
Graduate School of Business Faculty of Business & Accountancy

CMGB6102 Management Information Systems

[Mini project report] How to solve fraud issues in Mobile Banking

Semester 1, 2010/2011

(Evening Class on Tuesday) CGA090055 CGA090085 CGA100015 CGA100045

1|Page

Table of Contents

Abstract (p. 3)
1. Introduction (p. 4)
   1.1 Definition (p. 4)
   1.2 Mobile Banking History (p. 6)
2. Literature Review (p. 7)
   2.1 Mobile Banking (p. 7)
   2.2 Fraud concerns associated with Mobile Banking (p. 11)
   2.3 Peculiarity of Mobile Banking (p. 18)
   2.4 Customer Protection discussed up to date (p. 20)
      2.4.1 Security in Mobile Banking (p. 20)
      2.4.2 Regulation and Guideline of Security (p. 20)
      2.4.3 Authentication (p. 23)
      2.4.4 Integrity (p. 25)
      2.4.5 Customer awareness and perception (p. 28)
3. Challenges (p. 30)
   3.1 Challenges (p. 30)
   3.2 Security (p. 30)
   3.3 Handphone Operability (p. 32)
   3.4 Scalability and Reliability (p. 32)
   3.5 Application Distribution (p. 33)
   3.6 Natural Limitations (p. 33)
4. Discussions (p. 34)
5. Conclusions (p. 41)
6. Recommendations (p. 43)
References (p. 45)


Abstract

Mobile banking is now spreading fast across the world, in developed and developing countries alike. The main purpose of this research is to identify the fraud and risk concerns associated with mobile banking, the customer protections available and the ways to address these concerns, as well as the different types of mobile banking services. It also discusses mobile banking in Malaysia and the role of mobile operators in the mobile banking world. This report was compiled on the basis of published reports from the various sources listed in the references. The results of the study show that the use of mobile phones for mobile financial services is relatively new in Malaysia. Our findings should be of interest to mobile financial service providers, whether banks or non-banks, who are considering introducing a mobile financial service, and to financial regulators who are increasingly interested in the risks of mobile banking and the extent to which providers understand and manage these risks. This study hopes to give them an idea of the concerns and risks involved in implementing mobile banking projects. Furthermore, this paper may serve as a guide for managers in the telecommunication and banking industries, as well as government agencies, on possible threats in undertaking mobile banking projects. This paper faced a time limitation, as more time would be needed for a detailed and thorough study.


1. Introduction

1.1 Definition

Mobile Banking is a new facility in the banking sector which allows customers to perform banking actions on their cell phone or other mobile device. This new method of banking, also known as M-banking and SMS banking, is popular and frequently used by customers because it fits a busy and technologically oriented lifestyle. Mobile banking is meant to be easier and more convenient for the consumer than having to physically go to the bank, log on from a home computer, or make a phone call. Through this convenient facility, customers can log into their account from a cell phone and then carry out transactions such as making payments, checking balances, transferring money between accounts, notifying the bank of a lost or stolen credit card, stopping payment on a cheque, receiving a new PIN, viewing a monthly statement and many more.

However, the amount of banking customers are able to do on their cell phone varies depending on the banking institution they use. Some banks just offer basic mobile banking activities like text alerts, which are messages sent to the cell phone that alert customers to activity on their account such as deposits, withdrawals, and ATM or credit card use. Below are the popular transactions that can be performed through a mobile phone, divided into two categories: account information, and payments, deposits, withdrawals and transfers.

Account information
- Mini-statements and checking of account history
- Alerts on account activity or passing of set thresholds
- Monitoring of term deposits
- Access to loan statements
- Access to card statements
- Mutual funds / equity statements
- Insurance policy management
- Pension plan management
- Status of cheques, stop payment on cheques
- Ordering cheque books
- Balance checking of the account
- Recent transactions
- Due date of payment (functionality for stopping, changing and deleting payments)
- PIN provision, change of PIN and reminder over the Internet
- Blocking of (lost, stolen) cards

Payments, deposits, withdrawals and transfers
- Domestic and international fund transfers
- Micro-payment handling
- Mobile recharging
- Commercial payment processing
- Bill payment processing
- Peer-to-peer payments
- Withdrawal at banking agent
- Deposit at banking agent


1.2 Mobile Banking History

In the past 30 years, financial institutions have been on a quest to satisfy their customers' need for more convenience. The first to come onto the market was the Automated Teller Machine (ATM), which New York's Chemical Bank introduced to the American public in 1969. It did little more than dispense cash at first, but following the evolution of the banking sector, ATMs now provide a full suite of financial transactions.

In the mid-1990s, internet banking was introduced, which enabled consumers to access their financial accounts using a home computer with an Internet connection. However, this new banking facility has some serious limitations. Not all households have a computer, and some households have a computer without internet access, making it impossible for them to use internet banking. The biggest issue is mobility, since it is impossible for consumers to stay connected in virtually any location on the planet.

