SlideShare uma empresa Scribd logo

Blueprint-for-SecuringMobileBankingApplications-Whitepaper

B
Benjamin Wyrick
1 de 14
Baixar para ler offline
A Blueprint for Securing Mobile Banking Applications By Will LaSala and Benjamin Wyrick, VASCO Data Security
Copyright © 2015 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. Trademarks MYDIGIPASS.com, DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. Any trademark that is not owned by Vasco that appears in the document is only used to easily refer to applications that can be secured with authentication solutions such as the ones discussed in the document. Appearance of these trademarks in no way is intended to suggest any association between these trademarks and any Vasco product or any endorsement of any Vasco product by these trademarks’ proprietors. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. Foreword by David Strom Research Findings: Current State of Mobile Banking The Scope of the Mobile Banking Problem Best Practices for Securing Mobile Banking Applications Summary About the Authors About VASCO 1 2 3 5 7 8 8 Table of Contents
1 Foreword by David Strom Mobile banking has the opportunity to become just as disruptive in the modern era as ATMs were back in the 1970s. From the convenience of our own homes, and with our own devices, we now have the opportunity to do just about everything except get cash from our bank. I have been a mobile banking customer for the past several years. As an independent businessman, I get paid with a lot of checks from my clients. It used to be a chore to walk on over to the ATM to wait for a free machine to deposit them. Now I rarely visit the ATM, and having my bank email me a receipt is a nice touch. Plus, I can quickly pay my bills from my mobile phone too, so I am using my Web-based online banking access less and less. Mobile banking is not just convenient; it’s a great time-saver! In this white paper, we see the results of some research around what consumers want from their mobile banking applications, discuss some of the current issues surrounding the evolution of mobile banking, and finally, review best practices that will help secure mobile banking apps without compromising user experience. David Strom is one of the leading experts on network and Internet technologies.
2 Research Findings: Current State of Mobile Banking A survey of 1600 consumers1 by the Tower Group found that price is paramount for a customer to use a mobile banking app. Almost half of those who answered want a clear understanding of what prices and fees they will be charged by their bank for mobile account access. But getting beyond price, security and ease of use and the reliability of the transactions were also important to at least a third of the respondents. Research [1] https://info.bai.org/Vasco_BAI_Banking_Strategies_Webinar_120914_Archive.html What do customers want? Price (example: fees/rates) Security and reliability of transactions Convenience of access and hours (example: branches, online) Safety of customer savings and investments Competence and helpfulness of employees Ease of product to understand and use Speed and effectiveness of problem resolution Simplicity and ease of purchase process Fit of products and services with my lifestyle Guidance on how to better manage my finances Unsure Guidance on how to best use my financial products or services Guidance on purchasing products or services 6.1 % 8.0 % 9.2 % 9.2 % 11.8 % 11.8 % 15.5 % 17.2 % 26.1 % 33.2 % 39.4 % 41.4 % 48.7 % Security Ease of Use
3 When it comes to consumers’ concerns, both identity theft and unauthorized use of their credit cards top the list. And while consumers have concerns about data breaches, they aren’t too worried about the consequences and are slow to take particular actions to protect their credit and accounts. Perhaps this is because they haven’t been educated in what they need to do, or because they are mostly complacent about their banking needs. And even the most proactive consumers still wonder what else they need to do to or what specific tools they should have in their arsenal. Identity theft tops list of consumer fears As a result of data breaches, have you ever done any of the following? Other people obtainin and using your credit or debit card details Unauthorized access to or misuse of your personal information The US’s national security in relation to war or terrorism The security of shopping or banking online Computer security in relation to viruses or unsolicited emails A serious health epidemic occuring in the U.S. Ability to meet essential financial obligations Overall personal safety over the next six months 25 % 30 % 34 % 36 % 37 % 47 % 57 % 59 % Checked your credit report Use cash instead of cards Requested a new card number from your bank Signed up for credit monitoring Shopped at different stores Changed password for online retailers Yes 41% 37% 69% 31% 66%66% 32% 61% 57% 80% 18% 29% No
4 The survey also found out that banks heavily rely on their customers to tell them when a breach or misuse occurs, with nearly two-thirds of them notifying their banks this way. More than half of the banks find out about the breach through automated data and transaction analysis systems. However, there is a big gap in knowing and identifying the fraud and what the user has to do to resolve fraudulent claims. And consumers still feel it is the bank’s responsibility to protect them in case of a data breach or theft of account credentials. Most common ways victims discovered identity theft Contacted by financial institutions about suspicious account activity Noticed fraudulent charges on account Contacted financial institutions to report a theft Credit card declined, check bounced, or account closed due to insufficient funds Noticed money missing from account Contacted by company or agency Existing Account misues Received a bill or contacted about an unpaid bill 0% 10% 20% 30% 40% 50% Other Identity Theft
5 The Scope of the Mobile Banking Problem Rising Threats Financial institutions are tremendous targets of opportunity for electronic thievery. Blended threats, improvements to man-in-the-middle/ browser exploits, and advances in malware have made threats more numerous and even more available to less-skilled cybercriminals. And historically, banks have purchased different systems to manage different risks, but the result is that they have too many different controls that don’t necessarily integrate or work well with each other. Banks typically have had different fraud prevention departments, and used different tools for each type of exploit. Further, as these exploits continue to blossom, regulators have struggled to figure out best practice recommendations. Payment Card Initiatives and other banking regulations are a great start, but they haven’t kept up with the threat. Increasing Complexity When it comes to mobile, it’s critical that we understand the complexity of the problem we are trying to solve. The number of connected devices has passed the total number of people on the planet. And there are more devices per person and this number is increasing. There are also many different types of passwords to secure these devices, and many different accounts across a variety of non-bank institutions and many different channels and methods to do the banking itself (ATM, phone, Web). On top of this, hackers are targeting everyone and using any method they can, making things increasingly difficult.
6 Mobile Banking Problem Evolving Environment Certainly the computing environment has evolved over the years, and while we have access to a great amount of information, we also have the opportunity to be exposed to more fraudulent activities. Phones now have multiple uses and functions with their data and Internet connections. Consumer attitudes towards security are also evolving as they become more familiar with a variety of mobile apps and not just for their banking needs. Look at the interest towards mobile payment mechanisms from Apple, MasterCard and others in the past year. However, adoption will always lag because of security perceptions, technology complexity, or other reasons. Advancements in Authentication There has also been an evolution in the use of authentication in online banking too. Back in the early days, if you wanted stronger authentication, you had to ask a user to change their behavior and carry something such as a one-time password (OTP) token. But some users were reluctant to do this. Ten years ago there weren’t a lot of other solutions that were very secure and convenient, but that has changed, thankfully for the better. There are more cryptographic apps that are cost effective and secure. According to the Federal Reserve, users expect the same level of functionality on mobile banking regardless of platform or device. Limiting functionality isn’t going to cut it. And many users didn’t want to limit their options by going with those early mobile banking apps, or because of perceived security concerns.
