Every industry involves four main parties. There are, most obviously, consumers and manufacturers. There are also those who provide services or supplies to the manufacturers, or who produce peripheral products that work in tandem with the original product. Finally, there are the watchdogs, keeping tabs. Watchdogs are usually either government regulators or third-party nonprofits.

IBM predicts rising mobile threats, critical infrastructure attacks in 2011.

As reported by BoingBoing, former Google Android security framework engineer Chris Palmer, who is now technology director of the nonprofit Electronic Frontier Foundation, addresses the risks posed by mobile operating system manufacturers’ lax approach to security:

“Mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements…

Android is hardly the only mobile security offender. Apple tends to ship patches for terrible bugs very late. For example, iOS 4.2 (shipped in early December 2010) contains fixes for remotely exploitable flaws such as this FreeType bug that were several months old at the time of patch release. To ship important patches so late is below the standard set by Microsoft and Ubuntu, who are usually (though not always) much more timely. (For example, Ubuntu shipped a patch for CVE-2010-2805 in mid-August, more than three months before Apple.)”

Other industry leaders disagree. CIO.com’s Bill Snyder has stated:

“I was sitting in the middle of one of the most security conscious crowds you’d ever come across—about 200 computer security professionals listening to a high-powered panel on mobile security threats at the RSA Conference in San Francisco last week. And you’d think that after nearly 90 minutes of discussion, I’d leave the room all a twitter (pardon the pun) and scared that my iPhone was about to go rogue. Not at all. In fact, I left feeling a lot more relaxed about the security of my smartphone, and a little more skeptical about the barrage of hacker warnings to which we’ve all been subjected.”

Ed Amoroso, chief security officer of AT&T, said:

“Day-to-day mobile threats haven’t (yet) caused much harm.”

Ian Robertson, security research manager for BlackBerry developer Research in Motion, said:

“I can count on one hand the pieces of (mobile) malware I’ve seen installed.”

And here’s Paul Smocer, who is in charge of technology at the banking trade group The Financial Services Roundtable:

“I have begun to use mobile banking myself, yes. We haven’t seen a whole lot of malicious software yet. Part of that relates to the fact that there are so many different manufacturers and operating systems in the mobile world. But part of it, I think, is also to do with the fact that this is a relatively new environment, and unfortunately, crime follows growth.”

The truth, of course, lies in the middle. While the mobile security industry isn’t exactly under siege, there is clearly more work to be done. It’s smart to invest in antivirus protection for your mobile phone, keep its operating system updated, and be cognizant of how you use your phone, so that you can avoid putting your data at risk.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto.

Mobile banking, m-banking, or SMS banking refers to online banking that occurs via mobile phone or PDA rather than a PC. The earliest mobile banking services were offered over SMS, but with the introduction of smartphones and Apple iOS, mobile banking is being offered primarily through applications as opposed to text messages or a mobile browser.

Mobile banking reduces expenses by allowing customers to review transactions, transfer funds, pay bills, and check balances without relatively expensive phone calls to a bank’s customer service call center. More than half of all customer service calls already come from mobile phones, and studies show consumers are twice as likely to have a cell phone as cash when out and about. Younger consumers, who are most likely to carry cell phones, are also heavy debit card users who require frequent balance checks.

Enhanced security with SMS transaction notifications and the ability to turn card accounts on or off, and new technologies like mobile check deposit, in which you simply take a cell phone picture of the check, are contributing to the increasing popularity of mobile banking. Eventually, mobile phones may even replace ATMs and credit cards.

About 10% of U.S. households currently use mobile banking, according to market research firm Nielsen, and Forrester predicts that one in five adults in the U.S. will be using mobile banking by 2015:

“Consumer adoption of smartphones and increasing use of the mobile Web will drive sustained growth of casual, informational use of mobile banking — to check balances, review transactions, or receive alerts. Creating preference for mobile banking broadly will require banks to deliver more obvious value and superior execution than other channels offer. Functionality like mobile remote deposit capture and contactless mobile payments alone, though, will not anchor mobile banking the way that bill payment and account transfers have done for online banking. Channel managers must address issues of duplicate functionality, marginal user experiences, and a general failure to exploit the most valuable aspects of the channel if mobile banking is to become a critical part of how consumers manage their accounts.”

While standard, PC-based online banking is holding steady at around 40%, banks like USAA and Bank of America are reporting big increases in mobile banking in the last two years.

Like regular online banking, mobile banking won’t be for everyone. But as more banks and credit unions recognize the financial efficiency of mobile banking, they will invest in applications that make banking that much more convenient for their customers. And as those customers take advantage of the timesaving features provided by their banks, mobile banking will grow exponentially.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto.

