Mobile Banking: Security is in the eye of the bank

Sunday, April 06, 2008

Security is in the eye of the bank

It is a common saying that security is only as secure as it is perceived to be. It is quite possible to develop many different security solutions that can protect what it is supposed to protect economically. (The cost of the system is less than the fraud that could be committed in the absence of the system)

Unfortunately this is not the criteria for a successful security solution that will be deployed and used. Rather it is if the security solution is perceived to be secure. In the case of mobile banking, the question should be asked "perceived by who?" and "what will convince them that it is secure enough?"

In the case of mobile banking, I would like to argue that it is not end-consumers that are the primary evaluaters of security. The key is not to ensure that end-consumers perceive mobile banking as secure, but rather bankers. In my experience, it is the banking fraternity that are uncomfortable with mobile banking security more often than not. Only if they are made to be comfortable with the security is it possible to launch a mobile banking solutions. Even when the end-consumer would have been happy long-ago, or even if the security solution can be proven to be economically sound, bankers will still resist.

So what is it that banks look for in a mobile banking solution:

Conforming to banking standards. Banks are comfortable if some-one else says something is secure (VISA or the PCI etc.) Problem is that few of these standards exists that can be applied directly to mobile banking. Also read this blog-entry.
Bankers like security if it looks like the security that they know and understand. They like PIN-blocks that are never stored and is never in the clear. They like digital security keys where the master keys are well-managed (preferably by a bank or a banking body)
Bankers like security where the liabilities are clearly defined in the case if something do go wrong.
Bankers like security systems where all of the functionality/components are under the direct control of the bank

Generally bankers are not enthused by maverick, sharp and innovative solutions to manage security, but rather using tried and tested approaches that can be mapped to existing procedures and internal banking rules.

In deploying mobile banking solutions, it is critical to keep this in mind.

No comments:

Post a Comment

Disclaimer

This is my personal blog. It is not my intention to distribute news that is available elsewhere, but rather comment on it or provide the reader with my own thoughts. Unless otherwise stated, the views expressed on this blog are mine alone. I expressly disclaim any and all liability of any kind or nature with respect to any act or omission based wholly or in part in reliance on anything contained on this blog. Any links that appear on this blog are purely for your information. I'm not making any representations as to their content or, in fact, any other matter concerning them. Follow all links at your own risk.

Mobile Banking

Sunday, April 06, 2008

Security is in the eye of the bank

No comments:

What some of the readers said:

Blog Archive

News Links

Followers

About Me

Disclaimer