7 Evolution of Authentication in Online banking SecurityLevel Sophistication Level of Attacks Class 1 Class 2 Class 3 Class 4 Static Passwords Virtual keyboards Counter-based OTP Time-based OTP Electronic signature Meaningful User Prompts WYSIWYS Keyloggers Phishing Pharming MitM MitM with Social Engineering
8 Best Practices for Securing Mobile Banking Applications Now, let’s address some of the best practices that can be used to secure your mobile app both on the client and server sides, to try to fight some of these perceptions and also to make mobile banking easier and more productive. Adjust Authentication Methods to Meet User Demands It’s increasingly clear that some of the older methods just aren’t useful in today’s hyper-mobile world. The notion of using OTP tokens, or using voice prompts to deliver access codes aren’t very convenient when you want to do your banking on any device, wherever you might be. New technologies like visual transaction signing and risk-based authentication can enhance security while matching the new demands for user and device flexibility, making certain that mobile users have transparent authentication and signing methods and that these methods are implemented behind the scenes. Enhance Client-side Protections Simple authentication with a user and PIN combination is no longer good enough for mobile banking, because many users share these combinations with a variety of online services, making their authentication information subject to exploitation. When it comes to mobile applications and users, a better solution is to have a user’s PIN combined with other information to lock a phone and an account down. Best Practices
9 Further, employing a variety of risk-based methods to determine if a device is in an acceptable geolocation to conduct a transaction, or if it has been jailbroken or has malware present, can add additional layers of protection. And with mobile banking, you can also use strong OTPs behind the scenes so users don’t have to remember and type it in all those numbers. Strengthen Security for Client-Server Communications Beyond the mobile app, there are use cases where having multiple authentication factors makes sense. These devices (or software tools) can generate the OTP but can transmit the password via a Bluetooth connection as an example. This way an OTP fob can send the OTP directly to the app, so the user doesn’t have to type in the password. This is just one way that a Bluetooth device can secure a transaction and transmit the information to a more hardened environment for subsequent validation. Convenient Strong Authentication ATM Internet banking Mobile bankingMobile banking Fast login communicates directly with your authentication token by Bluetooth
10 Use a Variety of Risk-Based Methods Another issue is that users want to do more with mobile banking, not just replicate what they could have done inside the branch or their Web browsers. But that means banks have to meet the added risks for these tasks and scale up their security measures accordingly. One problem is that as cryptologic tools get better, hackers are getting better too – for example, using “man-in-the-middle” types of attacks to get around traditional defenses. This creates a requirement for stronger and more transparent signatures that can be sent digitally without worrying about these kinds of attacks. One potential solution is the use of encrypted signatures and public key cryptographic infrastructure, which haven’t been quite satisfactory up till now. These solutions are painful to manage, both for IT staff and banking customers. In the mobile world, we can cut out some of this pain and take better advantage of these technologies by making use of native security inside the device to sign particular encrypted data and digital signatures of the transaction. Get Proactive with Fraud Prevention Stopping potentially dangerous activity before it starts is critical in the new mobile world, especially when it comes to fraud. Managing risk as part of a self-protected application strategy is very different from a reactive security model, where the fraudulent activity can happen, but is stopped on the back end. With risk scoring capabilities built in to a mobile application, organizations can proactively stop fraudulent activity by creating a barrier that a hacker cannot easily circumvent, and further, can be done in a way that doesn’t impact the user experience. Risk scoring capabilities within the mobile application can limit risk on the client side before the transaction ever occurs, and if the transaction is still allowed to occur, tools like risk-based/adaptive authentication on the server side can help to further mitigate risk. Watch for Evolving Regulatory Requirements If banks are playing catch up when it comes to mobile security, banking regulators are playing catch up too. The FFIEC has issued guidelines that are still based on some historical usage patterns, and some of these guidelines don’t always apply to the new mobile world. Just as the banking technology is evolving, so do the regulations and compliance mechanisms. Regulators will need to augment the existing FFIEC rules and help banks prepare for more mobile users. Take a Comprehensive Approach to Mobile App Security No matter how secure you make the various communications channels, ultimately it comes down to how well a bank builds its apps and understands the inherent security weaknesses. You still have to balance security with ease of use, and you still have to ensure that your core business logic isn’t subject to any exploits too.
11 In the end mobile banking security is the combination of a secure application, running on a secure platform, over a secure communication channel (between the bank and the user), and then being able to gather and analyze user and session data to make real-time, risk-based decisions that can protect against account takeover and prevent fraud. Bringing these concepts together into a singular mobile banking security strategy can satisfy the high demands of banking organizations when it comes to security and service delivery, while also satisfying the mobile banking user demands for functionality, convenience, and data and identity protection. In order to enhance security, improve user experience, and drive more mobile banking usage, VASCO recommends that banks and financial institutions consider these key areas as they continue to build their mobile banking security strategies: • Better protect the client platform and continuously evaluate its security posture • Employ a variety of multiple-factor user authentication tools that can leverage mobile devices to make them less onerous • Use a variety of risk-based methods to evaluate transactions in near real time • Use these methods on both servers and core apps to enforce validation methods Summary ! Client Platform Evaluation & Security Device Binding, Jailbreak + Rootkit, Malware, LBS, Device Analysis, Score-BAse User Evaluation 2FA, LBS, User Behaviour Analysis Transaction Evaluation 2FA+/Signature, Adaptive Signing Validation Server Side validation (2FA/Sig) IntelligentSecurity Driving M obile Usage
12 About VASCO VASCO is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government and healthcare markets. Learn more about VASCO at www.vasco.com or visit blog.vasco.com Benjamin Wyrick Benjamin Wyrick is Vice President of Sales and Business Operations at VASCO Data Security. Mr. Wyrick joined the company in 2005 and has been a key contributor to the overall growth of the VASCO strong authentication business in North America. Benjamin and his team have successfully managed strong authentication security projects with some of the largest financial institutions, enterprises, and online applications around the world. Benjamin is a frequent presenter at many banking and financial industry conferences and web seminars throughout North America on preventing cyber fraud, account and transaction security for online and mobile applications. Will LaSala Will LaSala is Director of Services, North America for VASCO Data Security. LaSala joined the company in 2001 and since then, has been involved in many aspects of product implementation, provisioning, and logistics. He also oversees the VASCO professional services group helping financial institutions in North America with custom two-factor authentication projects. Prior to joining VASCO, Will has worked as a Sr. Systems Engineer and Developer for a prominent consulting firm in New England. He brings over 20 years of software and cyber security experience, and his research interests are focused around the use of mobile and wireless technology to simplify security. David Strom David Strom (@dstrom, strominator.com) is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network security, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties in the enthusiast, gaming, IT, network, channel, and electronics industries, including the editor-in-chief of Network Computing print, DigitalLanding.com, and Tom’s Hardware.com. He began his career working in varying roles in end-user computing in the IT industry. He has a Masters of Science, Operations Research degree from Stanford University, and a BS from Union College. About the Authors