Mobile payments generally involve three participants: the mobile device, the merchant, and a financial service provider or trusted third party.

That trusted third party, or TTP, is an established, reputable fiduciary entity accepted by all parties to an agreement, deal, or transaction. A TTP authenticates and authorizes users in order to secure a payment transaction, and acts as an impartial intermediary for the settlement of payments and any problems that arise after the transaction has occurred.

There are various mobile payment delivery options. Near Field Communication is a contactless delivery system involving a chip that is built into the phone itself, embedded in a card inside the phone, or attached to the phone as a sticker. There are also new applications that facilitate mobile payments, most of which involve a barcode that the user scans at the register.

The statistics for mobile payment are impressive. The U.S. mobile payment industry encompasses a number of categories, including mobile bill payment, mobile point of sale, m-commerce, and mobile contactless. Mobile bill payment, in which consumers pay bills via mobile phone, currently makes up the bulk of the U.S.’s mobile payment industry. Mobile point of sale, in which a consumer’s phone is used as a point of sale device, accounts for just over 5%, but is expected to grow by 127% in the next five years, to $54 billion in transactions. Mobile contactless is expected to grow 1,077% by 2015. The gross dollar volume of mobile payments overall is expected to grow 68% by 2015.

This is all very exciting, but the Payment Card Industry Standards Council is not yet granting approval to any mobile payment applications. With the explosive growth of the mobile payment industry, they are holding off and waiting to see which technologies rise to the top. This shouldn’t be a concern for mobile phone users, though, since the merchant, rather than the customer, undertakes the bulk of the risk.

Meanwhile, as you increasingly use your phone for mobile payments, be aware that the phone correspondingly increases in value to thieves and hackers. So keep track of your cell phone. You wouldn’t leave your wallet on a bar and walk away, and you shouldn’t do that with your phone, either. And be cautious when visiting websites on your phone’s browser, clicking on links, or responding to text messages.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America.

Regulatory compliance will be the top business issue affecting enterprise information technology (IT) in the next 12 to 18 months, according to a major new ISACA member survey of more than 2,400 IT, security, and audit and assurance managers from 126 countries worldwide.

Conducted by ISACA, a global association serving more than 95,000 IT governance, assurance and security professionals, the survey found that the business issues that traditionally challenge ISACA members—such as compliance, governance and information security management—continue to dominate the list, but the increase in regulations, data breaches and new technologies such as cloud computing and the rise of personal technology in the workplace are accelerating complexity and risk. The findings are available in Top Business/Technology Issues Survey Results, offered as a free download at www.isaca.org/toptech.
 
"This year's survey shows more clearly than ever that information technology cannot be managed in a vacuum. From the growing number of government regulations to consumer privacy concerns to hacktivist attacks, enterprise IT assets are being challenged in ways that go far beyond the server room," said Tony Noble, CISA, a member of ISACA's Guidance and Practices Committee and vice president of IT audit at Viacom Inc. "The study also reveals a marked perception that the business side of the organization believes IT is managed in a silo, which indicates an opportunity for better aligning business with IT to unlock greater value."
 
Key business issues affecting IT, according to Top Business/Technology Issues Survey findings, along with their weighted scores,* are:

  • Regulatory compliance (Score: 4.6)
  • Enterprise-based IT management and governance (Score: 4.4)
  • Information security management (Score: 4.1)
  • Disaster recovery/business continuity (Score: 3.1)
  • Challenges of managing IT risks (Score: 2.5)
  • Vulnerability management (Score: 2.1)
  • Continuous process improvement and business agility (Score: 2.0)
 
Survey data reveal four areas that just missed the top seven this year, but are expected to rise in importance in future member surveys: cloud computing, mobile device management, virtualization and business intelligence.
 
Regulatory compliance is No. 1 concern
Enterprises are facing a need to manage growth in a challenging global economy while at the same time complying with a growing number of regulations and standards. New or changed regulations expected to impact enterprise IT in the next 12 to 18 months include Basel, Dodd-Frank, PII, Do Not Track, Solvency II and HITECH Meaningful Use, as well as an overall tightening of tax and privacy regulations worldwide. Within this topic, the top-ranked technology concern (chosen by 53 percent of respondents) was segregation of duties and privileged access monitoring.
 
