ISACA Journal
Volume 5, 2017

Features 

Factors to Consider to Minimize Identity Theft in Mobile Banking 

Adeniyi Akanni, Ph. D., CISA, CRISC, ISO 27001 LA, ITIL 

Using mobile devices to complete commercial transactions is a newer scientific advancement in the information and communication technology (ICT) sphere. Mobile banking makes banking customer-friendly and enhances socio-economic transactions. That being said, mobile banking has many security challenges, which can lead to identity theft. At every point in which transactions between mobile devices and banking applications occur, security officers need to consider safety actions to reduce the possibility of identity theft. This article presents the major factors that are necessary to implement in order to minimize identity theft in mobile banking.

Technology has greatly enhanced banking processes and activities. According to one study, banks that effectively harness their technological resources enjoy a real competitive edge among their peers.1 Mobile devices and mobile banking have experienced phenomenal changes recently. These changes include greater adoption and improvement of mobile technology. Mobile devices are used to make calls, surf the Internet, take pictures, store vital details and carry out e-commerce activities, among other uses. Because of their widespread use, there is a need to build in necessary safety measures, especially those that address security concerns in mobile banking around user identity.2, 3, 4

Mobile devices have become all-inclusive, housing many personal details, including bank account information. Losing a mobile device can lead to stored information becoming compromised. Any weak link in the chain can be exploited to carry out financial transactions as if the impostor is the authentic owner. This can lead to losses for the bank or the customer, depending on where the liability lies.5, 6, 7 Personal identification numbers (PINs) and, more recently, biometrics have been implemented to improve security. However, these measures may give users the false belief that mobile banking is safe; it is safe only when end-to-end security is considered.

Mobile Banking Overview

Mobile banking is considered vital in countries whose residents are likely to have dissimilar cultural backgrounds. For instance, Nigeria, which runs a cash-based economy, introduced mobile banking to citizens to reduce the amount of cash in circulation. Because of this, Nigeria considers mobile banking a necessity and now has introduced a cash-lite economy.8 Similarly, M-PESA (M for mobile; pesa is Swahili for “money”) was introduced in Kenya and the effect has been quite impressive.9

A 2011 report maintained that mobile banking was gaining momentum across the globe at a remarkable speed.10 The report stressed that mobile banking will revolutionize the way banking is run in developed and developing nations. A 2010 publication saw mobile banking as a way of taking banking to people.11 While a vast majority of ordinary people remain unbanked, mobile banking is a means of achieving financial inclusion since the unbanked population utilizes mobile phones. A 2012 white paper saw mobile banking as an emerging channel with many benefits.12 However, lack of confidence in the security of services has been identified as a major challenge in customer adoption. Customers fear what happens when devices are lost or PINs are compromised.

Major Concepts

Identity theft in mobile banking is a crime and, as with any crime, preventing or solving it requires a profound understanding of who is likely to have perpetrated the crime and how it was committed. Any professional seeking to control mobile banking theft must understand what is being protected (information security), how it can be compromised (access control), who can have access and who cannot (identity management), and how to confirm the user’s identity (authentication and biometrics). With a sound grasp of those concepts, the professional can begin to build solutions that anticipate and mitigate vulnerabilities.

Information Security
Information is details about a resource or an asset. The resource can be a human or a computer. Information security, then, protects the details from unauthorized access. In other words, information security safeguards the confidentiality, integrity and availability (CIA) of information assets to prevent abuse.13

Access Control
Access to a resource describes the permission granted to use such a resource. Access control is the restriction of access to a place, facility or resource. Gaining access may, therefore, be by permission or authorization. An access control mechanism is a component that receives access requests from the subject and decides and enforces access decisions.14

Identity Management
Identity management (IDM) is a way of identifying individuals in a system such as a country, a network or an organization, and controlling the access to the resources in that system by placing restrictions on the established identities.15 Identity theft is a fast-growing criminal activity in which dishonest individuals illegally gain access to an unsuspecting person’s account as if they are the rightful owner.16 The risk factors associated with mobile IDM are similar to those associated with mobile devices in general. These include:

  • Identity theft
  • Eavesdropping
  • Spyware
  • Phishing
  • Lack of user awareness17

Authentication
Authentication is the process of ascertaining that the identified person is who he/she claims to be. Authentication, then, can be verified by “something you know,” such as a password; “something you have,” such as a token (soft or hard); or “something you are,” such as biometrics. Using only one of these verification methods is referred to as single-factor authentication. If two verification methods are used, then it is referred to as two-factor. If more than two verification methods are used, it is known as multifactor verification. In 2011, one study indicated that two-factor authentication is embraced by corporate bodies due to its relative ease of use.18

Biometrics
Biometrics measure and analyze unique physical or behavioral characteristics. They are usually used for verifying identity in genetic dispute resolutions or access control situations. A 2010 study explained biometrics as the use of physical characteristics, behavior or skills to identify a person.19 This includes palm prints, fingerprints, irises, voices, DNA and a host of other physical verifications. The idea behind using biometrics is that features such as palm prints and irises are permanent and unique to individuals so they cannot be shared with another person, as a password can be.

The Suggested Model: Hybrid Authentication Model

To effectively illustrate the essential factors that may threaten mobile banking security, a hybrid authentication model (HAM), using a combination of both PIN and fingerprints for authentication, is adopted, as shown in figure 1. The transaction carried out is selected from the application (app) installed on the mobile device. The customer is challenged to supply the PIN and his/her fingerprint. Both credentials were previously captured and stored in a database for matching purposes. When they both match and the phone ID matches too, the transaction proceeds by checking the balance and updating the relevant database.

Figure 1

Essential Factors to Minimize Identity Theft

There are five factors to consider to minimize the chance of identity theft. These five factors are:

  1. Access rights—Access rights should be granted on a need-to-have or need-to-know basis. Access to sensitive areas, databases and apps should be restricted to ensure that read, write or modification capabilities are secure.
  2. Enrollment—The enrollment stage is very important to avoid a high false acceptance rate (FAR) and high false rejection rate (FRR). The enrollment detail database should be secured for integrity.
  3. Encryption—While data are transmitted, they should be protected from unauthorized views or modifications. End-to-end encryption is necessary to ensure that this is achieved.
  4. Necessary certification—Where cloud services are involved (irrespective of adopted models of Infrastructure as a Service [IaaS], Platform as a Service [PaaS] or Software as a Service [SaaS]), certification of the cloud service provider (CSP) is very important. This ensures that the CSP knows the expectations and adheres to necessary safeguards.
  5. Effective monitoring—Effective monitoring of the enrollment through the storage or retrieval process should be in place. Monitoring may require an audit trail review and physical access register perusal or routine examination of entrance locks.
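The HAM flow described above (PIN, fingerprint and phone ID all matched before the balance is checked and updated), together with the enrollment threshold of factor 2 and the audit trail of factor 5, as an added example that is not part of the original article. All names are hypothetical; the fingerprint template is modelled as a simple feature vector, and the match threshold stands in for the FAR/FRR tuning done at enrollment.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical names throughout; templates are modelled as feature vectors.
MATCH_THRESHOLD = 0.9  # enrollment tuning: higher cuts FAR, raises FRR

def hash_pin(pin: str, salt: bytes) -> bytes:
    """The PIN is never stored in clear: salted PBKDF2 hash only."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def template_match(stored: tuple, probe: tuple) -> bool:
    """Biometric matching is fuzzy: accept when enough features agree."""
    agree = sum(1 for a, b in zip(stored, probe) if a == b)
    return agree / len(stored) >= MATCH_THRESHOLD

@dataclass
class Enrollment:
    pin_salt: bytes
    pin_hash: bytes
    fingerprint: tuple   # template captured at enrollment
    device_id: str       # phone ID bound to the account
    balance: int

AUDIT = []  # audit trail reviewed under "effective monitoring"

def enroll(pin: str, fingerprint, device_id: str, balance: int) -> Enrollment:
    salt = os.urandom(16)
    return Enrollment(salt, hash_pin(pin, salt), tuple(fingerprint), device_id, balance)

def transact(rec: Enrollment, pin: str, fingerprint, device_id: str, amount: int):
    """HAM check: PIN, fingerprint and phone ID must all match before the
    balance is checked and updated. Returns (approved, reason)."""
    pin_ok = hmac.compare_digest(hash_pin(pin, rec.pin_salt), rec.pin_hash)
    fp_ok = template_match(rec.fingerprint, tuple(fingerprint))
    dev_ok = hmac.compare_digest(device_id, rec.device_id)
    if not (pin_ok and fp_ok and dev_ok):
        # Record which factor failed for monitoring, but tell the caller only that auth failed
        AUDIT.append(("denied", device_id, pin_ok, fp_ok, dev_ok))
        return False, "authentication failed"
    if amount > rec.balance:
        AUDIT.append(("denied", device_id, "insufficient funds"))
        return False, "insufficient funds"
    rec.balance -= amount
    AUDIT.append(("approved", device_id, amount))
    return True, "approved"
```

A correct PIN and fingerprint presented from an unenrolled phone is refused exactly like a wrong PIN, so a stolen credential alone does not carry a transaction through.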

Conclusion

Mobile banking promises the world financial ease and, when securely executed, can elevate the world’s banking, regardless of location. Security officers such as chief information officers, chief security officers and chief risk officers need to consider in-depth safety measures before implementing mobile banking. This article highlights five factors that can mitigate major risk and should be practiced by the appropriate security professionals.

Endnotes

1 Anyasi, F.; P. Otubu; “Mobile Phone Technology in Banking System: Its Economic Effect,” Research Journal of Information Technology, vol. 1, iss. 1, 2009, p. 1-5
2 Bamoriya, P. S.; P. Singh; “Issues and Challenges in Mobile Banking in India: A Customer’s Perspective,” Research Journal of Finance and Accounting, vol. 2, iss. 2, 2011
3 Higgins, K.; “Weak Security in Most Mobile Banking Apps,” InformationWeek Dark Reading, 12 December 2013, www.darkreading.com/vulnerabilities---threats/weak-security-in-most-mobile-banking-apps/d/d-id/1141054
4 Siciliano, R.; “What Is Mobile Banking? Is it Safe?,” The Huffington Post, 25 July 2013, www.huffingtonpost.com/robert-siciliano/what-is-mobile-banking-is_b_3652771.html
5 Akash, K.; “Ten Risks of Mobile Banking Transactions,” Business Standard, 29 June 2015, www.business-standard.com/article/pf/10-risks-of-mobile-banking-transactions-115062900574_1.html
6 Kim, J.; S. Hong; “A Method of Risk Assessment for Multi-Factor Authentication,” Journal of Information Processing Systems, vol. 7, iss. 1, 2011
7 Kossman, S.; “10 Dangers of Mobile Banking,” US News and World Report, 24 July 2013, http://money.usnews.com/money/personal-finance/slideshows/10-dangers-of-mobile-banking/2
8 Odumeru, J.; “Going Cashless: Adoption of Mobile Banking in Nigeria,” Arabian Journal of Business and Management Review, vol. 1, iss. 2, 2013
9 Ayo, C.; W. Ukpere; A. Oni; U. Omote; D. Akinsiku; “A Prototype Mobile Money Implementation in Nigeria,” African Journal of Business, vol. 6, iss. 6, 2012, p. 2195-2201
10 Klein, M.; C. Mayer; “Mobile Banking and Financial Inclusion: The Regulatory Lessons,” World Bank Group: Open Knowledge Repository, 1 May 2011, https://openknowledge.worldbank.org/handle/10986/3427?show=full
11 Ondiege, P.; “Mobile Banking in Africa: Taking the Bank to the People,” African Development Bank, vol. 1, iss. 8, December 2010, https://www.afdb.org/fileadmin/uploads/afdb/Documents/Publications/John%20brief%201_John%20brief%201.pdf
12 Pegueros, V.; “Security of Mobile Banking and Payments,” SANS Institute InfoSec Reading Room, 1 November 2012, https://www.sans.org/reading-room/whitepapers/ecommerce/security-mobile-banking-payments-34062
13 Pesante, L.; “Introduction to Information Security,” United States Computer Emergency Readiness Team, January 2008, https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf
14 Hu, V.; D. Ferraiolo; R. Kuhn; A. Schnitzer; K. Sandlin; R. Miller; K. Scarfone; “Guide to Attribute Based Access Control (ABAC) Definition and Considerations,” National Institute of Standards and Technology, USA, http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
15 Gunjan, K.; G. Sahoo; R. Tiwari; “Identity Management in Cloud Computing—A Review,” International Journal of Engineering Research and Technology, vol. 1, iss. 4, 2012
16 Social Security Administration, “Identity Theft and Your Social Security Number,” USA, https://www.ssa.gov/pubs/EN-05-10064.pdf
17 Papadopouli, M., et al.; Mobile Identity Management, European Network and Information Security Agency, 13 April 2010, https://www.enisa.europa.eu/publications/Mobile%20IDM
18 Symantec Analyst Relations, “Two-Factor Authentication: A Total Cost Ownership Viewpoint,” Symantec, 14 June 2011, https://www.symantec.com/connect/blogs/two-factor-authentication-total-cost-ownership-viewpoint
19 Jacobs, B.; E. Poll; “Biometrics and Smart Cards in Identity Management,” 15 February 2010, www.cs.ru.nl/~erikpoll/papers/biometrics.pdf

Adeniyi Akanni, Ph. D., CISA, CRISC, ISO 27001 LA, ITIL, is a manager at First Bank of Nigeria Ltd. He has 20 years of banking experience that cuts across operations, internal control and internal audit.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.