Recomendados

CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?
CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?
CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?- Mark - Fullbright
 
Fingerpay
FingerpayFingerpay
FingerpayAnand B
 
Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015TransUnion
 
MBA Best Mobile Banking Presentation
MBA Best Mobile Banking PresentationMBA Best Mobile Banking Presentation
MBA Best Mobile Banking Presentationrajpatelplantemoran
 
E banking & security concern
E banking & security concernE banking & security concern
E banking & security concernSyed Akhtar-Uz-Zaman
 
Mobile banking
Mobile bankingMobile banking
Mobile bankingvaibhav kubadia
 
Identity in the Internet Age
Identity in the Internet Age Identity in the Internet Age
Identity in the Internet Age Cartesian (formerly CSMG)
 
Secure Authentication for Mobile Banking Using Facial Recognition
Secure Authentication for Mobile Banking Using Facial RecognitionSecure Authentication for Mobile Banking Using Facial Recognition
Secure Authentication for Mobile Banking Using Facial RecognitionIOSR Journals
 

Recomendados

CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?
CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?
CONSUMER PERCEPTIONS ON SECURITY: DO THEY STILL CARE?- Mark - Fullbright
 
Fingerpay
FingerpayFingerpay
FingerpayAnand B
 
Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015TransUnion
 
MBA Best Mobile Banking Presentation
MBA Best Mobile Banking PresentationMBA Best Mobile Banking Presentation
MBA Best Mobile Banking Presentationrajpatelplantemoran
 
E banking & security concern
E banking & security concernE banking & security concern
E banking & security concernSyed Akhtar-Uz-Zaman
 
Mobile banking
Mobile bankingMobile banking
Mobile bankingvaibhav kubadia
 
Identity in the Internet Age
Identity in the Internet Age Identity in the Internet Age
Identity in the Internet Age Cartesian (formerly CSMG)
 
Secure Authentication for Mobile Banking Using Facial Recognition
Secure Authentication for Mobile Banking Using Facial RecognitionSecure Authentication for Mobile Banking Using Facial Recognition
Secure Authentication for Mobile Banking Using Facial RecognitionIOSR Journals
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengKnowledge Group
 
Selecting and Successfully Marketing a Mobile Banking Service
Selecting and Successfully Marketing a Mobile Banking ServiceSelecting and Successfully Marketing a Mobile Banking Service
Selecting and Successfully Marketing a Mobile Banking ServiceKevin Lynch
 
