDENTIALS

Given the sensitive nature of banking services, a private combination of user identity (ID) and password is issued during the registration for Mobile Banking. This combination forms a user's credentials required to access Mobile Banking services. Specifically for the mobile banking apps, a separate PIN code (Personal Identification Number) is required to enter the app.

The customer-side information assets for mobile banking discussed in this paragraph have certain vulnerabilities which can be exploited by information security threats. The next paragraph elaborates on these aspects in more detail, thereby stressing the importance of suitable security control measures.

5.2) MOBILE BANKING INFORMATION SECURITY VULNERABILITIES AND THREATS

The customer-side information assets for Mobile Banking described in the previous paragraph have different kinds of vulnerabilities, some of which are inherent to the medium or service and some of which are due to possible (human) design issues. A (non-exhaustive) number of general vulnerabilities is presented below [12, 70, 75]:

Vulnerability
• Weakness in the mobile operating system
• Weakness in the mobile app
• Insecure data storage
• Insufficient protection against loss of mobile device
• Insufficient protection against theft of mobile device
• Insecure disposal of mobile device
• Lack of security awareness among users
• Lack of skill among users
• Difficulty for users to assess required app authorizations
• Lack of best practices for privacy
• Weak implementation of sandboxing
• Weak authentication mechanisms during app distribution
• Weakness allowing malware to be installed
• Weakness in encryption for network connections
• Insecure network connection
• Improper use of passwords
• Lack of multi-factor authentication
• Lack of thorough app testing

Table 2: Vulnerabilities to Mobile Banking

These and other vulnerabilities can be exploited by all kinds of threats. Since the dawn of the Internet era, the first cyber threats made their appearance. At first, these threats were more mischief than serious attacks. However, as the Internet grew larger and was used more professionally by the business world, threats also became more sophisticated and were used for cybercrime purposes.
The level of sophistication varies from hobbyists/amateurs targeting anyone with a vulnerability (often motivated by challenge or glory) to well-organized criminal organizations forming an advanced persistent threat to socially important bodies like governments, financial institutions, etc. [35].
Figure 8: Cyber Threat – Target Landscape [35, p.2]

Taking into account these sophistication levels, this paragraph elaborates on the abovementioned vulnerabilities and identifies the common threats which can exploit the vulnerabilities with respect to Mobile Banking information assets. This paragraph does not provide an exhaustive overview, but gives an indication of the current risk exposure relevant to Mobile Banking, ordered by the triangle of People, Process and Technology.

5.2.1) THE 'PROCESS'-ASPECT

Although the Mobile Banking process is largely determined by the banks who offer these financial services, it is the banking customer who has to follow this process in practice and specifically cope with the underlying security considerations. Therefore, in this paragraph we look at some process design decisions from an information security point of view and the possible vulnerabilities for the end-user.

PROCESS DEPENDENCIES & RESPONSIBILITIES

The Mobile Banking process relies to an increasing extent on controls on the mobile device and controls on the user side. This inherent reliance, based on the tendency to trust the owners of mobile devices to behave appropriately, only holds when controls at customer-side are in place and adhered to. However, vulnerabilities/threats related to the mobile device (refer to § 5.2.2) and/or malpractice by the banking customer (refer to § 5.2.3) may allow cyber-criminals to bypass control measures [41]. Information security risks at customer level and device level require close monitoring and appropriate mitigating controls to be in place. The European Payments Council [21] stresses that information security should be embedded in the process. Information security management around mobile banking should at least include methods and procedures to continuously monitor relevant risks and assign the corresponding responsibilities appropriately. While risk monitoring is largely embedded in the banks' operational processes, the division of responsibilities is still subject to continuous discussion, both within the financial sector and at the political level [14, 15, 42, 73].

MULTI-FACTOR AUTHENTICATION

One of the process design aspects is related to the authentication of customers in the mobile banking process. Given the inability to identify a banking customer physically in a bank's branch office, remote financial services often require multiple factors for authentication purposes. Authentication is the process of determining whether an individual is who he/she claims to be. There are several authentication tools and methods banks can apply to authenticate customers. These include the use of personal user logon credentials, digital certificates, physical devices such as smart cards, database comparisons, biometric identifiers, and so on. The existing methods involve three basic factors [40, p32]:

• Something the user knows (e.g. password, passphrase, PIN)
• Something the user has (e.g. bank card, smart card)
• Something the user is (e.g. biometric characteristics; fingerprint, retina)

"Accordingly, properly designed and implemented multi-factor authentication methods are more reliable indicators of authentication and stronger fraud deterrents. In general, multi-factor authentication methods should be used on higher risk systems [40, p32]." Following this definition, Mobile Banking systems, which generate and process sensitive financial information, should apply multi-factor authentication, since combining independent factors makes the system more difficult to compromise than single-factor systems. An alternative is to use tiered single-factor authentication (e.g. multiple passwords at different stages in the process). Online banking using a laptop or PC often uses two-factor authentication.
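As an added illustration of the two-factor check described above (example code written for this page, not code from the thesis or from any bank): a sign-in is accepted only when both a knowledge factor (a password, stored as a salted PBKDF2 hash) and a possession factor (a time-based one-time password from a token or phone, computed per RFC 6238) verify. The user record, salt and TOTP secret are constructed demo values.

```python
"""Two-factor sign-in check: something the user knows (a password) plus
something the user has (a time-based one-time password from a token or phone).
Added example, not code from the thesis or from any bank; the user record,
salt and TOTP secret below are constructed demo values."""
import hashlib
import hmac
import struct
import time

# Constructed demo values; a real system stores the salt and hash per user
# in its database and provisions the TOTP secret to the user's token/phone.
DEMO_SALT = bytes.fromhex("a3f1c2d4e5f60718293a4b5c6d7e8f90")
DEMO_TOTP_SECRET = b"demo-totp-secret-constructed"


def hash_password(password, salt, iterations=200_000):
    """Slow, salted PBKDF2 hash so a leaked user table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "password_hash": hash_password("correct horse battery", DEMO_SALT),
        "totp_secret": DEMO_TOTP_SECRET,
    }
}


def verify_knowledge(username, password):
    """Factor 1: the password. Constant-time compare; unknown users still pay
    the hashing cost so response time does not reveal which accounts exist."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, DEMO_SALT)
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"])


def verify_possession(username, otp, unix_time, skew_steps=1):
    """Factor 2: the one-time password, accepting one step of clock drift."""
    user = USERS.get(username)
    if user is None:
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(user["totp_secret"], unix_time + delta * 30)
        if hmac.compare_digest(expected, otp):
            return True
    return False


def verify_login(username, password, otp, unix_time=None):
    """Sign-in succeeds only if both factors verify: a password captured by
    shoulder surfing or phishing is useless without the token's current code."""
    if unix_time is None:
        unix_time = int(time.time())
    knows = verify_knowledge(username, password)
    has = verify_possession(username, otp, unix_time)
    return knows and has
```

Both factors are always evaluated, so an attacker who holds only the password learns nothing from the response about which factor failed. The one-step skew window is the usual concession to clock drift between the bank's servers and the user's token.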
Next to users' banking credentials (knowledge), a personal security token or mobile phone (possession) is used as a second authentication factor. Mobile banking systems do not (always) require multiple factors in the authentication process. This absence may mean an increase in vulnerability. After all, banking customers use their mobile phones not only within the relative safety of their own home (e.g. physical safety, secure LAN), but especially outdoors or when traveling. Moreover, one could question how much security multi-factor authentication adds for mobile banking, since mobile use introduces a higher risk of compromise.

5.2.2) TECHNOLOGY (APP, WEBSITE, BROWSER, TABLET, SMARTPHONE)

It is exactly the technology aspect that makes Mobile Banking services stand out from other existing banking services. Consequently, information security awareness for mobile banking is heavily influenced by this aspect. This paragraph describes some of the technology-related information security threats for the Mobile Banking process. These risks are related to the hardware and software information assets used in the process.

PHYSICAL DEVICE THREATS

A certain level of mobile device threat is inherent to the intention developers have with the functional and physical design of these devices. This is first and foremost aimed at appeal to the consumer base rather than forming a secure platform. On the contrary, the more popular a mobile device and its underlying platform/OS, the more interesting it is for cyber attacks [41]. Recent stats [43, 44] show that iOS, Android OS, Blackberry OS, Symbian OS and Samsung OS are the most frequently used mobile operating systems around the globe. While the market share of BlackBerry and Symbian is declining, these stats also show that Android OS and iOS are currently dominating the market. This ranking is not necessarily reflected in the related mobile OS security [45, 46, 47]. Below are some common threats known to compromise the security of the mobile device.

Theft & Loss

Smartphones and tablets are designed for mobile use. While this is perhaps the most important characteristic of this type of device, it also leads to the inherent risk of theft and loss. Having access to mobile banking services outside the comfort of your own home or the bank office is considered a great advantage and gives the service its added value. Again, this is mainly reasoned from a usability/functionality point of view. From a security point of view, the lack of physical controls makes mobile devices vulnerable to these threats [41]. Combined with other threats (shoulder surfing, unsecured networks, etc.) the likelihood that these risks manifest themselves increases.

Eavesdropping

Several methods exist to eavesdrop on mobile data traffic [39]. Sensitive personal and financial information can be obtained by eavesdropping on (1) phone calls, (2) text messages (SMS) and (3) other data traffic. Authentication data and bank account balance information are just examples of what cyber criminals are often after. By cracking mobile data traffic, it is possible for attackers to commit mobile identity theft: one device impersonating another device, thereby receiving its calls and messages. A frequently seen data traffic eavesdropping threat is the Man-in-the-Middle attack "in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker" [77].

Device Tampering

Another way to eavesdrop on mobile data traffic is to tamper with the mobile device, either physically or logically (through the software). Physical tampering or bugging requires the attacker to get hold of the device and is therefore quite laborious to apply on a large scale. This method is used more for tailored attacks.

MOBILE BANKING APP & MOBILE BROWSER

One level deeper than the mobile device are the programs which run on these devices. These programs or 'apps', as they are called on smartphones and tablets, are used to gain access to banking services and are vulnerable to several technical threats. While most of these are already known on the desktop/laptop platform, these threats are either designed differently or less easily recognizable on the mobile platform.

Mobile Malware

Malware is a concatenation of the words 'malicious' and 'software'. Mobile malware is aimed at the software (operating system, application, data) of mobile devices and includes various types such as viruses, worms, trojan horses, rootkits, key loggers, spyware, malicious browser helper objects, and other forms of hostile or intrusive software [97]. An example of a mobile exploit is the Man-in-the-Mobile attack. In this type of attack, malware is maliciously loaded on the mobile device. This forms a serious challenge for out-of-band authentication systems (like the TAN used for mobile banking through the mobile browser), as the malware can spy on the SMS one-time passwords and relay these back to the attacker. Man-in-the-Browser attacks are another form, in which a vulnerability in the web browser is exploited [102]. Standardization within the mobile community (e.g. on OS level) and the increase in connection methods (3G, SMS, MMS, USB, Bluetooth, WiFi, NFC, RFID, etc.) mean that the likelihood of encountering mobile malware will increase in the near future. Also, as the computing power (CPU) of smartphones and tablets is reaching levels equal to laptops/desktops, the expectation is that the difference between mobile operating systems and regular operating systems will fade. Therefore, the threats coming from mobile malware will become similar to those of 'regular' malware [39]. Moreover, as financial services (including online authentication) are being extended to the mobile platform, these too face malware threats to an increasing extent.

Mobile App Development

The development process of mobile apps can be a vulnerability from a security point of view. This is due to the rate at which developments take place; app releases follow each other frequently. Mobile apps are often developed through Agile methods with limited time for testing, and system deployment is usually determined by economic and social factors other than those related to the software itself. While being led by the whims of end-users, app developers should try not to trade security entirely for functionality or a swift release [41, 78].

5.2.3) THE 'PEOPLE'-ASPECT

No matter how well designed the Mobile Banking process or the mobile device used, it is the end-user who has to be able to follow the process and deal with the related security risks. This paragraph addresses some people-oriented information security vulnerabilities and threats.

SECURITY – USABILITY – BEHAVIOR

The importance of people-oriented security considerations for Mobile Banking has been stressed in the literature [37, 64]. People-oriented security considerations are mainly related to the trade-off between security and usability. Although the design goals of these topics may conflict with each other, balance is the key word. "For instance, a password system can easily require its users to remember random passwords that are over fifty characters long. ... Unless the user has photographic memory, the immediate reaction of everyone would be to write down the passwords and storing them in an accessible location, which is as good as not having the password protection. Security mechanisms cannot be effective without taking into account the users." [37, p25] "People may divulge their passwords with someone they perceive trustworthy; ultimately, this action is sharing their authorization. From a security viewpoint, this is considered as an insecure practice; however, from a user perspective, sharing passwords helps users achieve the desired goal, i.e. retrieving the correct password when it is needed." [37, p26]

Yet another example is that of users who have engaged in logical tampering by hacking their smartphone operating system. Well-known examples are the processes of 'jailbreaking' on the Apple iOS platform and 'rooting' on the Android OS platform. These last-mentioned threats are typically caused by the device owners themselves. This method removes certain system limitations, leading to increased usability and flexibility. On the other hand, by doing this, the built-in security controls are also bypassed, rendering the device more vulnerable to malicious attacks.

These examples indicate that overcompensating security for usability can lead to undesired behavior on the user side. Next to writing down passwords, users may also disclose classified information to perceived trusted parties or refrain from changing passwords periodically. Often, this insecure behavior is caused by a lack of information security awareness or simple carelessness. This behavior results in vulnerabilities to which (cyber-)criminals apply malicious attacks. Some of these common people-oriented threats are described below.

IDENTITY FRAUD

Identity Fraud is the umbrella term for threats aimed at capturing sensitive (financial) data from users by abusing their ignorance (lack of security awareness) or carelessness with respect to information security. Often, identity fraud is committed for financial purposes, making this threat especially relevant for banking services. The common threats associated with identity fraud are Identity Theft, Social Engineering and Phishing [39].

Identity Theft is the larceny of someone's (digital) identity with the purpose of committing identity fraud. Social Engineering and Phishing are two of the frequently used methods related to identity theft [39].

Social Engineering consists of all techniques through which cyber criminals attempt to obtain personal data from banking customers. While the concept has been around for some time, social engineering has taken flight because of several developments in the digital world:

• The speed with which digital communication occurs and the number of communication methods have increased rapidly over the past few years.
• Digital communication has become ubiquitous: present everywhere and far less limited to a specific place and time.
• People tend to share personal information via social media.

Next to these developments, people's natural curiosity is often exploited by cyber criminals.
The obtained sensitive user information helps cybercriminals tailor other malicious attacks like phishing and malware exploits [39].

Phishing (short for 'password harvesting fishing') is a method through which cyber-criminals attempt to obtain the login credentials and personal data of banking customers by using false information. Phishing is done through email, phone calls, chat programs, etc. Through the obtained banking customer data, fraudsters can either gain access to financial sources (bank accounts) or commit identity theft [38]. In the early days of the internet, phishing attempts were often unsophisticated (e.g. improper use of language, use of questionable URL links). As awareness of this phenomenon grew, attackers professionalized their phishing attempts, making them harder to recognize. A variation of phishing specifically focused on mobile devices is called smishing. This is a form of criminal activity in which phishing messages are sent using the short message service (SMS) on mobile phones [37]. As this is relatively new terrain, banking clients especially need to be cautious and exert a healthy suspicion towards possible smishing attempts. In general, mobile phishing attempts are harder to recognize as mobile operating systems and browsers lack secure application identity indicators. Therefore, users are not always able to tell what mobile application or website they are interacting with, thereby exposing them to the risk of mistaking a malicious party for a trusted one [58].

LACK OF MONITORING

Whenever malicious individuals attempt to attack or abuse the mobile banking application, this may have bad consequences for the banking services and/or the individual banking customers targeted. If detected in time, banking customers can call the bank for help or take corrective/mitigating measures themselves [75]. The likelihood of timely fraud detection is higher when banking customers frequently inspect the functioning of the mobile banking application as well as their personal transactions. The key aspect here is that they need to be able to recognize possible suspicious or fraudulent activity. This is where security awareness plays a crucial role.

TIMELY SIGN-OUT

In the authentication process of banking services, significant attention is given to user sign-in. In comparison, signing out is often underexposed. During sign-out, a user's session is ended, and this limits the possibility for malicious individuals to intercept transaction data. Therefore, banking customers have to pay attention to timely sign-out from the mobile banking application after usage [75].

OTHER PEOPLE-ORIENTED THREATS

Shoulder Surfing

Shoulder surfing is the activity of watching over someone's shoulder as they enter their password, thereby effectively capturing the user's password. More sophisticated shoulder surfing attacks use recording equipment to capture passwords without being detected by the user [37]. In the Netherlands, shoulder surfing was frequently used in combination with skimming attacks at Automated Teller Machines (ATM) and Point of Sale (POS) terminals to obtain (copy) the debit card data from the magnetic stripe. Since the introduction of the EMV chip (introduced by Europay-Mastercard-Visa) on Dutch debit cards, the sensitive information is stored on the chip instead of on the magnetic stripe. This makes skimming less straightforward for criminals and results in the steady decline of skimming attacks [76]. While skimming plays no role in Mobile Banking, shoulder surfing does.
Criminals can capture the Mobile Banking password while the user is entering it on his/her mobile device. Moreover, the mobile device itself is easily lost or stolen, adding to the threat of shoulder surfing.

Money Laundering

Financial transactions manipulated by cyber criminals have to be cashed in or anonymized at some point to prevent the crime from being traced back to the cyber criminal. One of the methods used is working with so-called money mules. These are banking customers who let cyber criminals make use of their bank account for money laundering. In return the money mules receive a small percentage of the transferred funds, although extortion is also common practice. While recent campaigns increased the awareness of banking customers of the consequences of these activities, other factors can potentially increase this threat [39]:

• The current economic climate leads to a larger number of individuals in financial despair. These individuals may be tempted to act as a money mule for financial gain.
• Cyber criminals are getting more knowledgeable with respect to the money laundering process and the different transaction routes.
• The number of financial transactions is increasing by the year due to technical advances (online transactions, mobile transactions), social developments (24/7 economy) and the (incr)ease of international payments (SEPA, IBAN, etc.).

In combination with faster transaction processing, these developments make it more difficult for banks to handle the threat of money mules and money laundering.

The vulnerabilities, threats and corresponding controls discussed in this chapter have a strong relationship with the level of information security awareness of the banking customer. The next chapter will further elaborate on this concept and how it can be defined.
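The LACK OF MONITORING paragraph in § 5.2.3 argues that customers who review their transactions can spot fraud early if they know what to look for. As an added example (written for this page, not code from the thesis or from any bank), the following review runs a few such checks over a constructed transaction history: an unknown payee, an amount far outside the customer's usual range, an unfamiliar device and activity at an hour the customer never banks. All transaction records are constructed sample data.

```python
"""Customer-side transaction review: flag new transactions that deviate from
the customer's own history. Added example with constructed sample data; not
the thesis's or any bank's fraud-detection logic."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Tx:
    ts: str        # ISO 8601 timestamp (constructed)
    amount: float  # amount in EUR
    payee: str     # payee label standing in for an account number (constructed)
    device: str    # device identifier reported by the banking app (constructed)


# Constructed history of ordinary, customer-confirmed transactions.
HISTORY = [
    Tx("2013-05-02T12:14:00", 42.10, "supermarket-A", "phone-1"),
    Tx("2013-05-06T18:40:00", 13.50, "cafe-B", "phone-1"),
    Tx("2013-05-10T09:05:00", 89.99, "webshop-C", "tablet-1"),
    Tx("2013-05-14T13:22:00", 25.00, "supermarket-A", "phone-1"),
    Tx("2013-05-19T20:15:00", 60.00, "landlord-D", "phone-1"),
    Tx("2013-05-23T11:48:00", 19.95, "webshop-C", "tablet-1"),
    Tx("2013-05-27T16:30:00", 33.40, "supermarket-A", "phone-1"),
    Tx("2013-05-31T08:55:00", 48.00, "cafe-B", "phone-1"),
]


def flag_transaction(tx, history, amount_factor=3.0, quiet_hours=(0, 6)):
    """Return the list of reasons a transaction looks suspicious (empty = none).

    The checks mirror what an alert customer would notice when reviewing
    statements: an unknown payee, an unusually large amount, an unfamiliar
    device, or activity at an hour the customer never banks."""
    reasons = []
    if tx.payee not in {h.payee for h in history}:
        reasons.append("new payee")
    amounts = [h.amount for h in history]
    if tx.amount > mean(amounts) + amount_factor * pstdev(amounts):
        reasons.append("amount far above history")
    if tx.device not in {h.device for h in history}:
        reasons.append("unknown device")
    hour = int(tx.ts[11:13])
    if quiet_hours[0] <= hour < quiet_hours[1]:
        reasons.append("outside usual hours")
    return reasons


def review(new_txs, history=HISTORY):
    """Review a batch of new transactions; returns [(tx, reasons), ...]."""
    return [(tx, flag_transaction(tx, history)) for tx in new_txs]


if __name__ == "__main__":
    # Constructed new transactions: one routine, one showing several signals.
    routine = Tx("2013-06-03T14:05:00", 45.00, "supermarket-A", "phone-1")
    odd = Tx("2013-06-04T03:12:00", 950.00, "unknown-E", "phone-9")
    for tx, reasons in review([routine, odd]):
        print(tx.ts, tx.amount, tx.payee, "->", reasons or "ok")
```

Each flagged reason is exactly the kind of cue the thesis wants customers to recognise; a bank's own monitoring would add far more context, but the point stands that the signals are visible in the customer's own statement.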
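The TIMELY SIGN-OUT paragraph in § 5.2.3 notes that ending the session is what closes the window for misuse. As an added example (written for this page, not code from the thesis or from any bank), the session store below issues an unguessable token at sign-in, lets it expire after an idle timeout, and revokes it immediately on explicit sign-out; the abandoned_window helper shows how long a merely abandoned session stays usable to anyone holding the token. Times are plain seconds so the behaviour can be followed without a real clock.

```python
"""Server-side session handling that shows why timely sign-out matters: a
session that is merely abandoned stays usable until the idle timeout runs
out, while an explicit sign-out invalidates it at once. Added example; not
the thesis's or any bank's session code. Times are plain seconds."""
import secrets


class SessionStore:
    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout      # seconds of inactivity allowed
        self._sessions = {}                   # token -> [user, last_seen]

    def sign_in(self, user, now):
        """Issue a fresh, unguessable session token after authentication."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user, now]
        return token

    def is_valid(self, token, now):
        """Read-only check; does not count as activity."""
        entry = self._sessions.get(token)
        return entry is not None and now - entry[1] < self.idle_timeout

    def resolve(self, token, now):
        """Return the user bound to a token, or None if unknown or idle-expired.
        A successful lookup counts as activity and extends the session."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen >= self.idle_timeout:
            del self._sessions[token]         # expired: drop it server-side
            return None
        entry[1] = now
        return user

    def sign_out(self, token):
        """Explicit sign-out: the token is gone immediately, whatever the timeout."""
        return self._sessions.pop(token, None) is not None


def abandoned_window(store, token, start):
    """Seconds during which a session the user stopped using at `start`
    (without signing out) still resolves for anyone holding the token."""
    seconds = 0
    while store.is_valid(token, start + seconds):
        seconds += 1
    return seconds


def demo():
    """Compare an abandoned session with a signed-out one."""
    store = SessionStore(idle_timeout=300)
    token = store.sign_in("alice", now=0)
    store.resolve(token, 100)                     # last activity at t=100
    left_open = abandoned_window(store, token, start=100)
    signed_out = store.sign_out(token)            # user signs out explicitly
    after = store.resolve(token, 101)             # token no longer usable
    return left_open, signed_out, after


if __name__ == "__main__":
    print(demo())
```

The idle timeout is the bank's safety net; the explicit sign-out is the customer's. With a 300-second timeout the abandoned session is usable for five minutes after the last tap, which is exactly the window a lost or stolen device offers.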
6) INFORMATION SECURITY AWARENESS

6.1) IMPORTANCE OF INFORMATION SECURITY AWARENESS FOR MOBILE BANKING

The number of threats and vulnerabilities related to mobile banking (partially discussed in chapter 5) is considerably high, and the ongoing progression (especially on the technology side) is likely to cause a further increase in this area. On the other hand, mitigating controls are developed and implemented at the same pace. Financial institutions and organizations specialized in information security constantly try to handle the risks by actively implementing/offering mitigating measures. Cybercriminals on the other hand continuously look for security flaws to bypass current measures and try to abuse the weakest link in an information security control framework: the end-user. Refer to the examples below.

Positive:
• Banks start offering their customers Trusteer security software ("Rapport") against banking malware [49].
• Security organization RSA comes up with an Anti Rogue App Service [52].
• Banks increase their security efforts by calling customers with malware infections, by introducing additional authentication codes and by continuously communicating how to recognize the authentic banking environment [53, 54].
• Use of PAKE / SRP as double layer browser encryption [88].

Negative:
• Security experts find leaks in the security offered by Trusteer Rapport, and rogue apps of TrusteerMobile appear in the Android app store [50, 51].
• Cybercriminals may pose as the Certificate Authority (CA) and issue fraudulent certificates for a mobile banking website. Mobile banking customers, who usually trust the mobile banking website based on the issued certificate, therefore run the risk of becoming the victim of a Man-in-the-middle attack [55].
• Banking customers run the risk of becoming victim to the BEAST and CRIME attacks, which exploit internet browser vulnerabilities (man-in-the-browser attack). The regular browser checks advised by banks (check the 'lock icon' and certificate, check the URL) do not work against this threat [56].

Table 3: Some examples of the Rat Race for information security

Consequently, this development of a dynamic and ongoing nature can be described as a 'rat race' between cyber criminals and banks (and security specialists) [103, 104, 105, 106, 107, 108, 109, 110]. The question is whether the average banking customer can keep up with these developments at the same pace and to the same extent. Because of this volatile nature of information security, users should be (made) aware that 'information security' does not have an end-state which can be reached by taking certain measures in the present. Instead, continuous efforts are required to keep information security at a satisfactory level [111]. Banking customers should especially get the security basics under control. "Currently, most data breaches on mobile devices are due to basic security failures – weak (or no) passwords, failure to encrypt data, falling victim to phishing or other social engineering and failure to update the device (making it vulnerable to simple attacks)" [57, p1]. In conclusion, preventive measures against mobile device cyber-attacks do not have the desired result if users ignore or are not able to deal with the security indicators. In order to change their attitudes and behavior with respect to information security, it is important to raise their information security awareness [68]. Without information security awareness, the required information security techniques, procedures and control measures can be misused or misinterpreted [66]. Therefore, awareness at banking end-users can be considered one of the key factors for the information security of mobile banking [58, 66, 59, 41 p13].

6.2) INFORMATION SECURITY AWARENESS: DEFINITION & CONCEPT

Information Security is a broad term. Dictionaries define 'security' as "being protected against danger". Even when narrowing this down to Mobile Banking information security, this definition links the term security to familiarity with all possible threats customers face with mobile banking. According to Siponen [65], security awareness means that users should be aware of security objectives and show commitment to these objectives. He believes that next to the organizational viewpoint, the concept of information security awareness "should also constitute an integral part of the general knowledge of citizens in the information society. In other words, anyone who regards information in any form as an important asset should be aware of the threats related to it" [65 p.24]. This viewpoint is very fitting to the present-day banking customer, who is more and more involved in electronic forms of banking (i.e. online banking, mobile banking, etc.).

Another, perhaps more structured definition of information security awareness can be derived from the ISO27001 framework (refer to chapter 5). If Information Security risk is related to the likelihood of threats exploiting vulnerabilities to affect the desired properties (e.g. confidentiality) of information assets (e.g. mobile banking password), then information security awareness is the extent to which banking customers are aware of the link between the threats, vulnerabilities, mitigating controls and their own responsibilities regarding the security of their information assets, so as to prevent risks from materializing. The issue here is that one cannot guarantee that all threats are known to professional organizations like banks, let alone to banking customers. Due to this information security asymmetry, security awareness at banking customers is usually based on an inherently incomplete amount of information and therefore involves the subjective element of security risk perception [62].

Security awareness can also be defined as the awareness of the extent to which security is required and the attitude with respect to these security requirements [60, 68]. The attitude is related to human behavior, both conscious (behavioral intentions, cognitions) and unconscious (affective responses). Unconscious behavior is based on automatisms, emotions or 'gut feelings'. Also, the perception a person has of the environment can trigger certain habits. Conscious behavior is related to intentions (planned actions) and cognitions (ideas, beliefs); there is a motivation to act in a certain way. This can be either intrinsic (internal motivation) or extrinsic (triggered by some kind of external reward) [60, 68]. The intrinsic motivation for secure behavior is sufficient in most individuals, provided that they perceive the related controls as reasonable [61].
6.3) ELEMENTS OF INFORMATION SECURITY AWARENESS

Based on the aforementioned definitions from the literature, several elements (in bold) can be identified which help understand the relationship between information security awareness and users' attitude and behavior with respect to information security. Linking these elements results in the following overview of dependencies.

Figure 9: Linking Information Security Awareness to Attitude and Behavior [60, 61, 66, 67, 68]

Security perception can be seen as an important indicator of actual information security awareness. This is because, in general, control measures make most sense if it is clear to the banking customer which vulnerability or threat the control measure helps to mitigate. Banking customers should be made aware of the threats mobile banking poses to their personal situation (privacy, finances, etc.) and how adherence to security guidelines helps to prevent these from materializing. This way security guidelines are better internalized; this means that intrinsic motivation is increased and that users are more likely to follow security guidelines [61, 66, 111]. Consequently, understanding the link between vulnerabilities, threats and controls influences the perception of the reasonableness/necessity of control measures and can therefore be seen as an important indicator of security awareness.

Trust is another relevant concept. "Trust is a psychological state comprising the intention to accept vulnerability based upon positive expectations of the intentions or behavior of another" [69 p395]. In the context of this study this means that the banking customer may have a certain (negative) perception of the risk related to mobile banking, but is willing to accept vulnerabilities based on positive expectations (specific beliefs about the integrity, benevolence and competence) of their bank [37, 67]. In 2010 Wouda [36] showed that although the average level of cyber security awareness is relatively low, the perceived security of and trust in banking services were still on the positive side. The progression since then has also resulted in a number of security incidents with mobile banking [e.g. 79, 80, 90]. As these incidents tend to stick in the mind, this may also reduce people's trust in Mobile Banking [63].
Understanding the importance of security perception and trust, banks try to make mobile banking services appear as safe as possible [62, 63 p1427, 91]. If consumers are not convinced of the security, they are less likely to use these banking services. Therefore, banks benefit from presenting their services as secure as possible. On the other hand, this can lead to the situation in which banking consumers are less alert to relevant security threats and measures, since they may see mobile banking as a service which requires little security efforts on their side [111]. If their risk perception does not match with reality, banking customers may take too few or even incorrect security measures [61]. Thus, the challenge for banks with mobile banking is to present the service as secure as possible without compromising the security awareness of the banking customers. Information Security Awareness for Mobile Banking
P a g e | 33
RECAP SECTION B

Although the Mobile Banking process is largely determined by the banks who offer these financial services, it is the banking customer who has to follow this process in practice and, specifically, cope with the underlying security considerations. The Mobile Banking process relies to an increasing extent on controls on the mobile device and controls on the user side. This inherent reliance, based on the tendency to trust the owners of mobile devices to behave appropriately, is only warranted when controls at the customer side are in place and adhered to. Properly managing the related information security risks requires close monitoring and appropriate mitigating controls to be in place. This should at least include methods and procedures to continuously monitor relevant risks and to assign the corresponding responsibilities appropriately. On the end-user side this means frequent inspection of the functioning of the mobile device and the banking application, as well as of the transactions made. The key aspect here is that end-users need to be able to recognize possibly suspicious or fraudulent activity. This is where security awareness plays a crucial role. Without information security awareness, the required information security techniques, procedures and control measures can be misused or misinterpreted. Therefore, awareness among banking end-users can be considered one of the key factors for the information security of mobile banking. Given the current rat race for information security between cyber criminals and banks (and security specialists), it is questionable whether the average banking customer can keep up with these developments at the same pace and to the same extent. Due to this information security asymmetry, security awareness among banking customers is usually based on an inherently incomplete amount of information and therefore involves the subjective element of security risk perception.

Moreover, because of the volatile nature of information security, users should be (made) aware that ‘information security’ does not have an end-state which can be reached by taking certain measures in the present. Instead, continuous efforts are required to keep information security at a satisfactory level. This concludes section B. In section C, the identified aspects of information security awareness for Mobile Banking are applied in practice among banking customers through a questionnaire survey.
SECTION C: AWARENESS IN PRACTICE

- EMPIRICAL RESEARCH: METHOD AND DESIGN CONSIDERATIONS
- RESEARCH FINDINGS
- RESEARCH ANALYSIS
7) EMPIRICAL RESEARCH: METHOD AND DESIGN CONSIDERATIONS

In Section B of this research, we discussed what mobile banking is, which vulnerabilities and threats are related to this financial service and how information security awareness plays a crucial role in recognizing and mitigating the related information security risks. In this section of the research, information security awareness is measured among banking customers to determine the current state in practice. This corresponds to sub-question 2 of this research:

What is the current state of Information Security Awareness for Mobile Banking among banking customers in practice?

In line with the understanding of information security awareness (chapter 6), this sub-question addresses two aspects:

A) To what extent do banking customers understand the link between the Vulnerabilities, Threats and Control measures for Mobile Banking?
B) To what extent do banking customers adhere to their responsibilities with respect to Mobile Banking (and follow good practices for the security of their mobile device to do so)?

The combination of these aspects provides insight into the ability of banking customers to manage mobile banking security risks. The extent to which customers’ awareness and behavior are aligned indicates whether their actions are random/lucky or more likely to result from informed, conscious decision making. It is noted that factors other than awareness play a role in behavior as well, such as:

1. Factory settings on smartphones, through which certain security settings are applied by default
2. Certain smartphone or app functionality which requires smartphone security settings to be configured differently from good practice
3. People who accept a lower level of security settings (based on a risk assessment / good judgment / nonchalance)
4. People who configure their smartphones for maximum security out of precaution

Taking these factors into account, the following awareness quadrants can be distinguished:
Figure 10: Quadrants - Behavior vs. Awareness

The respondents of the questionnaire survey will be placed in this quadrant. In order to measure security awareness among banking customers, a questionnaire survey is used, since this is a relatively inexpensive and efficient way to reach a large number of individuals with the same set of questions and so obtain comparable results.

Target Respondent Group

The target respondent group for the questionnaire survey consists of the population of banking customers who use a smartphone for activities including mobile banking. This may be through a dedicated app or through the mobile internet browser. Given the respondent group defined above, the following exclusion criteria apply:

- Respondents under 15 years of age will be excluded from the results, as they are not able to register for mobile banking services
- Respondents without a smartphone will be excluded from the results, as they are not able to use mobile banking services
- Respondents who do not use their smartphone for mobile banking will be excluded from the results

Therefore, in order to get a sufficient number of valid respondents, a convenience sample is used consisting of individuals from private and public sources (friends, colleagues, social media contacts, public media contacts, etc.).

Survey Questions and Questionnaire Setup

For the two aspects covered in the survey questionnaire, questions are formulated based on the vulnerabilities and threats identified in chapter 5, security developments in the media and available good practices. Since the security recommendations in banks’ general terms and conditions for mobile banking are often principle-based and generic in nature (refer to Appendix B), the good practice security guidelines [10, 70, 75, 100, 101] are used instead, since these are often more concrete and therefore better fit for purpose.
Additionally, the type of questions/statements to be used was discussed with knowledgeable individuals within the areas of Payments (Currence) and Information Security (Ernst & Young). In the questionnaire setup, the following considerations are included:

- The questionnaire survey is created through an online survey tool with easy distribution possibilities.
- The behavior-related statements precede the awareness questions, to prevent revealing information which could influence the answers to the behavior-related statements.
- The awareness questions are set up in such a way that they cover different kinds of vulnerabilities and threats (device-related, network-related, software-related, information-related, etc.).
- The mobile device security measures and the user-side responsibilities for mobile banking through the dedicated app (as mentioned in the general terms and conditions) are included in the behavior statements (refer to Appendix B).
- The awareness questions are presented as a QUIZ with the possibility for respondents to view their score and the answers afterwards (increasing their awareness). This helps to increase the integrity of the provided answers (individuals are less likely to fool themselves) and creates an incentive for filling out the survey.
- The questionnaire survey starts with an introduction and a short glossary of the terms required to fill out the questionnaire. This is limited to only those terms required to fill out the questionnaire, without revealing any question answers in advance.
- Behavior questions include a ‘Do not know’ option. This prevents respondents from guessing and therefore prevents the results from being skewed. This can also be interpreted as an indication that a respondent is not acting consciously with respect to a certain control or smartphone security setting.
- Awareness questions are multiple choice and include the possibility to provide multiple answers. This helps correct for respondents guessing. Guessing is further discouraged by the quiz score system.
- The limits for secure smartphone behavior and awareness are based on professional judgment, taking into account the factor of answer guessing. For behavior, scores above 107 are considered sufficient. For awareness, scores above 7 are considered sufficient.

Time Period / Interval

The questionnaire was active from April 15th 2013 to May 31st 2013. The required time for completion is approximately 10-20 minutes, depending on the respondents’ familiarity with the topics and the choice of respondents to review their answers.
8) RESEARCH FINDINGS

The questionnaire was active from April 15th 2013 up to May 31st 2013. During this time a total of 162 respondents filled out the questions. After applying the exclusion criteria, 90 respondents remained who are at least 15 years of age, own a smartphone and use mobile banking.

8.1) DEMOGRAPHICS

From the 90 respondents, the following demographics have been collected. For some demographics the distribution can be attributed to the fact that a convenience sample was used.

Age        Frequency   Percent   Valid Percent   Cumulative Percent
<= 19              5       5,6             5,6                  5,6
20 - 29           50      55,6            55,6                 61,1
30 - 39           21      23,3            23,3                 84,4
40 - 49            8       8,9             8,9                 93,3
50+                6       6,7             6,7                100,0
Total             90     100,0           100,0

More than half of the respondents are in their twenties and a quarter are in their thirties. The age classes 40+ and teenagers form the remaining quarter of respondents and are somewhat underrepresented in the sample.

Gender     Frequency   Percent   Valid Percent   Cumulative Percent
Male              68      75,6            75,6                 75,6
Female            22      24,4            24,4                100,0
Total             90     100,0           100,0

Only a quarter of the respondents are female.
Educational Background   Frequency   Percent   Valid Percent   Cumulative Percent
IT-related                      39      43,3            43,3                 43,3
Other                           51      56,7            56,7                100,0
Total                           90     100,0           100,0

Almost half of the respondents have an IT-related educational background.

Smartphone OS-version   Frequency   Percent   Valid Percent   Cumulative Percent
Symbian OS                     1       1,1             1,1                  1,1
iOS                           47      52,2            52,2                 53,3
Android OS                    40      44,4            44,4                 97,8
Blackberry OS                  1       1,1             1,1                 98,9
Unknown                        1       1,1             1,1                100,0
Total                         90     100,0           100,0

Nearly all respondents use a smartphone based on the iOS or Android operating systems.

Bank             Frequency   Percent   Valid Percent   Cumulative Percent
ABN-AMRO bank           24      26,7            26,7                 26,7
Rabobank                19      21,1            21,1                 47,8
SNS bank                 2       2,2             2,2                 50,0
ING bank                43      47,8            47,8                 97,8
Other, namely:           2       2,2             2,2                100,0
Total                   90     100,0           100,0

Nearly half of the respondents are customers of ING bank, while ABN-AMRO and Rabobank account for approximately a quarter each. Refer to Appendix D for the demographics before applying the exclusion criteria.
8.2) RESPONDENTS’ BEHAVIOR WITH RESPECT TO SECURE SMARTPHONE HANDLING FOR MOBILE BANKING

A total of 27 behavior-related statements were included in the survey. During statistical analysis two statements were dropped (see footnote 4) to get to a reasonable level of item homogeneity (measured by Cronbach’s Alpha).

Case Processing Summary
Cases        N       %
Valid       90    55,6
Excluded    72    44,4
Total      162   100,0

The number of respondents taken into account in the Alpha calculation (90) equals the total number of participants (162) minus the respondents without smartphones and minus the smartphone owners who do not use mobile banking (72).

Reliability Statistics
Cronbach's Alpha   N of Items
,704                       25

Scale Statistics
Mean     Variance   Std. Deviation   N of Items
106,69    163,722           12,795           25

The behavior statements are based on the good practice of the Dutch Ministry of Security & Justice (department of Cyber Security). As this includes several smartphone-related security aspects, the overall consistency between these can vary, which has a deflating effect on the Alpha. An alternative is to cluster questions in sub-groups (e.g. physical security, network security, etc.) and calculate Alpha for these groups separately. While this is likely to increase the Alpha of the individual groups, this approach was not adopted, as this study looks at behavior in its entirety rather than at the differences between its components. By removing 2 out of 27 statements, Alpha was raised to an acceptable level (0,704) for the purpose of this study [81, 82].

The behavior statements were recoded to account for negatively formulated statements and to give the ‘don’t know’ answer the lowest value in the ordinal scale. This is a conscious decision, as this answer indicates that respondents are not even aware of their own behavior. After recoding, the minimum possible sum of all behavior statements is 25 (25*1) and the maximum possible sum is 150 (25*6). In practice, the distribution among the respondents is as follows:

N Valid                   90
N Missing                 72
Mean                  106,69
Median                104,50
Mode                     104
Std. Deviation        12,795
Variance             163,722
Range                     58
Minimum                   78
Minimum Possible          25
Maximum                  136
Maximum Possible         150
Percentiles 25         96,75
Percentiles 50        104,50
Percentiles 75        117,00

When displayed in a histogram, it is noticeable that the distribution shows two peaks with the mean in between, possibly indicating two groups.

4 The following questions were dropped (before removal of the two questions Alpha was 0,678):
- I configure my smartphone in such a way that I can perform an unlimited number of login attempts (R_Behav_8)
- I use Jailbreaking / Rooting to download free Apps (R_Behav_18)
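The recoding step and the Alpha computation described above, worked through as an added example; this is not the thesis' own SPSS analysis or its survey data. It assumes (the page does not state this) that each statement is answered on a 5-point frequency scale 1..5 or with ‘Do not know’, so that after recoding the scale runs 1..6 as the thesis' minimum (25) and maximum (150) imply; the statements and answers are constructed, except that the second statement is one of the two items the thesis dropped.

```python
"""Recoding of behavior statements and Cronbach's alpha (added example).

Constructed data, not the thesis' survey responses. Assumed answer format:
a 5-point scale 1..5 ('never' .. 'always') or 'Do not know'. Recoding as in
section 8.2: 'Do not know' becomes the lowest value (1), so the recoded scale
is 1..6 (25 items * 6 = 150), and negatively formulated statements are
reversed so that a higher score always means more secure behavior.
"""
from statistics import variance

DONT_KNOW = "Do not know"


def recode(answer, negatively_formulated):
    """Map one raw answer onto the 1..6 ordinal scale.

    'Do not know' -> 1 (respondent is not even aware of their own behavior);
    positive statement: 1..5 -> 2..6; negative statement: 1..5 -> 6..2.
    """
    if answer == DONT_KNOW:
        return 1
    if answer not in (1, 2, 3, 4, 5):
        raise ValueError(f"answer out of range: {answer!r}")
    return 7 - answer if negatively_formulated else answer + 1


def recode_survey(statements, raw_answers):
    """statements: list of (text, negatively_formulated); raw_answers: one
    list of answers per respondent, in statement order. Returns recoded rows."""
    return [
        [recode(ans, neg) for ans, (_, neg) in zip(row, statements)]
        for row in raw_answers
    ]


def behavior_totals(recoded_rows):
    """Sum of all behavior statements per respondent (25..150 in the thesis)."""
    return [sum(row) for row in recoded_rows]


def cronbach_alpha(recoded_rows):
    """alpha = k/(k-1) * (1 - sum(var_item) / var_total), with sample
    variances (n-1) as SPSS reports them. Needs >= 2 items and 2 respondents."""
    k = len(recoded_rows[0])
    if k < 2 or len(recoded_rows) < 2:
        raise ValueError("need at least 2 items and 2 respondents")
    item_columns = list(zip(*recoded_rows))
    item_var_sum = sum(variance(col) for col in item_columns)
    total_var = variance(behavior_totals(recoded_rows))
    return k / (k - 1) * (1 - item_var_sum / total_var)


def alpha_if_item_deleted(recoded_rows):
    """Alpha recomputed with each item left out in turn: the check behind
    dropping 2 of 27 statements (Alpha 0,678 -> 0,704 in the thesis)."""
    k = len(recoded_rows[0])
    return [
        cronbach_alpha([row[:i] + row[i + 1:] for row in recoded_rows])
        for i in range(k)
    ]


# Constructed statements; the second is one of the thesis' own dropped items.
STATEMENTS = [
    ("I lock my smartphone with a PIN or password", False),
    ("I use Jailbreaking / Rooting to download free Apps", True),
    ("I install updates for my smartphone as soon as they are offered", False),
]

# Constructed raw answers for four respondents (statement order as above).
RAW_ANSWERS = [
    [5, 2, 5],
    [DONT_KNOW, 4, 1],
    [3, 3, 4],
    [4, 1, 3],
]

if __name__ == "__main__":
    rows = recode_survey(STATEMENTS, RAW_ANSWERS)
    print("recoded:", rows)
    print("totals:", behavior_totals(rows))
    print("alpha: %.3f" % cronbach_alpha(rows))
    print("alpha if item deleted:", [round(a, 3) for a in alpha_if_item_deleted(rows)])
```

With the constructed answers the three items are strongly consistent (alpha about 0,89); leaving out the first item lowers alpha, which is the same "alpha if item deleted" reasoning by which the thesis identified R_Behav_8 and R_Behav_18 as the statements to drop.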
Further statistical analysis (using the Mann-Whitney U test) shows that this can be attributed to the main subgroups within the respondent group: respondents with and without an IT-related educational background.

Ranks
                                        What is your educational background?    N   Mean Rank   Sum of Ranks
Sum of answers on Behavior questions    IT-related                             39       53,67        2093,00
                                        Other                                  51       39,25        2002,00
                                        Total                                  90

Test Statistics (a)
                          Sum of answers on Behavior questions
Mann-Whitney U                                         676,000
Wilcoxon W                                            2002,000
Z                                                       -2,595
Asymp. Sig. (2-tailed)                                    ,009
a. Grouping Variable: What is your educational background?

It turns out that respondents with an IT-related educational background show more secure smartphone behavior (Mean Rank 53,67) than respondents with another educational background (Mean Rank 39,25). This difference is significant (U = 676,000; p < 0,01). Other factors such as age or OS-version were found to have no significant influence on the behavior (refer to Appendix D).

8.3) RESPONDENTS’ AWARENESS ABOUT MOBILE BANKING INFORMATION SECURITY
Although the awareness questions in the survey are multiple choice, they are set up in such a way that guessing is discouraged and accounted for in the scoring system:

1. The answer possibilities are randomized
2. Questions may require multiple answers
3. Respondents are informed that incorrect answer possibilities result in negative points (-1), while a fully correct answer is granted 2 points

The minimum possible score on the awareness questions is -30 and the maximum possible score is +20. In practice, the distribution among the respondents is as follows:

N Valid                   90
N Missing                  0
Mean                    6,76
Median                  7,00
Mode                      11
Std. Deviation         5,124
Variance              26,254
Range                     25
Minimum                   -8
Minimum Possible         -30
Maximum                   17
Maximum Possible          20

Statistical analysis (using the Mann-Whitney U test) shows that respondents with an IT-related educational background show a higher level of awareness with respect to the link between smartphone vulnerabilities, threats and controls (Mean Rank 53,62) than respondents with another educational background (Mean Rank 39,29). This difference is significant (U = 678,000; p = 0,01).

Ranks
                            What is your educational background?    N   Mean Rank   Sum of Ranks
Awareness Question Score    IT-related                             39       53,62        2091,00
                            Other                                  51       39,29        2004,00
                            Total                                  90

Test Statistics (a)
                          Knowledge questions Score
Mann-Whitney U                              678,000
Wilcoxon W                                 2004,000
Z                                            -2,584
Asymp. Sig. (2-tailed)                         ,010
a. Grouping Variable: What is your educational background?

Again, other factors such as age or OS-version were found to have no significant influence on the level of awareness (refer to Appendix D).

8.4) RELATION BETWEEN AWARENESS AND BEHAVIOR

Using Spearman’s rank correlation coefficient (rho), an assessment is performed of the extent to which awareness and behavior with respect to mobile banking security are related.

Correlations
                                                               Knowledge questions Score   Sum of answers on Behavior questions
Knowledge questions Score               Pearson Correlation                            1                                   ,118
                                        Sig. (1-tailed)                                                                    ,134
                                        N                                             90                                     90
Sum of answers on Behavior questions    Pearson Correlation                         ,118                                      1
                                        Sig. (1-tailed)                             ,134
                                        N                                             90                                     90

There appears to be a weak positive correlation between the awareness level (with respect to the link between the vulnerabilities, threats and weaknesses of mobile banking) and the level of secure smartphone behavior shown by the users of mobile banking (Rs = 0,12; p > 0,01). This correlation is not significant.
9) RESEARCH ANALYSIS

The weak positive correlation measured in the respondent group means that the behavior shown on smartphones cannot be fully attributed to the respondents’ awareness level. This is reflected in table 4, where more than half of all respondents do not show alignment between their behavior and awareness with respect to mobile banking security.

Table 4: Survey Respondents per Quadrant
Awareness Quadrant                                                           All Respondents (90)   IT-respondents (39)   Non IT-respondents (51)
W - Ignorant / Unaware (Awareness -, Behavior -)                                  27,78 %   25            7,69 %    3           43,14 %   22
Y - Random / Gut feeling / Scared (Awareness -, Behavior +)                       25,56 %   23           30,77 %   12           21,57 %   11
X - Aware, yet Indifferent / Higher risk propensity (Awareness +, Behavior -)     27,78 %   25           35,90 %   14           21,57 %   11
Z - Aware and Secure (Awareness +, Behavior +)                                    18,89 %   17           25,64 %   10           13,73 %    7

This was somewhat expected, as some people tend to take security measures out of precaution or gut feeling (awareness quadrant Y) while others have a higher risk propensity although they are aware of the risks (awareness quadrant X). Next to the results for the entire respondent group, the respondents with and without an IT-related educational background are also included in the table, as these groups differ significantly from each other (refer to chapter 8) on both the level of awareness and behavior. This difference is especially striking in quadrant W, which relates to individuals who showed insufficient scores on both awareness and behavior. Thus, the sub-group of IT-respondents has heavily skewed the overall survey outcome. This is one of the limitations of the convenience sample that was used in this study.

Results put in Netherlands perspective

Recently, large scale research among the European population revealed that the Netherlands has the highest percentage of Mobile Banking users (41%) given the internet penetration rate [84]. The level of awareness of these Dutch Mobile Banking users is most likely in line with the survey results as shown by the non-IT educated respondents. This inference is based on the following considerations:

- In contrast with the survey respondent group (43,3%; refer to §8.1), IT educated individuals make up 2% of the population of the Netherlands at most [83].
- Although the level of awareness differs significantly between IT educated individuals and non-IT educated individuals, this significance does not seem to apply to the level of adoption of the Mobile Banking service.
In the survey, the ratio between the two groups did not change drastically (5%) due to the exclusion criteria (smartphone use and mobile banking use).

This inference gives reasonable assurance that more than half (43,14% + 21,57% = 64,71%) of the Dutch population of Mobile Banking users is not sufficiently aware of the related information security risks (the link between vulnerabilities, threats and controls). Out of this group, roughly two-thirds (43,14%) do not configure their mobile device (smartphone) in a sufficiently secure manner for mobile banking services.

Explanation found in Literature

Although no studies with a similar scope and setting have been found, parts of the outcome of this study can be explained by literature. Similar to the respondents in this study, previous studies [67, 84] also found that mobile banking users are relatively young, with the majority under the age of 35. This can be attributed to the fact that this part of the population (generation Y) takes a less conservative standpoint with respect to new technology than previous generations [36, 85]. They are often instinctive users of technology, but at the same time they lack awareness of security considerations [111]. The relatively low level of information security awareness is recognized as a common vulnerability, mainly caused by the fact that the average consumer is less focused on security than on other aspects like functionality and design [2, 86]. In this study, this is reflected in the behavior of the respondents. For example, three-quarters of the respondents never or only seldom read the general terms and conditions for mobile banking. This can partly be attributed to the current-day technoculture, through which technology is saturated into cultural practices. This development makes people less patient when it comes to technology [86, 87].

Furthermore, information security awareness involves education and training to increase people’s insight and to answer the questions of ‘why’ and ‘how’. Especially explaining why certain information security decisions are taken is extremely important, since users are not easily convinced by answers such as “this is the rule” or “this is our policy”. Therefore, simply “passing around security guidelines in a factual manner per se, for instance (i.e. presentation as normal facts, at the phrastic level), as is likely to be the case in most organizations, may be an inapt approach” to effectively increase information security awareness [66].
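To make the quiz scoring rule of §8.3 and the quadrant assignment of table 4 concrete, the following added example implements both; it is not the thesis' online survey tool or its respondent data. It uses the thresholds set in chapter 7 (awareness above 7, behavior above 107) and the quadrant letters of table 4, and assumes one thing the page does not state: a selection that contains only correct options but is incomplete scores 0. The quiz, the answer sheet and the respondents are constructed.

```python
"""Awareness quiz scoring and awareness/behavior quadrants (added example).

Constructed data; not the thesis' survey tool or its respondents. Scoring as
described in section 8.3: a fully correct selection earns +2, each incorrect
option selected costs -1. Thresholds as set in chapter 7: awareness above 7
and behavior above 107 count as sufficient. Quadrant letters follow table 4.
Assumption not stated on the page: an incomplete selection without any
incorrect option scores 0.
"""
from collections import Counter

AWARENESS_SUFFICIENT = 7   # scores above this count as sufficient awareness
BEHAVIOR_SUFFICIENT = 107  # scores above this count as secure behavior

QUADRANTS = {
    (False, False): "W",  # Ignorant / Unaware
    (False, True): "Y",   # Random / Gut feeling / Scared
    (True, False): "X",   # Aware, yet Indifferent / Higher risk propensity
    (True, True): "Z",    # Aware and Secure
}


def score_question(options, correct, selected):
    """Score one multiple-answer question: +2 if exactly the correct options
    were ticked, otherwise -1 per incorrect option ticked."""
    options, correct, selected = set(options), set(correct), set(selected)
    if not correct <= options or not selected <= options:
        raise ValueError("correct/selected answers must be among the options")
    if selected == correct:
        return 2
    return -len(selected - correct)


def score_quiz(quiz, answers):
    """quiz: list of (options, correct_options); answers: one selected set per
    question, in quiz order. Returns the respondent's awareness score."""
    if len(quiz) != len(answers):
        raise ValueError("one answer set per question expected")
    return sum(score_question(opts, corr, sel) for (opts, corr), sel in zip(quiz, answers))


def score_bounds(quiz):
    """(minimum, maximum) possible totals: every wrong option ticked on every
    question versus every question fully correct."""
    worst = -sum(len(set(opts) - set(corr)) for opts, corr in quiz)
    return worst, 2 * len(quiz)


def quadrant(awareness, behavior):
    """Quadrant letter for one respondent; both limits are strict ('above')."""
    return QUADRANTS[(awareness > AWARENESS_SUFFICIENT, behavior > BEHAVIOR_SUFFICIENT)]


def tabulate(respondents):
    """Counts per quadrant for all respondents and for the IT / non-IT
    subgroups, like table 4. respondents: dicts with 'awareness', 'behavior'
    and 'it_background' keys."""
    groups = {"all": Counter(), "it": Counter(), "non_it": Counter()}
    for r in respondents:
        q = quadrant(r["awareness"], r["behavior"])
        groups["all"][q] += 1
        groups["it" if r["it_background"] else "non_it"][q] += 1
    return groups


def shares(counter):
    """Percentage per quadrant (two decimals) in the order W, Y, X, Z of table 4."""
    total = sum(counter.values())
    if total == 0:
        return {q: 0.0 for q in "WYXZ"}
    return {q: round(100 * counter[q] / total, 2) for q in "WYXZ"}


# Constructed quiz: 10 questions with options A..E of which A and B are correct,
# which reproduces the thesis' bounds of -30 and +20.
QUIZ = [(("A", "B", "C", "D", "E"), ("A", "B")) for _ in range(10)]

# Constructed answer sheet: 6 fully correct (+12), 2 with one wrong option (-2),
# 2 incomplete without wrong options (0) -> total 10.
ANSWERS = [{"A", "B"}] * 6 + [{"A", "C"}] * 2 + [{"A"}] * 2

# Constructed respondents with precomputed awareness and behavior totals.
RESPONDENTS = [
    {"awareness": 12, "behavior": 118, "it_background": True},
    {"awareness": 9, "behavior": 95, "it_background": True},
    {"awareness": 2, "behavior": 110, "it_background": False},
    {"awareness": -3, "behavior": 88, "it_background": False},
    {"awareness": 7, "behavior": 107, "it_background": False},  # exactly at both limits: W
    {"awareness": 15, "behavior": 130, "it_background": False},
]

if __name__ == "__main__":
    print("bounds:", score_bounds(QUIZ), "score:", score_quiz(QUIZ, ANSWERS))
    for name, counter in tabulate(RESPONDENTS).items():
        print(name, dict(counter), shares(counter))
```

The respondent who scores exactly 7 on awareness and exactly 107 on behavior lands in quadrant W, because the thesis defines sufficiency as scores above the limits, not at them; any re-analysis of the survey data has to apply the same strict comparison to reproduce table 4.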
RECAP SECTION C

Section C attempts to provide an answer to sub-question 2: What is the current state of Information Security Awareness for Mobile Banking among banking customers in practice? Through the empirical research in the previous chapters, the extent to which the users of Mobile Banking understand and act upon the related information security risks was measured. Although no significant correlation was found between awareness about and behavior related to information security for mobile banking, the results indicate that more than half of the Dutch mobile banking users do not show sufficient awareness to properly manage the information security risks. The relatively low level of information security awareness is recognized as a common vulnerability, mainly caused by the fact that the average consumer is less focused on security than on other aspects like functionality and design. Moreover, the factual manner in which security guidelines are presented does not help to shift this balance, as the intrinsic focus on security is not triggered. This concludes section C. Section D presents the conclusion on whether it is justified to shift the responsibilities of mobile banking information security risk management more towards the client-side, given the outcome of the empirical research. In addition, recommendations are provided to help ensure that mobile banking customers take the required information security measures.
SECTION D: CONCLUSION & RECOMMENDATIONS

- CONCLUSION
- RECOMMENDATIONS
- LIMITATIONS OF RESEARCH AND SUGGESTIONS FOR FUTURE RESEARCH
10) CONCLUSION

Given the current level of information security awareness for mobile banking, it is currently not fully justified to shift increasingly more of the related responsibilities towards the client-side. The pace with which new technological developments follow each other and the relatively fast adoption of these services do not necessarily go hand in hand with an equally developed understanding of the required information security considerations. This study investigated this phenomenon for the relatively new service called Mobile Banking. Mobile Banking combines banking services with increased availability through online access on a smartphone or tablet. While this development has obvious advantages, part of the information security risk is now shifted towards the mobile device and the information on this device. As clients carry their mobile device (and sensitive information) around with them, banks tend to shift part of the responsibilities for information security risk management towards the client-side. The literature study showed that proper management of the information security risks for mobile banking requires a good understanding (awareness) of the link between the related vulnerabilities, threats and control measures. Given the current rat race for information security between cyber criminals and banks (and security specialists), it is questionable whether the average banking customer can keep up with these security developments at the same pace and to the same extent. Due to this information security asymmetry, security awareness among banking customers is usually based on an inherently incomplete amount of information and therefore involves the subjective element of security risk perception. Empirical research on a population sample showed that more than half of the Mobile Banking users in the Netherlands currently do not have a sufficient level of awareness to manage the related risks.

While a third of these individuals partly make up for this lack of awareness by taking precautionary security measures, the majority do not and are therefore exposed to a higher risk. Therefore, while a shift of information security management responsibilities towards the client-side makes sense from a risk management point of view, it may not be fully justified from an information security awareness point of view. Moreover, as mobile banking in the Netherlands is at a critical point in terms of adoption and acceptance, it is also in the banks’ interest to slow the pace with which this responsibility shift is applied. Part of the solution can be found in banks specifying security measures in more detail and explicitly educating customers on how these measures add to their own security. However, because of the volatile nature of information security, mobile banking users should be (made) aware that ‘information security’ does not have an end-state which can be reached by taking certain measures in the present. Instead, continuous efforts are required to keep information security at a satisfactory level.
11) RECOMMENDATIONS

With the current level of information security awareness and behavior for mobile banking in mind, this chapter presents a few possible recommendations for dealing with the related impact on mobile banking information security.

PROVIDE INSIGHT INTO THE REASON BEHIND SECURITY REQUIREMENTS

An important reason for insufficiently secure smartphone behavior is that people do not fully understand the link between vulnerabilities, threats and controls. In other words, the underlying reason for certain security requirements is often unclear. Although knowledge about technical threats is not strictly necessary for the use of mobile banking services, it does help to see the added value of the required and obligatory security measures, hence stimulating secure behavior [111]. Siponen [65] too recognized that without a moral consensus, laws, regulations or, in this case, general terms and conditions tend to be ignored, regardless of whether these are considered important. This is a lesson that the information age needs to learn. He recognized that arguments appealing purely to legislation (e.g. "because this is the law or rule") are not sufficient per se to qualify people's actions. Therefore, from an information security point of view, banks should include the provision of persuasive arguments for end-user security considerations in the general terms and conditions.

MEASURES TO MAKE MOBILE BANKING BULLET-PROOF

Banks can use or suggest additional security measures to help make the mobile banking service and/or the mobile device ‘bulletproof’ against (cyber)threats. A few examples of possible measures are [88]:

- Using device identification or voice identification in the transaction process for mobile banking. This allows for strong authentication during logon or transaction processing.
- Use of an additional encryption layer within SSL against Man-in-the-Browser attacks (e.g. Password-Authenticated Key Management)
- Use of methods against reverse engineering of mobile banking apps (e.g. code obfuscation, anti-debugger controls and checksum calculations)

At the same time, it should be recognized that ‘bulletproof’ does not exist (or is temporary at most), given the continuous rat race between information security threats and controls.

PERIODIC SECURITY CHECK

Banks could oblige their customers to a periodic device check (e.g. annually) on several key security aspects of their mobile devices, before they can make use of (or continue using) mobile banking services. This can be compared with the periodic safety check on your automobile (MOT test, or APK in Dutch). The ability to do this remotely will be key to the success of such a control. An option related to the outcome of this periodic check is to distinguish different customer groups depending on their security risk profile. For each customer group a different approach (e.g. informing, training and/or periodic device checking) towards mobile banking information security can be taken [89]. Another option that could make this control more effective is a bonus system (comparable to a no-claim discount with insurance companies). This measure creates an incentive for secure behavior, but may not necessarily increase information security awareness. Spruit [60] too indicates that rewarding the desired behavior is generally more effective than penalizing undesired behavior. Whether this is financially sound from a bank's perspective (the costs of the measure vs. the benefit of reduced financial damage related to mobile banking) should be calculated.
12) RESEARCH PROCESS: QUESTIONS AND ANSWERS
This chapter provides an overview of the research process through which this thesis is realized. The table below lists, per research section, the chapter coherence and the research question with its answer.

Research Section | Chapter Coherence | Research Q&A

Section A: Introduction
Main Research Question: Is the current shift of responsibilities to the client side justified, given their Information Security Awareness?
Mobile Banking combines banking services with increased availability through online access on a smartphone or tablet. While this development has obvious advantages, part of the information security risk is now shifted towards the mobile device and the information on this device. As clients carry their mobile device (and sensitive information) around with them, banks tend to shift part of the responsibilities for information security risk management towards the client side. As this requires sufficient awareness with respect to the information security considerations, one can question whether this development is justified.

Section B: Risk & Control Identification: influential factors from literature
Sub Question 1: Which aspects are relevant to information security awareness, given the specific characteristics of Mobile Banking and Information Security?
Method: Literature Study
Offering banking services on the mobile platform introduces new and changed security considerations. Properly managing the related information security risks requires close monitoring of the vulnerabilities and threats and making sure that appropriate mitigating controls are in place. A key aspect here is the ability to recognize the indicators of possible suspicious or fraudulent activity. Without information security awareness, the required information security techniques, procedures and control measures can be misused or misinterpreted. Given the current rat race for information security between criminals and banks, average banking customers are not likely to keep up with the security developments at the same pace and to the same extent.

Section C: Awareness Measurement in Practice
Sub Question 2: What is the current state of Information Security Awareness for Mobile Banking among banking customers in practice?
Method: Empirical Research (Survey)
The results of a survey questionnaire indicate that more than half of the Dutch mobile banking users do not show sufficient awareness to properly manage the information security risks. The relatively low level of information security awareness is recognized as a common vulnerability, mainly caused by the fact that the average consumer is less focused on security than on other aspects like functionality and design. Moreover, the factual manner in which security guidelines are presented does not help to shift this balance, as the intrinsic focus on security is not triggered.

Section D: Research Conclusion and Recommendations
Conclusion on Main Research Question:
While a shift of information security management responsibilities towards the client side makes sense from a risk management point of view, it may not be fully justified from an information security awareness point of view. Mobile banking users are not (yet) sufficiently aware of the link between the related security aspects to effectively manage the risks. Part of the solution can be found in having banks specify security measures in more detail and explicitly educate customers on how certain measures add to their own security. However, because of the volatile nature of information security, mobile banking users should be (made) aware that ‘information security management’ is a continuous process.
13) SUGGESTIONS FOR FUTURE RESEARCH
Partly due to the nature of this study (graduation thesis), several research limitations are recognized which can be taken into account in future research.

Research Actuality
As indicated before, information security in general (as well as mobile banking specific security) is a rat race between cybercriminals, banks and customers trying to adapt. Moreover, as Mobile Banking services are currently subject to continuous improvements, this limits the actuality of the findings in this thesis. Future research on a recurring basis would help to maintain insight into this topic.

Survey Limitations
The following limitations in the research survey used are recognized:
- Limited respondent size. Given the estimated population of Dutch mobile banking users, a sample size larger than 90 may be required to better approach the information security awareness of the population.
- The ratio of IT professionals vs. non‐IT individuals in the respondent group does not correctly reflect the Dutch population of mobile banking users. This is caused by the convenience sample that was used in this study. A more representative sample should be used to provide more accurate results.
- Although the awareness questions in this study’s survey are tailored to mobile banking, the number of questions is limited. A more extensive set of questions would help increase the predictive value of the survey outcome.
- Margins for sufficient/insufficient awareness and behavior are not yet scientifically tested, but based on professional judgment and literature review. This includes a correction for answer guessing.
- Information security management often results in a patchwork of security measures to get to the required level of security. Therefore, it is not the number of controls that determines secure behavior, but the combination of certain controls. This aspect has not been included in this study and is therefore a suggestion for future research. This could be accomplished by assigning a weight/priority to security measures.

Information Security Considerations for Mobile Payments
Next to banking, mobile payments are another big development on the mobile platform. As these services involve more parties and a wide variety of digital environments, it is worthwhile to investigate the common information security considerations for end‐users. Moreover, the anticipated implementation of the SEPA services SCT (SEPA Credit Transfer) and SCP (SEPA Card Payments) adds to the importance of such an investigation [21]. SEPA (Single European Payments Area) should “…allow users to make payments in euro throughout Europe from a single bank account, using a single set of payment instruments, as easily and securely as in the national context today” [3, p188].

Mobile Payments using NFC
Another interesting mobile development is the use of Near Field Communication (NFC) for mobile payments. Near Field Communication is an existing technology used for contactless information transfer within a short range (several centimeters) [21]. This technology is currently used in the cards of the Dutch public transport system (OV Chipkaart). More recently, three Dutch system banks have begun a trial with NFC‐based mobile payments in the Netherlands [92]. Although this development has some advantages for banks (reduction in the issuance of expensive debit cards) and clients (time saved through faster payments), new and/or different information security risks may be introduced.
APPENDICES
- A – BIBLIOGRAPHY
- B – MOBILE BANKING SECURITY CONTROLS & CUSTOMER RESPONSIBILITIES
- C – SURVEY CODE BOOK
- D – OUTPUT STATISTICAL ANALYSIS SPSS
- E – MOBILE BANKING VS. MOBILE PAYMENTS

APPENDIX A: BIBLIOGRAPHY
[1] Laerte Peotta, M. D. (2011, February). A formal classification of internet banking attacks and vulnerabilities. International Journal of Computer Science & Information Technology (IJCSIT), pp. 186–197.
[2] M.Moga, L. (2010, September). The adoption of e‐banking: An application of theories and models for technologies acceptance. Development, Energy, Environment, Economics.
[3] Kokkola, T. (2010, September). The payment system: payments, securities and derivatives and the role of the eurosystem. European Central Bank.
[4] Chien, N. F. (2009). Zeus: King of the bots.
[5] European Payments Council. (2009, March). Customer‐to‐bank: security good practices guide.
[6] Niels Provos, D. M. (2007). The ghost in the browser: analysis of web‐based malware. Google Inc.
[7] Balraadjsing, N., Drost, L., & Sehgal, J. (2011, April). Are Banks in Control of Online Banking. Amsterdam.
[8] GSM Association. (2012). Security Advice for Mobile Phone Users. Retrieved 2012, from http://www.gsma.com/technicalprojects/fraud‐security/security‐advice‐for‐mobile‐phone‐users/
[9] Hollestelle, G. (2012, January 30). Auditing Mobile Devices (25D). Amsterdam.
[10] Jansen, W., & Scarfone, K. (2008, October). Guidelines on Cell Phone and PDA Security (800‐124). Gaithersburg: National Institute of Standards & Technology (US Dept. of Commerce).
[11] Global mobile transaction value to grow 42% annually: Gartner. (2012, May 29). Retrieved August 1, 2012, from The Economic Times: http://articles.economictimes.indiatimes.com/2012‐05‐29/news/31888025_1_mobile‐devices‐mobile‐internet‐transaction
[12] Hogben, G., & Dekker, M. (2010, December). Smartphones: Information Security Risks, Opportunities and Recommendations for Users. European Network and Information Security Agency.
[13] Berg Insight. (2010, May 4). 894 million m‐bankers by 2015. Mobile Payments World, p. 19.
[14] Verhoef, C. (2012, April 12). Internet Babbeltrucs. Automatisering Gids, p. 38.
[15] Prast, H. (2007). Complexe producten: wat kunnen ze betekenen en wie moeten ze begrijpen? Amsterdam: Universiteit van Tilburg.
[16] Ashraf, I. (2012). Mobile Banking Security. Amsterdam: Vrije Universiteit.
[17] Forrester. (2012, August 14). Report: 46% Of U.S. Bank Account Holders Will Use Mobile Banking By 2017. Retrieved August 17, 2012, from TechCrunch: http://techcrunch.com/2012/08/14/report‐46‐of‐u‐s‐bank‐account‐holders‐will‐use‐mobile‐banking‐by‐2017/
[18] Barati, S., & Mohammadi, S. (2009). An Efficient Model to Improve Customer Acceptance of Mobile Banking. Proceedings of the World Congress on Engineering and Computer Science 2009, Vol. II (p. 5). San Francisco.
[19] Sahut, J.‐M. (2008). Internet Payments and Banks. International Journal of Business, Vol. 13, No. 4, 21.
[20] Pernet‐Lubrano, S. (2010). Mobile Payments: Moving towards a Wallet in the Cloud. Communications & Strategies, 79, 3rd Q. 2010, p. 63.
[21] European Payments Council. (2010). White Paper Mobile Payments. Brussels.
[22] European Commission. (2012). Towards an integrated European market for card, internet and mobile payments. Brussels.
[23] Agarwal, et al. (2008). Security Issues in Mobile Payment Systems.
[24] Niu, Y., Hsu, F., & Chen, H. (2008). iPhish: Phishing Vulnerabilities on Consumer Electronics. Usability, Psychology and Security 2008 (UPSEC '08) (p. 8). San Francisco: University of California, Davis.
[25] Bremmer, D. (2012, December 28). Bankieren met mobiel neemt enorme toevlucht. Amsterdam: Algemeen Dagblad.
[26] (2012, September). Device Ownership | Pew Research Center's Internet & American Life Project. Retrieved January 11, 2013, from Pew Internet: http://www.pewinternet.org/Trend‐Data‐(Adults)/Device‐Ownership.aspx
[27] (2011, August 5). Internet access passes PC ownership for the first time. Retrieved December 17, 2012, from broadbandchoices.co.uk: http://www.broadbandchoices.co.uk/news/2011/08/internet‐access‐passes‐pc‐ownership‐for‐the‐first‐time‐050811
[28] Burelli, F., Clarke, R., Clifford, E., & Weston, M. (2012, December). Mobile Financial Service Report. London: Value Partners Management Consulting Ltd.
[29] ISACA. (2010). Securing Mobile Devices. Rolling Meadows, Illinois, USA: ISACA.
[30] Lien, M., Sjöberg, S., & Vlaar, R. (2011). The current state and future of mobile banking in Europe. McKinsey & EFMA.
[31] (2013, January 9). Mobile App. Retrieved January 13, 2013, from Wikipedia: The Free Encyclopedia: http://en.wikipedia.org/wiki/Mobile_app
[32] (2013, January 11). Mobile Browser. Retrieved January 13, 2013, from Wikipedia: The Free Encyclopedia: http://en.wikipedia.org/wiki/Mobile_browser
[33] (2005, October 15). International Standard ISO/IEC 27001:2005. Information technology — Security Techniques — Information Security Management Systems — Requirements. Geneva, Switzerland: International Organization for Standardization.
[34] Coffey, T., & Saidha, P. (1996, January). Non‐repudiation with mandatory proof of receipt. ACM SIGCOMM Computer Communication Review, 6–17.
[35] Ernst & Young. (2011). Countering Cyber Attacks.
[36] Wouda, A. (2011). Beheersing van cybercrime bij Nederlandse "klein" banken. Amsterdam.
[37] Chong, M. K. (2009). Usable Authentication for Mobile Banking. Cape Town.
[38] Cheung, K. (2008). Veiligheid Internetbankieren. Amsterdam.
[39] Meeuwisse, C., Kers, L., Samwel, P., & Den Boer, J. (2012). Financial Institutes Information Threat Monitor (FI‐ITM) 2012. Financial Institutes Information Sharing and Analysis Centre (FI‐ISAC).
[40] Federal Financial Institutions Examination Council. (2003). E‐Banking IT‐Examination Handbook.
[41] Ernst & Young. (2012). Mobile Device Security: Understanding vulnerabilities and managing risks.
[42] Dijsselbloem, J. (2012, November 26). Beantwoording Kamervragen inzake vergoeding schade bij fraude. Den Haag, Zuid‐Holland, Nederland: Ministerie van Financiën.
[43] iCrossing. (n.d.). Mobile Operating System Market Share 2011‐2012. Creative Commons Attribution 3.0.
[44] (n.d.). Hoe veilig zijn je smartphone apps?
[45] Wijkstra, J. (2012, May 23). Afwijzing antivirus‐app voor iPad en iPhone frustreert Kaspersky. Retrieved May 23, 2012, from Automatiseringgids: http://www.automatiseringgids.nl/nieuws/2012/21/afwijzing‐antivirus‐app‐voor‐ipad‐iphone‐frustreert‐kaspersky
[48] Agarwal, S., Khapra, M., Menezes, B., & Uchat, N. (2007). Security Issues in Mobile Payment Systems. Bombay: Computer Society of India.
[49] Nap, C. (2012, October 8). ING helpt klanten beter beveiligen. Retrieved October 8, 2012, from Automatiseringgids: http://www.automatiseringgids.nl/nieuws/2012/41/ing‐helpt‐klanten‐beter‐beveiligen
[50] de Horde, C. (2012, October 24). ING vraagt internetklant speciale software tegen fraude te installeren ondanks kritiek. Amsterdam, Noord‐Holland, Netherlands: Financieel Dagblad.
[51] Trusteer. (2012). About Rapport. Retrieved November 2012, from Trusteer: building trust online: http://www.trusteer.com/support/nl/about‐rapport
[52] (2012). RSA FraudAction: Anti Rogue App Service.
[53] ING. (2012). Extra veiligheid met de PAC code. Retrieved 2012, from ING: http://www.ing.nl/de‐ing/veilig‐bankieren/veilig‐internetbankieren/extra‐veiligheid‐met‐de‐PAC‐code/
[54] (2012, September 9). ABN‐AMRO belt klanten met besmette computer. Retrieved September 9, 2012, from Security.nl: https://www.security.nl/artikel/43049/1/ABN_AMRO_belt_klanten_met_besmette_computer.html
[55] Sehgal, J., & Craig, A. (2012). The previously unseen risks associated with internet transactions and certificate authorities. De IT‐Auditor, pp. 36‐43.
[56] (2012, October 30). Nederlandse banken kwetsbaar voor BEAST‐aanval. Retrieved October 31, 2012, from Security.nl: https://www.security.nl/artikel/43715/Nederlandse_banken_kwetsbaar_voor_BEAST‐aanval
[57] Lyne, J. (2011). What senior managers need to know about mobile device security. Boston: Sophos Ltd.
[58] Porter Felt, A., & Wagner, D. (2012). Phishing on Mobile Devices. Berkeley (USA): University of California, Berkeley.
[59] ISACA. (2010). Managing Mobile Devices and Relevant Framework Processes. Retrieved 2012, from ISACA: www.isaca.org/riskit
[60] Spruit, M. (2010, 4th edition). Bewust Veilig? De IT‐Auditor, pp. 15‐21.
[61] Spruit, M. (2012, 1st edition). Informatiebeveiliging en bewustzijn. De IT‐Auditor, pp. 24‐27.
[62] Ying, L., Dinglong, H., Haiyi, Z., & Rau, P. (2011). Users’ Perception of Mobile Information Security. Pittsburgh, USA: Carnegie Mellon School of Computer Science.
[63] Chou, Y., Lee, C., & Chung, J. (2004). Understanding m‐commerce payment systems through the analytic hierarchy process. Journal of Business Research, 57, pp. 1423‐1430.
[64] Adams, A., & Sasse, M. A. (1999, December). Users are not the enemy. Communications of the ACM, Vol. 42, No. 12, pp. 40‐46.
[65] Siponen, M. (2001). Five Dimensions of Information Security Awareness. Computers and Society, 24‐29.
[66] Siponen, M. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 31‐41.
[67] Luo, X., Li, H., Zhang, J., & Shim, J. (2010). Examining multi‐dimensional trust and multi‐faceted risk in initial acceptance of emerging technologies: An empirical study of mobile banking services. Decision Support Systems, 49, 222‐234.
[69] Rousseau, D., Sitkin, S., Burt, R., & Camerer, C. (1998). Not so different after all: A cross‐discipline view of trust. Academy of Management Review, 23, 393‐404.
[70] Nationaal Cyber Security Centrum. (2012). Beveiligingsrichtlijnen voor mobiele apparaten, Deel 2. Den Haag: Ministerie van Veiligheid & Justitie.
[71] Security.NL. (2012, November 15). Britse banken straffen klanten met zwakke pincode.
[72] Security.NL. (2013, April 5). Banken minder gul bij oude virusscanner.
[73] Automatiseringgids. (2013, January 22). Bewijslast voor fraude online bankieren is voor bank.
[74] Security.NL. (2012, November 12). Rabobank vaag bij schade internetbankieren.
[75] GovCert.NL. (2009). Raamwerk Beveiliging Webapplicatie. Den Haag.
[76] Balraadjsing, S. (2013, January 20). Shoulder Surfing & Skimming. (N. Balraadjsing, Interviewer)
[77] (2013, April 12). Man‐in‐the‐Middle Attack. Retrieved May 27, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Man‐in‐the‐middle_attack
[78] Teuben, R. (2012, March 28). Ontwikkelen mobiele applicaties vereist verbreding en herpositionering testactiviteiten. Automatisering Gids, p. 2.
[79] (2011, March 22). Internetbankieren ING niet waterdicht. Retrieved October 20, 2012, from Automatiseringgids.nl: http://www.automatiseringgids.nl/nieuws/2011/12/internetbankieren‐ing‐niet‐waterdicht
[80] (2010, September 28). Trojaans paard steelt mobiele TAN‐codes. Retrieved September 2, 2012, from Security.nl: https://www.security.nl/artikel/34585/1/Trojaans_paard_steelt_mobiele_TAN‐codes.html
[81] George, D., & Mallery, P. (2003). SPSS for Windows step by step: A simple guide and reference. Boston: Allyn & Bacon.
[82] Kline, P. (1999). The handbook of psychological testing. London: Routledge.
[83] Bakker, H. (2012, April 5). Tekorten op de ICT arbeidsmarkt verklaard. Netherlands: ICT~Office.
[84] Bright, I. (2013, July). Controle over je geld in het digitale tijdperk. Amsterdam: ING / Ipsos.
[85] Schop, E. (2012, September 25). Smartphone belangrijker dan portemonnee. Retrieved September 25, 2012, from Automatisering Gids: http://www.automatiseringgids.nl/nieuws/2012/39/smartphone‐belangrijker‐dan‐portemonnee
[86] Segenhout, J. (2012, September). Blijven zoeken naar de App van Columbus. Amsterdam: FD Outlook.
[86] Blum, S. (2012, March 23). How Technology Is Making Us Impatient. Retrieved July 27, 2013, from AndroidPIT: http://www.androidpit.com/network‐speed
[87] McCarthy, C. S. (2012, April 10). Does technology make us lose patience? Retrieved July 27, 2013, from Chicago Tribune: http://articles.chicagotribune.com/2012‐04‐10/features/sc‐fam‐0403‐patience‐technology‐20120410_1_impatience‐technology‐young‐people
[88] Covers, O., & Doeland, M. (2013, February 11). Mobile Banking Threats and Technology. (N. Balraadjsing, Interviewer)
[89] Wilson, P. (2011, October 11). Who's who in the world of risk? eFraud Network Forum (p. 12). London: RSA.
[90] Houtenbos, T., Kloosterman, J., Vlaszaty, B., & De Koning, J. (2012, December 23). Security in Mobile Banking. Amsterdam: University of Amsterdam, System & Network Engineering.
[91] Automatisering Gids. (2013, March 15). Opstelten: 'banken nemen cybercrime niet serieus'. Retrieved March 16, 2013, from Automatisering Gids: http://www.automatiseringgids.nl/nieuws/2013/11/opstelten‐banken‐nemen‐cybercrime‐niet‐serieus
[92] Smit, R. (2013, July 30). Drie grote banken starten proef met mobiel betalen. Retrieved July 31, 2013, from FD: http://fd.nl/ondernemen/693737‐1307/drie‐grote‐banken‐starten‐proef‐met‐mobiel‐betalen
[93] ING. (2013, May). Voorwaarden Mobiel Bankieren. Amsterdam, Netherlands: ING.
[94] Rabobank. (2013). Algemene voorwaarden voor betaalrekeningen en betaaldiensten van de Rabobank 2013. Utrecht, Netherlands: Rabobank.
[95] ABN‐AMRO. (2012, September). Voorwaarden Identificatiecode. Amsterdam, Netherlands: ABN‐AMRO.
[96] SNS Bank. (2013, January 15). Voorwaarden SNS Mobiel Bankieren. Nederland: SNS Bank.
[97] Lookout Mobile Security. (2011, August). Lookout Mobile Threat Report.
[98] Spanjaard, T. (2012, September 12). One billion smartphones by 2016. Smart Insights, p. 8.
[99] Ernst & Young Advisory. (2012). Overview of mobile phone‐based financial services.
[100] PCI Security Standards Council, Emerging Technologies. (2012, September). PCI Mobile Payment Acceptance Security Guidelines.
[101] SANS Institute. (2012). Twenty Critical Security Controls for Effective Cyber Defense.
[102] Gühring, P. (2006). Concepts against Man‐in‐the‐Browser attack.
[103] Security.NL. (2012, August 21). ABN AMRO en Rabobank favoriete doelwit malware. Retrieved August 22, 2012, from Security.NL: https://www.security.nl/posting/37724/ABN+AMRO+en+Rabobank+favoriete+doelwit+malware
[104] Wijkstra, J. (2013, July 25). Android 4.3: Sneller, Gelikter en vooral Veiliger. Retrieved July 25, 2013, from Automatiseringgids.nl: http://www.automatiseringgids.nl/nieuws/2013/30/android‐4.3‐sneller‐gelikter‐en‐vooral‐veiliger
[105] Keijzer, R. (2013, July 25). Chinese hackers nemen Android te grazen. Retrieved July 25, 2013, from Automatiseringgids.nl: http://www.automatiseringgids.nl/nieuws/2013/30/chinese‐hackers‐nemen‐android‐te‐grazen
[106] Blom, A., de Koning Gans, G., Poll, E., de Ruiter, J., & Verdult, R. (2012). Designed to Fail: A USB‐Connected Reader for Online Banking. Lecture Notes in Computer Science, Vol. 7617, 1‐16.
[107] Zaal, R. (2013, August 1). 'Linke‐lader' zet malware op iPhone. Retrieved August 1, 2013, from Automatiseringgids.nl: http://www.automatiseringgids.nl/nieuws/2013/31/linke‐lader‐zet‐malware‐op‐iphone
[108] Wijkstra, J. (2013, August 12). Saffieren Home‐knop van iPhone 5s neemt vingerafdruk. Retrieved August 12, 2013, from Automatiseringgids.nl: http://www.automatiseringgids.nl/nieuws/2013/33/home‐knop‐van‐iphone‐5s‐neemt‐vingerafdruk
[109] Redactie AD.nl. (2012, November 21). Steeds meer fake webshops. Retrieved November 21, 2012, from AD.nl: http://www.ad.nl/ad/nl/5601/TV‐Radio/article/detail/3351515/2012/11/21/Steeds‐meer‐fake‐webshops.dhtml
[110] Kurtz, A., Freiling, F., & Metz, D. (2013, June). Usability vs. Security: The Everlasting Trade‐off in the Context of Apple iOS Mobile Hotspots. Nürnberg: University of Erlangen, Dept. of Computer Science.
[111] Furnell, S. (2010, June). Jumping Security Hurdles. Computer Fraud & Security, pp. 10‐14.
APPENDIX B: MOBILE BANKING SECURITY CONTROLS & CUSTOMER RESPONSIBILITIES

GENERAL MOBILE DEVICE CONTROLS (based on good practice [10, 70, 75, 100, 101])

General Controls
- Take measures to increase the ability and awareness regarding information security (e.g. training, information)
- Gain insight into which privacy‐sensitive or confidential data is being processed by the app
- Take measures to sufficiently protect privacy‐sensitive and confidential data
- Take measures to limit the number of vulnerabilities to a minimum
- Use existing security features as much as possible
- Never jailbreak or root the device

Access Controls
- Encrypt stored data where possible
- Use different access codes for the mobile device, the different services and apps
- Regularly change the access codes for the mobile device, the different services and apps
- Configure an access code to (un)lock the mobile device
- Make sure passwords are a combination of alphabetical, numerical and non‐alphanumerical characters
- Limit the number of invalid logon attempts
- Enable SIM‐card locking
- Enable automatic device lock after idle session time‐out
- Do not allow apps to access stored certificates, access codes and other credentials
- Disable visibility during password entry
- Disable message preview on the home screen
- Disable features meant for app development
- Make use of tracking software

App‐related Controls
- Limit the number of installed apps to a minimum
- Only install apps when the app and its developer are known and trusted
- Limit the authorizations of installed apps to an absolute minimum
- Configure the mobile browser in a sufficiently secure manner:
  - Disable JavaScript
  - Enable fraud messages
  - Disable automatic population of web forms
  - Enable privacy mode / incognito mode
  - Disable the acceptance of cookies
  - Enable the display of security warnings
- Timely update software and apps with the latest versions / security patches
- Disable location services as much as possible
- Only install apps from trusted sources

Network Controls
- Encrypt sent data where possible
- Disable network connections as much as possible when not used:
  - Disable mobile internet connections (mobile data) when not used
  - Disable data roaming when not used
  - Disable the personal hotspot when not used
  - Disable WiFi when not used
  - Configure the mobile device to forget WiFi networks previously connected to
  - Disable automatic WiFi connection requests
  - Configure the mobile device to prevent automatic connection to a WiFi network
  - Disable Bluetooth when not used
  - Disable Near Field Communication (NFC) when not used
  - Enable flight mode when no wireless network connections are required
- Make use of VPN connections where possible

BANKING APP SPECIFIC CONTROLS
Anticipating the threats related to mobile banking, banks discourage mobile banking through the mobile browser and included several controls during the development of their banking apps for mobile devices. Some of these controls can be configured by the end‐user, while others are fixed by the bank.

Mobile Banking App Controls [93, 94, 95, 96]
Legend: I = ING Bank, A = ABN‐AMRO Bank, R = Rabobank, S = SNS Bank; ‐ = control present, no further detail given; N/A = control not present.

Control | I | A | R | S
App password | 5 digits | 5 digits | 5 digits | 5 digits
Automatic app block after X invalid logon attempts | After 3 attempts, re‐registration is required | After 3 attempts, re‐registration is required | After 3 attempts, the pass code has to be reset using the Random reader | After 3 attempts, the account is locked for 24 hours
Use of MFA (token with bank card reader) for high amounts / unknown bank account transactions | N/A | e.dentifier | Random reader | Digipas
Max. limit (in euros) with MFA | N/A (see limit without MFA) | 3.000 (per individual transaction) | 50.000 (combined limit for Rabo Mobielbankieren, IDEAL and Rabofoon) | 25.000 (daily, with Digipas)
Max. limit (in euros) without MFA | 1000 (daily limit, configurable) | 750 (daily limit, configurable) | 1000 (weekly limit, configurable) | 500 (daily limit, configurable)
Daily limit (in euros) between own accounts | 5000 (deposits to savings account only are unlimited) | 250.000 | 50.000 | 250.000
Transactions to Dutch bank accounts only | ‐ | N/A | ‐ | ‐
Idle session time‐out | ‐ | 5 minutes | ‐ | ‐
Automatic app block after period of non‐use | 24 months | N/A | N/A | 24 months
Other controls | When the online banking account is blocked, the mobile banking account is blocked as well. This control is put in place because registration goes through the online banking environment instead of using an MFA token, which is the case with the other system banks. | | |

MOBILE BANKING APP – USER RESPONSIBILITIES
User responsibilities are based on the general terms and conditions only [93, 94, 95, 96], unless a reference is made to another source such as the bank website ("only on website"). Legend: I = ING Bank, A = ABN‐AMRO Bank, R = Rabobank, S = SNS Bank.

Responsibility | Comments
Make sure the access code is not too easy |
Keep the access code confidential |
Use a unique access code not used for other purposes |
Do not let anyone see you enter your access code |
Make sure your device contains the original OS | I: only on website; A: only on website
Make sure to have the most recent OS version on your device | A: only on website
Only download the App from official App stores | I: App Store, Market Place, App World, Google Play, Windows Store; A: no stores mentioned; R: App Store, Market Place, App World, Google Play; S: App Store, Market Place, App World, Google Play
Periodically check your transactions through the App | I: once every two weeks; S: once every week
Always make sure to log out after using the App |
Before downloading the app, check the version, size and deployment date against the information on the bank website |
Only use secure WiFi networks |
Deregister your device from the MB‐service before disposing of the device |
Make sure to configure an access code for the mobile device as well | I: only on website; A: only on website; S: only on website
File a report with the police authorities in case of fraud and hand over a copy of the report to the bank |
Notify the bank immediately in case of possible security issues, such as: amounts have been withdrawn without you initiating the transaction; you think someone knows your app PIN code; you have lost your mobile device; your device is infected with a virus |

If the above responsibilities are not adhered to, banks do not cover possible financial loss due to security incidents. Moreover, SNS Bank uses a policy excess (Dutch: ‘eigen risico’) of €150 and Rabobank uses a maximum amount of €225 per demerit or chain of demerits.
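The following is an added example, not code from the thesis or from any of the four banks: it encodes the Mobile Banking App Controls table above (legend I=ING, A=ABN‐AMRO, R=Rabobank, S=SNS Bank) as policy data and shows how the PIN lockout, the MFA step‐up and the transaction limits interact for one customer. Field names, the AppState bookkeeping and the IBANs are assumptions introduced for the illustration; where the table leaves a cell open the field is None and the check is skipped.

```python
"""Policy evaluator for the Mobile Banking App Controls table (added example;
not code from the thesis or from any bank).  Legend: I=ING, A=ABN-AMRO,
R=Rabobank, S=SNS Bank.  Amounts are in euro.  A None field means the table
leaves that cell open (N/A), so the corresponding check is skipped.  All IBANs
used with this code are constructed test values."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppPolicy:
    bank: str
    pin_digits: int                      # "App password"
    max_failed_logons: int               # "Automatic app block after X invalid logon attempts"
    lockout_effect: str                  # consequence of the final failed attempt
    mfa_token: Optional[str]             # None = no MFA step-up in the app (ING: N/A)
    limit_without_mfa: float             # "Max. limit without MFA", cumulative per period
    limit_with_mfa: Optional[float]      # "Max. limit with MFA"
    mfa_limit_per_transaction: bool      # True: cap applies per transaction (ABN-AMRO)
    dutch_accounts_only: bool            # "Transactions to Dutch bank accounts only"
    non_use_block_months: Optional[int]  # "Automatic app block after period of non-use"


# One row per bank, transcribed from the table above.
POLICIES = {
    "I": AppPolicy("ING", 5, 3, "re-registration required", None,
                   1000.0, None, False, True, 24),
    "A": AppPolicy("ABN-AMRO", 5, 3, "re-registration required", "e.dentifier",
                   750.0, 3000.0, True, False, None),
    "R": AppPolicy("Rabobank", 5, 3, "pass code reset with Random reader",
                   "Random reader", 1000.0, 50000.0, False, True, None),
    "S": AppPolicy("SNS Bank", 5, 3, "account locked for 24 hours", "Digipas",
                   500.0, 25000.0, False, True, 24),
}


@dataclass
class AppState:
    """Per-customer state the app or the bank keeps for the current limit period."""
    failed_logons: int = 0
    locked: bool = False
    spent_without_mfa: float = 0.0
    spent_with_mfa: float = 0.0


def pin_acceptable(policy: AppPolicy, pin: str) -> bool:
    """The app password is exactly N digits for all four banks."""
    return pin.isdigit() and len(pin) == policy.pin_digits


def record_failed_logon(policy: AppPolicy, state: AppState) -> str:
    """Count a wrong PIN; the third failure blocks the app with the bank-specific effect."""
    if not state.locked:
        state.failed_logons += 1
        if state.failed_logons >= policy.max_failed_logons:
            state.locked = True
    if state.locked:
        return f"blocked: {policy.lockout_effect}"
    return f"{policy.max_failed_logons - state.failed_logons} attempt(s) left"


def blocked_for_non_use(policy: AppPolicy, months_since_last_use: int) -> bool:
    """ING and SNS block the app after 24 months without use; the others state no period."""
    return (policy.non_use_block_months is not None
            and months_since_last_use >= policy.non_use_block_months)


def authorize(policy: AppPolicy, state: AppState, amount: float,
              beneficiary_iban: str, beneficiary_known: bool) -> str:
    """Decide ALLOW / STEP_UP_MFA / DENY for one credit transfer; does not mutate state."""
    if state.locked:
        return "DENY: app blocked"
    if policy.dutch_accounts_only and not beneficiary_iban.upper().startswith("NL"):
        return "DENY: non-Dutch beneficiary account"
    # The PIN alone suffices inside the no-MFA allowance; banks that issue a
    # token also step up for a beneficiary the customer has not paid before.
    needs_mfa = state.spent_without_mfa + amount > policy.limit_without_mfa
    if policy.mfa_token is not None and not beneficiary_known:
        needs_mfa = True
    if not needs_mfa:
        return "ALLOW"
    if policy.mfa_token is None:
        return f"DENY: exceeds no-MFA limit of {policy.limit_without_mfa:.0f} and no MFA available"
    if policy.limit_with_mfa is not None:
        total = amount if policy.mfa_limit_per_transaction else state.spent_with_mfa + amount
        if total > policy.limit_with_mfa:
            return f"DENY: exceeds MFA limit of {policy.limit_with_mfa:.0f}"
    return f"STEP_UP_MFA: confirm with {policy.mfa_token}"


def settle(state: AppState, amount: float, decision: str) -> None:
    """Book an executed transfer against the allowance the decision consumed."""
    if decision == "ALLOW":
        state.spent_without_mfa += amount
    elif decision.startswith("STEP_UP_MFA"):
        state.spent_with_mfa += amount
```

Running the same transfer sequence against each policy shows why the ING app, which has no MFA step‐up, simply refuses anything above its daily limit, while the other three route it to the hardware token until their MFA ceiling is reached.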
APPENDIX C: SURVEY CODE BOOK

Variable | Type | Description | Coding
Awareness_Score | Scale | Total combined score of the 10 awareness questions | Range: ‐30 to 20. ‐30 to 0 = Insufficient; 1 to 7 = Moderate; 8 to 14 = Sufficient; 15 to 20 = Good
Smartphone_Use | Nominal | Indication of whether respondents use a smartphone, and if so, which OS | 1 = No; 2 = Yes, Symbian OS; 3 = Yes, iOS; 4 = Yes, Android OS; 5 = Yes, Blackberry OS; 6 = Yes, Windows Phone OS; 7 = Other; 8 = Don’t know
MobileBanking_Use | Ordinal | Indication of whether respondents use Mobile Banking, and if so, in which manner | 1 = No; 2 = Yes, only through the mobile internet browser; 3 = Yes, only via the mobile banking app; 4 = Yes, both through the mobile internet browser and via the mobile banking app
MB_NonUse_Expl | Ordinal | Indication of why respondents with smartphones do not use Mobile Banking | 1 = Use of mobile banking not yet considered; 2 = Not interested in mobile banking; 3 = Mobile banking considered not safe enough; 4 = Not able to handle mobile banking services
Behavior_1 to Behavior_27 | Ordinal | Questions related to how respondents operate on their smartphone | 1 = Never; 2 = Usually not; 3 = Sometimes; 4 = Usually so; 5 = Always; 6 = Don’t know
Gender | Nominal | Gender of respondent | 1 = Male; 2 = Female
Age | Scale | Age of respondent | Range: 15 and up
Education | Nominal | Educational background of respondent | 1 = IT‐related; 2 = Other
Bank | Nominal | Bank of respondent | 1 = ABN AMRO Bank; 2 = RaboBank; 3 = SNS Bank; 4 = ING Bank; 5 = Other
PCbanking_Use | Nominal | Indication of whether the respondent has experience with banking on the PC/laptop | 1 = No; 2 = Yes
APPENDIX D: OUTPUT STATISTICAL ANALYSIS

SPSS FREQUENCIES FOR SMARTPHONE AND MOBILE BANKING USE

Frequencies for Smartphone Use
Do you use a smartphone, and if so; with which operating system?

Valid                                        Frequency  Percent  Valid Percent  Cumulative Percent
No                                                  21     13,0           13,0                13,0
Yes, Symbian OS                                      1       ,6             ,6                13,6
Yes, iOS                                            65     40,1           40,1                53,7
Yes, Android OS                                     58     35,8           35,8                89,5
Yes, Blackberry OS                                   9      5,6            5,6                95,1
Yes, Windows Phone OS                                3      1,9            1,9                96,9
Yes, but don't know which operating system           5      3,1            3,1               100,0
Total                                              162    100,0          100,0

Do you use Mobile Banking through the mobile internet browser and/or via the mobile banking App?

Valid                                                           Frequency  Valid Percent  Cumulative Percent
No                                                                     51          36,17               36,17
Yes, only through the mobile internet browser on my smartphone          8           5,67               41,84
Yes, only through the mobile banking App                               55          39,01               80,85
Yes, in both ways                                                      27          19,15              100,00
Total                                                                 141         100,00
Reasons for NOT using Mobile Banking

Valid                                               Frequency  Valid Percent  Cumulative Percent
I have not yet considered using mobile banking             13          25,49               25,49
I am not interested in mobile banking as a service          8          15,69               41,18
I believe mobile banking is not yet secure enough          30          58,82               100,0
Total                                                      51          100,0

DEMOGRAPHICS BEFORE EXCLUSION CRITERIA
Age                     Frequency  Percent  Valid Percent  Cumulative Percent
<= 19                          11      6,8            6,8                 6,8
20 - 29                        71     43,8           43,8                50,6
30 - 39                        33     20,4           20,4                71,0
40 - 49                        22     13,6           13,6                84,6
50+                            25     15,4           15,4               100,0
Total                         162    100,0          100,0

Gender                  Frequency  Percent  Valid Percent  Cumulative Percent
Male                          104     64,2           64,2                64,2
Female                         58     35,8           35,8               100,0
Total                         162    100,0          100,0

Educational Background  Frequency  Percent  Valid Percent  Cumulative Percent
IT-related                     61     37,7           37,7                37,7
Other                         101     62,3           62,3               100,0
Total                         162    100,0          100,0
POSSIBLE INFLUENTIAL FACTORS ON BEHAVIOR STATEMENTS

Respondents of different banks (Kruskal-Wallis test)

Ranks: Sum of answers on Behavior questions
Grouping variable: At which institution do you primarily do your daily banking? (Dutch: Bij welke instelling doet u voornamelijk uw dagelijkse bankzaken)

Bank             N   Mean Rank
ABN AMRO Bank   24       45,63
Rabobank        19       56,37
SNS Bank         2       44,25
ING Bank        43       38,86
Other, namely:   2       84,75
Total           90

Test Statistics (a,b): Sum of answers on Behavior questions
Chi-Square   df   Asymp. Sig.
10,598        4          ,031
a. Kruskal Wallis Test
b. Grouping Variable: At which institution do you primarily do your daily banking?

The survey results indicate that there is a difference in behavior between the respondents of different banks. Respondents of ING Bank show the lowest score on behavior. Respondents of banks other than the Dutch system banks show the highest score on behavior. The difference between the banks is significant (Kruskal-Wallis test Chi2 = 10,598; df = 4; p < 0,05).

Respondents' smartphone OS-version vs. Behavior (Kruskal-Wallis test)

Ranks: Sum of answers on Behavior questions

SMARTPHONE OS-version    N   Mean Rank
Symbian OS               1       83,00
iOS                     47       41,18
Android OS              40       50,01
Blackberry OS            1       51,50
Unknown                  1       24,50
Total                   90

Test Statistics (a,b): Sum of answers on Behavior questions
Chi-Square   df   Asymp. Sig.
5,244         4          ,263
a. Kruskal Wallis Test
b. Grouping Variable: SMARTPHONE OS-version

The survey results indicate that there is a difference in behavior between the respondents using different mobile operating systems. This difference is not significant (Kruskal-Wallis test Chi2 = 5,244; df = 4; p > 0,05).

Respondents' Age versus Behavior (scatter diagram)

The correlation value can vary from -1 to +1: -1 is a perfect negative correlation between the two variables and +1 is a perfect positive correlation. Before performing a statistical test for correlation, a scatter diagram can provide valuable insight into the extent to which the variables are correlated. In this case, the variables 'behavior' and 'Age' show a very weak positive correlation that is close to zero. This indicates that for the respondent group in this study, there is practically no correlation between their age and the extent to which they use the smartphone in a secure way.

POSSIBLE INFLUENTIAL FACTORS ON AWARENESS QUESTIONS
Respondents of different banks (Kruskal-Wallis test)

Ranks: Knowledge Questions Score (Dutch: Kennisvragen Score)
Grouping variable: At which institution do you primarily do your daily banking?

Bank             N   Mean Rank
ABN AMRO Bank   24       49,52
Rabobank        19       51,58
SNS Bank         2       51,75
ING Bank        43       41,51
Other, namely:   2       19,00
Total           90

Test Statistics (a,b): Knowledge Questions Score
Chi-Square   df   Asymp. Sig.
4,798         4          ,309
a. Kruskal Wallis Test
b. Grouping Variable: At which institution do you primarily do your daily banking?

The survey results indicate that there is a difference in awareness between the respondents of different banks. This difference is not significant (Kruskal-Wallis test Chi2 = 4,798; df = 4; p > 0,05).

Respondents' smartphone OS-version vs. Awareness (Kruskal-Wallis test)

Ranks: Knowledge Questions Score (Binned)

SMARTPHONE OS-version    N   Mean Rank
Symbian OS               1       25,50
iOS                     47       45,59
Android OS              40       47,40
Blackberry OS            1       25,50
Unknown                  1        5,50
Total                   90

Test Statistics (a,b): Knowledge Questions Score (Binned)
Chi-Square   df   Asymp. Sig.
4,375         4          ,358
a. Kruskal Wallis Test
b. Grouping Variable: SMARTPHONE OS-version

The survey results indicate that there is a difference in awareness between the respondents using different mobile operating systems. This difference is not significant (Kruskal-Wallis test Chi2 = 4,375; df = 4; p > 0,05).
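As an added check that is not part of the thesis, the following Python recomputes each Kruskal-Wallis H statistic above from the per-group N and mean ranks printed in the SPSS tables (H = 12/(N(N+1)) Σ n_i R̄_i² − 3(N+1)) and derives the df = 4 chi-square p-value in closed form, so the test statistics and the "p < 0,05" / "p > 0,05" statements in the prose can be verified against each other. SPSS additionally applies a tie correction, which can only raise H, so the recomputed values are lower bounds and fall noticeably short only for the heavily tied binned awareness score; the short group labels and the rank-sum transcription check are this example's own additions.

```python
from math import exp, factorial

# Per-group (label, N, mean rank) copied from the SPSS "Ranks" tables above.
BANK_BEHAVIOR = [("ABN AMRO", 24, 45.63), ("Rabobank", 19, 56.37), ("SNS", 2, 44.25),
                 ("ING", 43, 38.86), ("Other", 2, 84.75)]
OS_BEHAVIOR = [("Symbian", 1, 83.00), ("iOS", 47, 41.18), ("Android", 40, 50.01),
               ("Blackberry", 1, 51.50), ("Unknown", 1, 24.50)]
BANK_AWARENESS = [("ABN AMRO", 24, 49.52), ("Rabobank", 19, 51.58), ("SNS", 2, 51.75),
                  ("ING", 43, 41.51), ("Other", 2, 19.00)]
OS_AWARENESS_BINNED = [("Symbian", 1, 25.50), ("iOS", 47, 45.59), ("Android", 40, 47.40),
                       ("Blackberry", 1, 25.50), ("Unknown", 1, 5.50)]

def rank_sum_gap(groups):
    """Transcription check: the group rank sums must add up to N(N+1)/2."""
    n = sum(size for _, size, _ in groups)
    return abs(sum(size * mean for _, size, mean in groups) - n * (n + 1) / 2)

def kruskal_h(groups):
    """H = 12/(N(N+1)) * sum(n_i * Rbar_i^2) - 3(N+1), without tie correction."""
    n = sum(size for _, size, _ in groups)
    weighted = sum(size * mean ** 2 for _, size, mean in groups)
    return 12.0 / (n * (n + 1)) * weighted - 3 * (n + 1)

def chi2_sf(x, df):
    """P(Chi2_df > x); closed form for even df: exp(-x/2) * sum_{i<df/2} (x/2)^i / i!"""
    if df < 2 or df % 2:
        raise ValueError("closed form implemented for even df only")
    half = x / 2.0
    return exp(-half) * sum(half ** i / factorial(i) for i in range(df // 2))

def summarize(groups, alpha=0.05):
    """Return H, df, p and whether the difference is significant at alpha."""
    h = kruskal_h(groups)
    df = len(groups) - 1
    p = chi2_sf(h, df)
    return {"H": round(h, 3), "df": df, "p": round(p, 3), "significant": p < alpha}

if __name__ == "__main__":
    tests = [("bank vs behavior", BANK_BEHAVIOR), ("OS vs behavior", OS_BEHAVIOR),
             ("bank vs awareness", BANK_AWARENESS), ("OS vs awareness (binned)", OS_AWARENESS_BINNED)]
    for name, groups in tests:
        print(f"{name}: {summarize(groups)}, rank-sum gap {rank_sum_gap(groups):.2f}")
```

Running it reproduces 10,6 / p ≈ 0,031 and 4,76 / p ≈ 0,31 for the two bank comparisons, which confirms that only the behavior difference is significant at 0,05.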
Respondents' Age versus Awareness (scatter diagram)

The correlation value can vary from -1 to +1: -1 is a perfect negative correlation between the two variables and +1 is a perfect positive correlation. Before performing a statistical test for correlation, a scatter diagram can provide valuable insight into the extent to which the variables are correlated. In this case, the variables 'awareness' and 'Age' show a very weak negative correlation that is close to zero. This indicates that for the respondent group in this study, there is practically no correlation between their age and their awareness of the link between threats, vulnerabilities and control measures for mobile banking.
APPENDIX E: MOBILE BANKING VS. MOBILE PAYMENTS

As early as 2008, Sahut [19] recognized that mobile payments were at a critical point of development within the overall classification of Internet Payment Systems. Because of the information intensiveness and connectivity requirements (e.g. Internet, information device), mobile banking can also be seen as a variant of E-banking, called 'Home Banking' [2]. This type of banking consists of "services which retail customers of credit institutions can access using various kinds of telecommunication device (e.g. telephones, mobile phones, television sets, terminals or personal computers)" [3 p.355]. It is therefore not strange to learn that Mobile Banking services show a certain overlap with the previously mentioned and other forms of internet payments [20].

Mobile Payments can be defined as "the act of paying for goods or services with a mobile device" [20 p.1] or "payments for which the payment data and the payment instruction are initiated, transmitted or confirmed via a mobile phone or device. This can apply to online or offline purchases of services, digital or physical goods." [22 p.5]. Sahut distinguishes different Mobile Payment methods based on location:

Remote Payments: purchasing digital or physical goods by using the mobile phone over a network (i.e. Internet, Mobile Operator Network).
Figure 11: Example of a remote payment using a smartphone

Proximity Payments: engaging in mobile payments in which the mobile device is equipped with contactless capabilities (i.e. Near Field Communication) and the payment is made as the user passes the mobile device next to the receiving terminal [20 p.65].
Figure 12: Examples of proximity payments

The European Payments Council [21] recognizes this division and distinguishes Mobile Payments further based on the parties involved in the transaction (9):
- Contactless Card Payments: P2B and B2B;
- Remote Card Payments: P2P, P2B and B2B;
- Remote Credit Transfers: P2P, P2B and B2B.

9 P2B = Person-to-Business, P2P = Person-to-Person, B2B = Business-to-Business

Remote Payments using banking services directly (such as iDeal in the Netherlands) can be considered to show the most overlap with Mobile Banking services.
Figure 13: Example of Remote Payment on smartphone using the iDeal Banking service

This specifically holds for Remote Credit Transfers, in which credit transfers are made between the banks of the sending and receiving parties. This can be done on the mobile platform through the dedicated mobile banking app or through the mobile browser.
Figure 14: Remote Credit Transfer through mobile browser (left) and the mobile banking app (right)

Next to the actors introduced in the Mobile Banking process, mobile payments require so-called Payment Service Providers (PSPs) [48]. Mobile payments on web stores often use Payment Service Providers to facilitate the communication between the web merchant, the customer and their respective banks through dedicated payment software and user interfaces. Typical examples of PSPs are PayPal and Amazon Payments.