Managing IT project risk is focus within governance of enterprise IT (GEIT)
The survey shows that there is a growing focus on enterprise-based IT management and IT governance. This finding aligns with the IT Governance Institute's global status report on GEIT, which showed that 95 percent of the C-level executives surveyed consider governance of enterprise IT important. According to the Top Business/Technology Issues survey, managing IT project risk tops the list of concerns within this area, rated as most important by 45 percent.
 
Growing number of security breaches highlights need for management
After many well-publicized data breaches and losses and massive spending on state-of-the-art security technologies, organizations are realizing that information security is about being able to manage information adequately. One of the top concerns expressed by ISACA members was the lack of senior management involvement in setting direction for information security, which was ranked as important or very important by a total of 80 percent of responses.
 
"Occurrences such as WikiLeaks, the Zeus botnet and an overall rise in identity theft show in 2010 that the variety and volume of threats is on the upswing. Security is everyone's business, not just IT's. This area will continue to be a losing battle if organizations don't get top-down commitment," noted Greg Grocholski, CISA, director at ISACA and corporate auditor at The Dow Chemical Co.
 
Lack of awareness among business management hinders disaster recovery
From flooding to power outages to acts of terrorism and civil unrest, all business activity is at risk for disruption. Despite advances in software, continuity remains an elusive goal. According to the survey, the biggest problem (87 percent) is the lack of awareness among business managers that they are responsible for being able to maintain critical functions in the event of a disaster.
 
These business issues are among the topics that will be addressed at upcoming ISACA events. The North America Computer Audit, Control and Security (CACS) conference in Las Vegas, Nevada, USA, on 15-19 May 2011 will examine the human factors of IT and feature several sessions on advancements in social media, cloud computing and mobile devices. The World Congress, taking place in National Harbor, Maryland, USA, on 27-29 June 2011, provides high-level thought leadership across the complete range of ISACA disciplines: IT audit, governance, compliance, security and risk management.
 
About ISACA
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.
 
ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

* The weighted score is the average ranking multiplied by the number of responses, and the scoring gives weight to the degree of importance on which survey respondents ranked each issue. Higher scores indicate higher importance.

There are a number of mobile operating systems, but five major players have floated to the top, dominating a major chunk of the market. It used to be that people chose their phone only by their carrier and what brands it offered. Today many choose their phone based on the manufacturer and its operating system’s features.

Symbian: 31% of all mobile phones run this open-source operating system, most of which are “feature phones,” otherwise known as dumb phones, as opposed to smartphones. Nokia is the largest shareholder and customer. Other brands whose phones run Symbian include Fujitsu, Samsung, Sharp, and Sony Ericsson.

Symbian’s worldwide market share has declined from over 50% in 2009 to about 30% in 2010. Last month, Nokia announced a partnership with Microsoft, which will replace Symbian OS with Microsoft’s Windows mobile operating system.

Windows Mobile 7: Less than 5% of all mobile phones run Windows Mobile 7, which took over where Windows Mobile left off. This is a closed-source operating system that can be managed through Microsoft Exchange. Microsoft’s mobile industry market share has recently slipped quite a bit, leaving the future of Windows Mobile 7 uncertain.

BlackBerry RIM: BlackBerrys running this closed-source operating system make up 15% of all mobile phones. BlackBerry RIM began as an enterprise solution, and still is for the most part, but a consumer base has developed. Businesses like BlackBerry RIM because enhanced end-to-end encryption is standard with BlackBerry Enterprise Server. BlackBerry RIM meets the Department of Defense’s requirements, and it’s good enough for the President. This system supports over 15,000 applications, and over two million are downloaded daily.

Apple iOS: 16% of all mobile devices are iPhones or iPads running Apple iOS. This is a closed-source operating system. Apple iOS has supported third-party applications since July 2008 and currently supports over 400,000 applications, which have been downloaded over 10 billion times.

Google Android: 33% of all phones run Google Android, an open-source, Linux-derived operating system backed by Google, along with major hardware and software developers that form the Open Handset Alliance. (Intel, HTC, ARM, Samsung, Motorola, and eBay, to name a few.) Google operates the official Android Market, which contains over 150,000 applications, with an estimated 3.7 billion downloads.

In summary, I’ve had plenty of Symbian-based phones, but at this point, I may never have one again, mainly because they are more feature than smart. I’ve never had the type of job that requires a BlackBerry. Many love the Android operating system, and though it has its detractors, I do love Google and may consider Android. But for now, I’m still in awe of my iPhone.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto.

More consumers than ever before are buying smartphones. A smartphone is an Internet-enabled mobile phone with the ability to purchase and run applications. Smartphones are generally equipped with voice, data, Wi-Fi, Bluetooth, and GPS functions. Operating systems include Google’s Android, Apple’s iOS and Microsoft’s Windows Mobile 7. Most function on a 3G wireless connection and can switch to Wi-Fi when it’s available. Newer models are being built to accommodate the upcoming nationwide deployment of 4G wireless networks.