American Banker Executive Summary - Digital Trust
American Banker Executive Summary - Digital TrustAmerican Banker Executive Summary - Digital Trust
American Banker Executive Summary - Digital TrustBenjamin Wyrick
 
Callcredit's Fraud Summit - Customer experience stream
Callcredit's Fraud Summit - Customer experience streamCallcredit's Fraud Summit - Customer experience stream
Callcredit's Fraud Summit - Customer experience streamCallcredit123
 
E banking and M-banking
E banking and M-bankingE banking and M-banking
E banking and M-bankingKishan Dholakiya
 
Internet banking
Internet bankingInternet banking
Internet bankingRanjeet Yadav
 
Callcredit's Fraud Summit 2016 - Plenary session
Callcredit's Fraud Summit 2016 - Plenary sessionCallcredit's Fraud Summit 2016 - Plenary session
Callcredit's Fraud Summit 2016 - Plenary sessionCallcredit123
 
E banking & security
E banking & securityE banking & security
E banking & securitySumeer Sharma
 
management issues in online banking
management issues in online bankingmanagement issues in online banking
management issues in online bankingRanjeet Patel
 
Internet Banking
Internet BankingInternet Banking
Internet Bankingguestf9788dc7
 
Balancing Security and Customer Experience
Balancing Security and Customer ExperienceBalancing Security and Customer Experience
Balancing Security and Customer ExperienceTransUnion
 
Intelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionIntelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionEMC
 
Mobile based secure digital wallet for peer to peer payment system
Mobile based secure digital wallet for peer to peer payment systemMobile based secure digital wallet for peer to peer payment system
Mobile based secure digital wallet for peer to peer payment systemijujournal
 
Mobile Banking Case Analysis : Service Design for m-banking
Mobile Banking Case Analysis : Service Design for m-bankingMobile Banking Case Analysis : Service Design for m-banking
Mobile Banking Case Analysis : Service Design for m-bankingDevanshu Gupta
 
Callcredit's Fraud Summit 2016 - Identity verification stream
Callcredit's Fraud Summit 2016 - Identity verification streamCallcredit's Fraud Summit 2016 - Identity verification stream
Callcredit's Fraud Summit 2016 - Identity verification streamCallcredit123
 
E banking
E bankingE banking
E bankingAt home
 
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...Syeful Islam
 
Essay #2 ethical considerations
Essay #2 ethical considerationsEssay #2 ethical considerations
Essay #2 ethical considerationsjandrewsxu
 
E banking
E bankingE banking
E bankingMohammad Akteruzzaman(Nannu)
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGY
SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGYSYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGY
SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGYPARAMASIVANCHELLIAH
 
Enhancing security features
Enhancing security featuresEnhancing security features
Enhancing security featuresNana Kwame(Emeritus) Gyamfi
 

Mais conteúdo relacionado

Mais procurados

Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengKnowledge Group
 
Selecting and Successfully Marketing a Mobile Banking Service
Selecting and Successfully Marketing a Mobile Banking ServiceSelecting and Successfully Marketing a Mobile Banking Service
Selecting and Successfully Marketing a Mobile Banking ServiceKevin Lynch
 
American Banker Executive Summary - Digital Trust
American Banker Executive Summary - Digital TrustAmerican Banker Executive Summary - Digital Trust
American Banker Executive Summary - Digital TrustBenjamin Wyrick
 
Callcredit's Fraud Summit - Customer experience stream
Callcredit's Fraud Summit - Customer experience streamCallcredit's Fraud Summit - Customer experience stream
Callcredit's Fraud Summit - Customer experience streamCallcredit123
 
Callcredit's Fraud Summit 2016 - Plenary session
Callcredit's Fraud Summit 2016 - Plenary sessionCallcredit's Fraud Summit 2016 - Plenary session
Callcredit's Fraud Summit 2016 - Plenary sessionCallcredit123
 
E banking & security
E banking & securityE banking & security
E banking & securitySumeer Sharma
 
management issues in online banking
management issues in online bankingmanagement issues in online banking
management issues in online bankingRanjeet Patel
 
Balancing Security and Customer Experience
Balancing Security and Customer ExperienceBalancing Security and Customer Experience
Balancing Security and Customer ExperienceTransUnion
 
Intelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionIntelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionEMC
 
Mobile based secure digital wallet for peer to peer payment system
Mobile based secure digital wallet for peer to peer payment systemMobile based secure digital wallet for peer to peer payment system
Mobile based secure digital wallet for peer to peer payment systemijujournal
 
Mobile Banking Case Analysis : Service Design for m-banking
Mobile Banking Case Analysis : Service Design for m-bankingMobile Banking Case Analysis : Service Design for m-banking
Mobile Banking Case Analysis : Service Design for m-bankingDevanshu Gupta
 
Callcredit's Fraud Summit 2016 - Identity verification stream
Callcredit's Fraud Summit 2016 - Identity verification streamCallcredit's Fraud Summit 2016 - Identity verification stream
Callcredit's Fraud Summit 2016 - Identity verification streamCallcredit123
 
E banking
E bankingE banking
E bankingAt home
 
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...Syeful Islam
 
Essay #2 ethical considerations
Essay #2 ethical considerationsEssay #2 ethical considerations
Essay #2 ethical considerationsjandrewsxu
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 

Mais procurados (20)

Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee Seng
 
Selecting and Successfully Marketing a Mobile Banking Service
Selecting and Successfully Marketing a Mobile Banking ServiceSelecting and Successfully Marketing a Mobile Banking Service
Selecting and Successfully Marketing a Mobile Banking Service
 
