Sunday, April 06, 2008

Security is in the eye of the bank

It is a common saying that security is only as secure as it is perceived to be. It is quite possible to develop many different security solutions that can economically protect what they are supposed to protect (the cost of the system is less than the fraud that could be committed in the absence of the system).

Unfortunately, this is not the criterion for a successful security solution that will be deployed and used. Rather, it is whether the security solution is perceived to be secure. In the case of mobile banking, the questions should be asked: "perceived by whom?" and "what will convince them that it is secure enough?"

In the case of mobile banking, I would like to argue that it is not end-consumers who are the primary evaluators of security. The key is not to ensure that end-consumers perceive mobile banking as secure, but rather that bankers do. In my experience, it is the banking fraternity that is uncomfortable with mobile banking security more often than not. Only if they are made comfortable with the security is it possible to launch a mobile banking solution. Even when the end-consumer would have been happy long ago, or even if the security solution can be proven to be economically sound, bankers will still resist.

So what is it that banks look for in a mobile banking solution:
  • Conforming to banking standards. Banks are comfortable if someone else says something is secure (VISA or the PCI, etc.). The problem is that few of these standards exist that can be applied directly to mobile banking. Also read this blog entry.
  • Bankers like security if it looks like the security that they know and understand. They like PIN blocks that are never stored and are never in the clear. They like digital security keys where the master keys are well managed (preferably by a bank or a banking body).
  • Bankers like security where the liabilities are clearly defined in case something does go wrong.
  • Bankers like security systems where all of the functionality and components are under the direct control of the bank.
Generally, bankers are not enthused by maverick, sharp and innovative solutions to managing security, but rather prefer tried and tested approaches that can be mapped to existing procedures and internal banking rules.

In deploying mobile banking solutions, it is critical to keep this in mind.