“Worldwide mobile phone sales to end users totaled 417 million units in the third quarter of 2010, a 35 percent increase from the third quarter of 2009, according to Gartner, Inc. Smartphone sales grew 96 percent from the third quarter last year, and smartphones accounted for 19.3 percent of overall mobile phone sales in the third quarter of 2010.”

In the U.S., there are 293 million cell phone subscribers and cell phone penetration is over 93%. In 2010, more than one in four households had cell phones and no landlines, which is an increase of 2.1% over 2009. Almost one in six households use cell phones exclusively, despite having a landline. Worldwide, there are 5 billion smartphones in use.

The number of mobile broadband subscriptions surpassed the half billion mark in 2010, and in 2011 broadband subscriptions are expected to exceed one billion. As more and higher speed networks are built, more consumers will gravitate toward the mobile web. Smartphone users are downloading billions of apps and spending millions via mobile payments. In fact, for the younger generation, smartphones are used for a majority of ecommerce transactions. Many of these people haven’t been inside a bank in years!

Taking Security Measures

As more people switch to smartphones, mobile security concerns increase. Here are a few reminders to help keep your data secure on your phone:

1) Use a PIN to lock your phone: 55% of consumers do not use a PIN to lock their phones. Mobile content is especially vulnerable to hackers and thieves.

2) Don’t store banking passwords on your phone: 24% of consumers store computer or banking passwords on their smartphones. 40% of consumers say losing their phone would be worse than losing their wallet, and two million mobile phones are lost or stolen every year. That’s one every fifteen seconds.

3) Register for a service that can remotely locate, access and wipe your phone: There are services that can remotely access a lost phone, pinpoint its location, and, if necessary, wipe the data from the phone. Now is the time to consider investing in one, before you lose your phone.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto.

A recent study of more than 150 organizations conducted by Aberdeen Group(1) found that the average total cost to remediate a single application security incident is approximately $300,000. As security incidents can happen at any point in the application life cycle, modernization initiatives can prove especially costly if they are not proactively secured from development to operations.

“Application security” is an often-used term for the stage of the software development cycle in which the software or application goes through a series of “penetration tests” designed to seek out vulnerabilities that could be exploited in the field. It is important to understand that flaws, bugs, holes, vulnerabilities, or whatever you call them, are often detected after the launch of software. This costs companies big bucks when a security incident arises.

While both developers and criminals have many of the same tools, the bad guys seem to have an edge and are often able to exploit those flaws before developers can find and fix them.

HP today announced the first application security analysis solution that discovers the root cause of software vulnerabilities by observing attacks in real time.

HP Fortify Real-Time Hybrid Analysis, used in concert with the new HP Fortify 360 v3.0 and HP Application Security Center 9.0, helps organizations proactively reduce business risk and protect against malicious software attacks.

Enterprises using the new HP offerings can deliver the application security intelligence required to effectively manage risk across the life cycle. By taking a pragmatic approach that secures applications from development to operations, organizations can develop a scalable, repeatable and cost-effective security assurance program to further reduce risk.

“The traditional approach of single-point security solutions helps secure parts of a business, but limits enterprises from making informed decisions,” said Joseph Feiman, vice president and fellow, Gartner. “To make optimal security and risk management decisions, enterprises must move from technological security silos to enterprise security intelligence. This can be achieved through the interaction of different technologies as well as contextual analyses of integrated security and business information.”

Based on advanced application security technologies, the new solutions help clients:

— Immediately respond to business threats: With new technology that correlates code-level analysis, HP Fortify Real-Time Hybrid Analysis allows organizations to observe security attacks as they happen to identify the point of vulnerability in code;

— Manage enterprise risk from applications: Proactively protect against threat risks and address compliance requirements through HP Fortify 360 Server, which detects security vulnerabilities across architectural layers and prioritizes remediation;

— Accelerate innovation with the latest technologies: Through expanded automation and web services testing capabilities, HP WebInspect 9.0 and HP Assessment Management Platform 9.0 increase security testing coverage of complex Web 2.0 applications;

— Enhance productivity through greater collaboration: With new features that centralize vulnerability and remediation issues, HP WebInspect 9.0 reduces the time to recreate and fix security defects, allowing developers, quality assurance and security teams to cover more applications with fewer resources; and

— Protect the integrity of the enterprise: Providing new programming language support and integrations with HP WebInspect, HP Fortify On Demand tests the security of all applications quickly, accurately and affordably.