American Banker Executive Summary - Digital Trust
American Banker Executive Summary - Digital TrustAmerican Banker Executive Summary - Digital Trust
American Banker Executive Summary - Digital Trust
 
Callcredit's Fraud Summit - Customer experience stream
Callcredit's Fraud Summit - Customer experience streamCallcredit's Fraud Summit - Customer experience stream
Callcredit's Fraud Summit - Customer experience stream
 
E banking and M-banking
E banking and M-bankingE banking and M-banking
E banking and M-banking
 
Internet banking
Internet bankingInternet banking
Internet banking
 
Callcredit's Fraud Summit 2016 - Plenary session
Callcredit's Fraud Summit 2016 - Plenary sessionCallcredit's Fraud Summit 2016 - Plenary session
Callcredit's Fraud Summit 2016 - Plenary session
 
E banking & security
E banking & securityE banking & security
E banking & security
 
management issues in online banking
management issues in online bankingmanagement issues in online banking
management issues in online banking
 
Internet Banking
Internet BankingInternet Banking
Internet Banking
 
Balancing Security and Customer Experience
Balancing Security and Customer ExperienceBalancing Security and Customer Experience
Balancing Security and Customer Experience
 
Intelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionIntelligence-Driven Fraud Prevention
Intelligence-Driven Fraud Prevention
 
Mobile based secure digital wallet for peer to peer payment system
Mobile based secure digital wallet for peer to peer payment systemMobile based secure digital wallet for peer to peer payment system
Mobile based secure digital wallet for peer to peer payment system
 
Mobile Banking Case Analysis : Service Design for m-banking
Mobile Banking Case Analysis : Service Design for m-bankingMobile Banking Case Analysis : Service Design for m-banking
Mobile Banking Case Analysis : Service Design for m-banking
 
Callcredit's Fraud Summit 2016 - Identity verification stream
Callcredit's Fraud Summit 2016 - Identity verification streamCallcredit's Fraud Summit 2016 - Identity verification stream
Callcredit's Fraud Summit 2016 - Identity verification stream
 
E banking
E bankingE banking
E banking
 
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
 
Essay #2 ethical considerations
Essay #2 ethical considerationsEssay #2 ethical considerations
Essay #2 ethical considerations
 
E banking
E bankingE banking
E banking
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 

Semelhante a Blueprint-for-SecuringMobileBankingApplications-Whitepaper

SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGY
SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGYSYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGY
SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGYPARAMASIVANCHELLIAH
 
Top 8 Mobile Finance Trends 2015
Top 8 Mobile Finance Trends 2015Top 8 Mobile Finance Trends 2015
Top 8 Mobile Finance Trends 2015DMI
 
A Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking SystemA Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking SystemIJCSIS Research Publications
 
A Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking SystemA Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking SystemIJCSIS Research Publications
 
Are Mobile Banking Apps Safe?
Are Mobile Banking Apps Safe?Are Mobile Banking Apps Safe?
Are Mobile Banking Apps Safe?VISTA InfoSec
 
Consumer awareness and usage of e
Consumer awareness and usage of eConsumer awareness and usage of e
Consumer awareness and usage of eajeccleton
 
Multi-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachMulti-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachJigisha Aryya
 
Challenges to consider in the mobile wallet space
Challenges to consider in the mobile wallet spaceChallenges to consider in the mobile wallet space
Challenges to consider in the mobile wallet spaceNikunj Gundaniya
 
The ‘Omnichannel’ Nirvana and the future of banking
The ‘Omnichannel’ Nirvana and the future of bankingThe ‘Omnichannel’ Nirvana and the future of banking
The ‘Omnichannel’ Nirvana and the future of bankingPhilip Brooks
 
Mobile infographic 2015_english
Mobile infographic 2015_englishMobile infographic 2015_english
Mobile infographic 2015_englisheasysolmaria
 
Four ways to secure banking transaction by biometrics
Four ways to secure banking transaction by biometricsFour ways to secure banking transaction by biometrics
Four ways to secure banking transaction by biometricsManzurul Hassan Zumman
 
Mobile banking
Mobile bankingMobile banking
Mobile bankingNalini K
 
The Impact of Customer Knowledge on the Security of E-Banking
The Impact of Customer Knowledge on the Security of E-BankingThe Impact of Customer Knowledge on the Security of E-Banking
The Impact of Customer Knowledge on the Security of E-BankingCSCJournals
 
9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by Regula9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by RegulaRegula
 
httpssquareup.comusentownsquaremobile-paymentshttpswww
httpssquareup.comusentownsquaremobile-paymentshttpswwwhttpssquareup.comusentownsquaremobile-paymentshttpswww
httpssquareup.comusentownsquaremobile-paymentshttpswwwLizbethQuinonez813
 
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of FraudstersSecure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of FraudstersCognizant
 
LD7028 Research Methods And Project Management.docx
LD7028 Research Methods And Project Management.docxLD7028 Research Methods And Project Management.docx
LD7028 Research Methods And Project Management.docxstirlingvwriters
 

Semelhante a Blueprint-for-SecuringMobileBankingApplications-Whitepaper (20)

SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGY
SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGYSYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGY
SYSTEMATIC LITERATURE REVIEW ON BANKING INNOVATION THROUGH TECHNOLOGY
 
Enhancing security features
Enhancing security featuresEnhancing security features
Enhancing security features
 
Top 8 Mobile Finance Trends 2015
Top 8 Mobile Finance Trends 2015Top 8 Mobile Finance Trends 2015
Top 8 Mobile Finance Trends 2015
 
Top online frauds 2010
Top online frauds 2010Top online frauds 2010
Top online frauds 2010
 
A Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking SystemA Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking System
 
A Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking SystemA Cancelable Biometric Based Security Protocol for Online Banking System
A Cancelable Biometric Based Security Protocol for Online Banking System
 
Are Mobile Banking Apps Safe?
Are Mobile Banking Apps Safe?Are Mobile Banking Apps Safe?
Are Mobile Banking Apps Safe?
 