“Applications bring new enterprise opportunities, but the threat landscape is constantly evolving,” said John M. Jack, vice president, HP Fortify business unit, Software, HP. “With new advanced real-time security technologies, HP is delivering the application security intelligence needed to drive innovation while lowering the enterprise risk associated with it.”

These new security solutions are key elements of the HP Security Intelligence and Risk Management Framework, which helps businesses and governments in pursuit of an Instant-On Enterprise. In a world of continuous connectivity, the Instant-On Enterprise embeds technology in everything it does to securely serve customers, employees, partners and citizens with whatever they need, instantly.

The new HP Fortify releases, part of HP Hybrid Delivery, are offered through multiple delivery models, including on-premise, on-demand software-as-a-service and managed services.

Robert Siciliano is an Identity Theft Expert. See him discussing identity theft on YouTube.

If you’ve been reading my blog, you probably think I’m convinced ISO 27001 is the most perfect document ever written. Actually, that’s not true – in working with my clients and teaching on the subject, the same weaknesses of this standard usually emerge. Here they are, together with my suggestions on how to resolve them:

Ambiguous terms

Some of the requirements in the standard are rather unclear:

  • Clause 4.3.1 c) requires that ISMS documentation must include… “procedures and controls in support of the ISMS” – does that mean that a document must be written for each of the controls that are applied (there are 133 controls in Annex A)? In my view, that is not necessary – I usually advise my clients to write only the policies and procedures that are necessary from the operational point of view and for decreasing the risks. All other controls can be briefly described in the Statement of Applicability since it must include the description of all controls that are implemented.
  • (Un)documented policies and procedures – in many controls from Annex A, policies and procedures are mentioned without the word “documented”. In effect, this means that such policies and procedures do not have to be written down, but this is not clear to 95% of the readers of the standard.
  • External parties / third parties – these terms are used interchangeably, which may cause confusion. It would be much better if one term was used.

Organization of the standard

Some of the requirements in the standard are either scattered or unnecessarily duplicated:

  • Some controls are simply located in the wrong place – for instance, A.11.7 Mobile computing and teleworking is located in section A.11 Access control. Although when dealing with mobile computing one has to take care of access control, section A.11 is not the most natural place to define issues related to mobile computing and teleworking.
  • Issues related to external parties are scattered around the standard – in A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it is advisable to gather all those rules in one document or one set of documents dealing with third parties.
  • Employee awareness and training is required both in clause 5.2.2 of the main part of the standard, and in control A.8.2.2. Not only is this duplication unnecessary, but it also causes additional confusion – theoretically, each control from Annex A could be excluded, so you may end up excluding a requirement that is actually not possible to exclude because it is required by the main part of the standard. The same thing happens with Internal audit (clause 6 of the main part of the standard) and control A.6.1.8 Independent review of information security.
  • Some of the controls from Annex A can be applied really broadly, and they can include other controls – for example, control A.7.1.3 Acceptable use of assets is so general that it can cover, for example, A.7.2.2 (Handling classified information), A.8.3.2 (Return of assets upon termination of employment), A.9.2.1 (Equipment protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures) etc. I usually advise my clients to make one document that would cover all those controls.

Problems or not?

Here are a few issues that are usually brought to attention as problematic, but I disagree with them:

  • The standard is too vague, it does not go into enough detail – if it did go into more detail about the technology that is to be used, it would soon be outdated; if it did go into more detail about the methods and/or organizational solutions, it wouldn’t be applicable to all sizes and types of organizations – a large bank has to be organized quite differently than a small marketing agency, yet both should be able to implement ISO 27001.
  • The standard allows too much flexibility – by this the critics mean the concept of risk assessment, where certain security controls can be excluded if there are no related risks. So they ask – “How would it be possible to exclude backup or anti-virus protection?” Actually, with the progress of technologies like cloud computing, this kind of protection might not be the responsibility of the organization implementing ISO 27001. (However, in such a case the risks of outsourcing would be rather high, so other kinds of security controls would be necessary.)

Now what?

This standard will certainly need to change – the current version of ISO/IEC 27001:2005 is now six years old, and hopefully the next revision (expected in 2012 or 2013) will address most of the above issues.

Although these shortcomings can often cause confusion, I think that positive sides of the standard outweigh the negative ones in large measure. And yes, I really am convinced this standard is by far the best framework for information security management.

Cross posted from ISO 27001 & BS 25999 blog - http://blog.iso27001standard.com