Consumer awareness and usage of e
Consumer awareness and usage of eConsumer awareness and usage of e
Consumer awareness and usage of e
 
Multi-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachMulti-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and Approach
 
Challenges to consider in the mobile wallet space
Challenges to consider in the mobile wallet spaceChallenges to consider in the mobile wallet space
Challenges to consider in the mobile wallet space
 
The ‘Omnichannel’ Nirvana and the future of banking
The ‘Omnichannel’ Nirvana and the future of bankingThe ‘Omnichannel’ Nirvana and the future of banking
The ‘Omnichannel’ Nirvana and the future of banking
 
Credit checking
Credit checkingCredit checking
Credit checking
 
Mobile infographic 2015_english
Mobile infographic 2015_englishMobile infographic 2015_english
Mobile infographic 2015_english
 
Four ways to secure banking transaction by biometrics
Four ways to secure banking transaction by biometricsFour ways to secure banking transaction by biometrics
Four ways to secure banking transaction by biometrics
 
Mobile banking
Mobile bankingMobile banking
Mobile banking
 
The Impact of Customer Knowledge on the Security of E-Banking
The Impact of Customer Knowledge on the Security of E-BankingThe Impact of Customer Knowledge on the Security of E-Banking
The Impact of Customer Knowledge on the Security of E-Banking
 
9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by Regula9 Trends in Identity Verification (2023) by Regula
9 Trends in Identity Verification (2023) by Regula
 
httpssquareup.comusentownsquaremobile-paymentshttpswww
httpssquareup.comusentownsquaremobile-paymentshttpswwwhttpssquareup.comusentownsquaremobile-paymentshttpswww
httpssquareup.comusentownsquaremobile-paymentshttpswww
 
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of FraudstersSecure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
 
LD7028 Research Methods And Project Management.docx
LD7028 Research Methods And Project Management.docxLD7028 Research Methods And Project Management.docx
LD7028 Research Methods And Project Management.docx
 

Blueprint-for-SecuringMobileBankingApplications-Whitepaper

  • 1. A Blueprint for Securing Mobile Banking Applications By Will LaSala and Benjamin Wyrick, VASCO Data Security
  • 2. Copyright © 2015 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. Trademarks MYDIGIPASS.com, DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. Any trademark that is not owned by Vasco that appears in the document is only used to easily refer to applications that can be secured with authentication solutions such as the ones discussed in the document. Appearance of these trademarks in no way is intended to suggest any association between these trademarks and any Vasco product or any endorsement of any Vasco product by these trademarks’ proprietors. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. Foreword by David Strom Research Findings: Current State of Mobile Banking The Scope of the Mobile Banking Problem Best Practices for Securing Mobile Banking Applications Summary About the Authors About VASCO 1 2 3 5 7 8 8 Table of Contents
  • 3. 1 Foreword by David Strom Mobile banking has the opportunity to become just as disruptive in the modern era as ATMs were back in the 1970s. From the convenience of our own homes, and with our own devices, we now have the opportunity to do just about everything except get cash from our bank. I have been a mobile banking customer for the past several years. As an independent businessman, I get paid with a lot of checks from my clients. It used to be a chore to walk on over to the ATM to wait for a free machine to deposit them. Now I rarely visit the ATM, and having my bank email me a receipt is a nice touch. Plus, I can quickly pay my bills from my mobile phone too, so I am using my Web-based online banking access less and less. Mobile banking is not just convenient; it’s a great time-saver! In this white paper, we see the results of some research around what consumers want from their mobile banking applications, discuss some of the current issues surrounding the evolution of mobile banking, and finally, review best practices that will help secure mobile banking apps without compromising user experience. David Strom is one of the leading experts on network and Internet technologies.
  • 4. 2 Research Findings: Current State of Mobile Banking A survey of 1600 consumers1 by the Tower Group found that price is paramount for a customer to use a mobile banking app. Almost half of those who answered want a clear understanding of what prices and fees they will be charged by their bank for mobile account access. But getting beyond price, security and ease of use and the reliability of the transactions were also important to at least a third of the respondents. Research [1] https://info.bai.org/Vasco_BAI_Banking_Strategies_Webinar_120914_Archive.html What do customers want? Price (example: fees/rates) Security and reliability of transactions Convenience of access and hours (example: branches, online) Safety of customer savings and investments Competence and helpfulness of employees Ease of product to understand and use Speed and effectiveness of problem resolution Simplicity and ease of purchase process Fit of products and services with my lifestyle Guidance on how to better manage my finances Unsure Guidance on how to best use my financial products or services Guidance on purchasing products or services 6.1 % 8.0 % 9.2 % 9.2 % 11.8 % 11.8 % 15.5 % 17.2 % 26.1 % 33.2 % 39.4 % 41.4 % 48.7 % Security Ease of Use
  • 5. 3 When it comes to consumers’ concerns, both identity theft and unauthorized use of their credit cards top the list. And while consumers have concerns about data breaches, they aren’t too worried about the consequences and are slow to take particular actions to protect their credit and accounts. Perhaps this is because they haven’t been educated in what they need to do, or because they are mostly complacent about their banking needs. And even the most proactive consumers still wonder what else they need to do to or what specific tools they should have in their arsenal. Identity theft tops list of consumer fears As a result of data breaches, have you ever done any of the following? Other people obtainin and using your credit or debit card details Unauthorized access to or misuse of your personal information The US’s national security in relation to war or terrorism The security of shopping or banking online Computer security in relation to viruses or unsolicited emails A serious health epidemic occuring in the U.S. Ability to meet essential financial obligations Overall personal safety over the next six months 25 % 30 % 34 % 36 % 37 % 47 % 57 % 59 % Checked your credit report Use cash instead of cards Requested a new card number from your bank Signed up for credit monitoring Shopped at different stores Changed password for online retailers Yes 41% 37% 69% 31% 66%66% 32% 61% 57% 80% 18% 29% No
  • 6. 4 The survey also found out that banks heavily rely on their customers to tell them when a breach or misuse occurs, with nearly two-thirds of them notifying their banks this way. More than half of the banks find out about the breach through automated data and transaction analysis systems. However, there is a big gap in knowing and identifying the fraud and what the user has to do to resolve fraudulent claims. And consumers still feel it is the bank’s responsibility to protect them in case of a data breach or theft of account credentials. Most common ways victims discovered identity theft Contacted by financial institutions about suspicious account activity Noticed fraudulent charges on account Contacted financial institutions to report a theft Credit card declined, check bounced, or account closed due to insufficient funds Noticed money missing from account Contacted by company or agency Existing Account misues Received a bill or contacted about an unpaid bill 0% 10% 20% 30% 40% 50% Other Identity Theft
  • 7. 5 The Scope of the Mobile Banking Problem Rising Threats Financial institutions are tremendous targets of opportunity for electronic thievery. Blended threats, improvements to man-in-the-middle/ browser exploits, and advances in malware have made threats more numerous and even more available to less-skilled cybercriminals. And historically, banks have purchased different systems to manage different risks, but the result is that they have too many different controls that don’t necessarily integrate or work well with each other. Banks typically have had different fraud prevention departments, and used different tools for each type of exploit. Further, as these exploits continue to blossom, regulators have struggled to figure out best practice recommendations. Payment Card Initiatives and other banking regulations are a great start, but they haven’t kept up with the threat. Increasing Complexity When it comes to mobile, it’s critical that we understand the complexity of the problem we are trying to solve. The number of connected devices has passed the total number of people on the planet. And there are more devices per person and this number is increasing. There are also many different types of passwords to secure these devices, and many different accounts across a variety of non-bank institutions and many different channels and methods to do the banking itself (ATM, phone, Web). On top of this, hackers are targeting everyone and using any method they can, making things increasingly difficult.
  • 8. 6 Mobile Banking Problem Evolving Environment Certainly the computing environment has evolved over the years, and while we have access to a great amount of information, we also have the opportunity to be exposed to more fraudulent activities. Phones now have multiple uses and functions with their data and Internet connections. Consumer attitudes towards security are also evolving as they become more familiar with a variety of mobile apps and not just for their banking needs. Look at the interest towards mobile payment mechanisms from Apple, MasterCard and others in the past year. However, adoption will always lag because of security perceptions, technology complexity, or other reasons. Advancements in Authentication There has also been an evolution in the use of authentication in online banking too. Back in the early days, if you wanted stronger authentication, you had to ask a user to change their behavior and carry something such as a one-time password (OTP) token. But some users were reluctant to do this. Ten years ago there weren’t a lot of other solutions that were very secure and convenient, but that has changed, thankfully for the better. There are more cryptographic apps that are cost effective and secure. According to the Federal Reserve, users expect the same level of functionality on mobile banking regardless of platform or device. Limiting functionality isn’t going to cut it. And many users didn’t want to limit their options by going with those early mobile banking apps, or because of perceived security concerns.
  • 9. 7 Evolution of Authentication in Online banking SecurityLevel Sophistication Level of Attacks Class 1 Class 2 Class 3 Class 4 Static Passwords Virtual keyboards Counter-based OTP Time-based OTP Electronic signature Meaningful User Prompts WYSIWYS Keyloggers Phishing Pharming MitM MitM with Social Engineering
  • 10. 8 Best Practices for Securing Mobile Banking Applications Now, let’s address some of the best practices that can be used to secure your mobile app both on the client and server sides, to try to fight some of these perceptions and also to make mobile banking easier and more productive. Adjust Authentication Methods to Meet User Demands It’s increasingly clear that some of the older methods just aren’t useful in today’s hyper-mobile world. The notion of using OTP tokens, or using voice prompts to deliver access codes aren’t very convenient when you want to do your banking on any device, wherever you might be. New technologies like visual transaction signing and risk-based authentication can enhance security while matching the new demands for user and device flexibility, making certain that mobile users have transparent authentication and signing methods and that these methods are implemented behind the scenes. Enhance Client-side Protections Simple authentication with a user and PIN combination is no longer good enough for mobile banking, because many users share these combinations with a variety of online services, making their authentication information subject to exploitation. When it comes to mobile applications and users, a better solution is to have a user’s PIN combined with other information to lock a phone and an account down. Best Practices
  • 11. 9 Further, employing a variety of risk-based methods to determine if a device is in an acceptable geolocation to conduct a transaction, or if it has been jailbroken or has malware present, can add additional layers of protection. And with mobile banking, you can also use strong OTPs behind the scenes so users don’t have to remember and type it in all those numbers. Strengthen Security for Client-Server Communications Beyond the mobile app, there are use cases where having multiple authentication factors makes sense. These devices (or software tools) can generate the OTP but can transmit the password via a Bluetooth connection as an example. This way an OTP fob can send the OTP directly to the app, so the user doesn’t have to type in the password. This is just one way that a Bluetooth device can secure a transaction and transmit the information to a more hardened environment for subsequent validation. Convenient Strong Authentication ATM Internet banking Mobile bankingMobile banking Fast login communicates directly with your authentication token by Bluetooth
  • 12. 10 Use a Variety of Risk-Based Methods Another issue is that users want to do more with mobile banking, not just replicate what they could have done inside the branch or their Web browsers. But that means banks have to meet the added risks for these tasks and scale up their security measures accordingly. One problem is that as cryptologic tools get better, hackers are getting better too – for example, using “man-in-the-middle” types of attacks to get around traditional defenses. This creates a requirement for stronger and more transparent signatures that can be sent digitally without worrying about these kinds of attacks. One potential solution is the use of encrypted signatures and public key cryptographic infrastructure, which haven’t been quite satisfactory up till now. These solutions are painful to manage, both for IT staff and banking customers. In the mobile world, we can cut out some of this pain and take better advantage of these technologies by making use of native security inside the device to sign particular encrypted data and digital signatures of the transaction. Get Proactive with Fraud Prevention Stopping potentially dangerous activity before it starts is critical in the new mobile world, especially when it comes to fraud. Managing risk as part of a self-protected application strategy is very different from a reactive security model, where the fraudulent activity can happen, but is stopped on the back end. With risk scoring capabilities built in to a mobile application, organizations can proactively stop fraudulent activity by creating a barrier that a hacker cannot easily circumvent, and further, can be done in a way that doesn’t impact the user experience. Risk scoring capabilities within the mobile application can limit risk on the client side before the transaction ever occurs, and if the transaction is still allowed to occur, tools like risk-based/adaptive authentication on the server side can help to further mitigate risk. Watch for Evolving Regulatory Requirements If banks are playing catch up when it comes to mobile security, banking regulators are playing catch up too. The FFIEC has issued guidelines that are still based on some historical usage patterns, and some of these guidelines don’t always apply to the new mobile world. Just as the banking technology is evolving, so do the regulations and compliance mechanisms. Regulators will need to augment the existing FFIEC rules and help banks prepare for more mobile users. Take a Comprehensive Approach to Mobile App Security No matter how secure you make the various communications channels, ultimately it comes down to how well a bank builds its apps and understands the inherent security weaknesses. You still have to balance security with ease of use, and you still have to ensure that your core business logic isn’t subject to any exploits too.
  • 13. 11 In the end mobile banking security is the combination of a secure application, running on a secure platform, over a secure communication channel (between the bank and the user), and then being able to gather and analyze user and session data to make real-time, risk-based decisions that can protect against account takeover and prevent fraud. Bringing these concepts together into a singular mobile banking security strategy can satisfy the high demands of banking organizations when it comes to security and service delivery, while also satisfying the mobile banking user demands for functionality, convenience, and data and identity protection. In order to enhance security, improve user experience, and drive more mobile banking usage, VASCO recommends that banks and financial institutions consider these key areas as they continue to build their mobile banking security strategies: • Better protect the client platform and continuously evaluate its security posture • Employ a variety of multiple-factor user authentication tools that can leverage mobile devices to make them less onerous • Use a variety of risk-based methods to evaluate transactions in near real time • Use these methods on both servers and core apps to enforce validation methods Summary ! Client Platform Evaluation & Security Device Binding, Jailbreak + Rootkit, Malware, LBS, Device Analysis, Score-BAse User Evaluation 2FA, LBS, User Behaviour Analysis Transaction Evaluation 2FA+/Signature, Adaptive Signing Validation Server Side validation (2FA/Sig) IntelligentSecurity Driving M obile Usage
  • 14. 12 About VASCO VASCO is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government and healthcare markets. Learn more about VASCO at www.vasco.com or visit blog.vasco.com Benjamin Wyrick Benjamin Wyrick is Vice President of Sales and Business Operations at VASCO Data Security. Mr. Wyrick joined the company in 2005 and has been a key contributor to the overall growth of the VASCO strong authentication business in North America. Benjamin and his team have successfully managed strong authentication security projects with some of the largest financial institutions, enterprises, and online applications around the world. Benjamin is a frequent presenter at many banking and financial industry conferences and web seminars throughout North America on preventing cyber fraud, account and transaction security for online and mobile applications. Will LaSala Will LaSala is Director of Services, North America for VASCO Data Security. LaSala joined the company in 2001 and since then, has been involved in many aspects of product implementation, provisioning, and logistics. He also oversees the VASCO professional services group helping financial institutions in North America with custom two-factor authentication projects. Prior to joining VASCO, Will has worked as a Sr. Systems Engineer and Developer for a prominent consulting firm in New England. He brings over 20 years of software and cyber security experience, and his research interests are focused around the use of mobile and wireless technology to simplify security. David Strom David Strom (@dstrom, strominator.com) is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network security, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties in the enthusiast, gaming, IT, network, channel, and electronics industries, including the editor-in-chief of Network Computing print, DigitalLanding.com, and Tom’s Hardware.com. He began his career working in varying roles in end-user computing in the IT industry. He has a Masters of Science, Operations Research degree from Stanford University, and a BS from Union College. About the Authors