The first mobile banking and payment initiatives were announced during 1999 by a company named Paybox in Germany. They evolved over time, and this banking facility is now used by millions of people around the globe. Suited to the new lifestyle in which most people have a mobile phone, this new technology also offers a variety of transactions that allow banking activities to be performed anywhere and at any time.


2. Literature Review

2.1 Mobile Banking

Mobile Banking refers to the ability to access and execute banking and financial services through the use of mobile devices. The financial services offered include the administration of an account, access to customised information and the execution of banking and stock market transactions (Tiwari and Buse, 2007).

Mobile banking is a new, emerging sector of mobile financial services that utilises mobile telecommunication technologies. Mobile financial services can be divided into mobile payment and mobile banking. The border between the two domains can be drawn by determining whether a banking activity or a mere mobile payment is concerned (Rolf H. and Aline, 2010).

According to Rolf H. and Aline (2010), mobile payment has so far expanded widely and quickly in industrialised countries. Mobile payment typically involves a variety of financial service providers fulfilling an intermediary function between demand and supply in order to facilitate the purchase of products or services with the help of mobile devices.

In contrast, mobile banking is growing now and is regulated more strictly than mobile payment, since mobile banking services mean that the transactions are always associated with a traditional banking activity (Rolf H. and Aline, 2010). Providers of mobile banking services are regarded as credit institutions and are required to obtain authorisation before starting their activities (Directive 2006/48/EC).

At the same time, the issuance of electronic money also needs to be viewed differently, because it does not automatically correspond to a banking activity (Rolf H. and Aline, 2010).

Mobile banking has gained popularity since the year 2000 all over the world, with customers willing to pay extra for the use of mobile banking services (Tiwari and Buse, 2006). Tiwari and Buse (2007) also gave the example of South Korea, where the demand for mobile banking (the number of registered users) rose by 108% from 2004 to 2005. At the same time, the number of mobile banking transactions increased by 104% from 2004 to 2005, with a daily average of 287 transactions in 2005 (Korea Times, 2006).

The increasing demand for mobile banking worldwide is driven by the following factors (Tiwari, 2006):

- The number of mobile phone users has increased tremendously to an all-time high penetration.
- Globalisation has led to the need for mobility; hence, mobile services are no longer a luxury. Mobile services are now necessary for many people.
- The younger generations have been taught to use the internet at a young age, and these children seem to be attracted by modern technology and telecommunication services.
- Mobile communication devices have advanced technologically to become a powerful tool, especially together with the introduction of faster data transmission through new standards such as the Universal Mobile Telecommunications System.


In the context of business opportunities, the broader usage of mobile telecommunication has motivated banks as well as non-banks to develop new payment services for their customers. The banking industry is not primarily motivated by the opportunity for new profits resulting from mobile financial services, but rather by image management as an innovative bank (Rolf H. and Aline, 2010).

Mobile banking services may be categorised as follows (Georgi and Pinkl, 2005; Rolf H. and Aline, 2010):

1) Mobile Accounting
2) Mobile Brokerage
3) Mobile Financial Information

Mobile Accounting

Georgi and Pinkl (2005) defined Mobile Accounting as "transaction-based banking services that revolve around a standard bank account and are conducted and/or availed by mobile devices" (p. 57) (Rolf H. and Aline, 2010). Mobile Accounting can be categorised into two groups.

The first group is called Account Operation, which involves monetary transaction activities. This includes using mobile banking services to remit money, such as paying bills and transferring money; issuing standing instructions for recurring bill payments such as monthly rental or telephone bills; transferring funds to and from sub-accounts, such as from a savings account to a current account; and subscribing to insurance policies, such as purchasing a travel insurance policy at short notice.

The second group is called Account Administration, which refers to users using mobile banking services to maintain their own account. This includes administrative matters such as changing the PIN; changing operative accounts, such as creating sub-accounts to allow users to utilise funds in a particular account without affecting the default account; blocking lost debit and credit cards regardless of the user's location; and cheque book requests.

Mobile Brokerage

Users can use mobile banking facilities for intermediary services related to their securities account (Georgi and Pinkl, 2005, p. 57; Rolf H. and Aline, 2010). The main services are the selling and buying of shares, bonds, funds, derivatives (such as futures, swaps, etc.) and foreign exchange. Mobile brokerage can be categorised into two groups.

The first group of mobile brokerage is called Account Operation. Account operation means users use mobile brokerage to buy and sell financial instruments. This includes buying securities, stocks and other financial instruments.

The second group is called Account Administration. The mobile banking services allow users to administer or manage an account, such as changing the PIN. They also allow users to manage their order books, such as changing a stock purchase instruction or placing new standing orders to buy or sell a particular stock when its price reaches a specified value.


Mobile Financial Information

Mobile Financial Information refers to non-transaction-based banking services (Georgi and Pinkl, 2005, p. 57; Rolf H. and Aline, 2010). This can also be categorised into two groups.

The first group is called Account Information. Here, users can access their accounts to check their account balances, request a list of the latest transactions performed, generate a statement for a given period, receive an alert SMS from the bank whenever transactions exceeding a certain amount are made on the account, receive an alert SMS from the bank when specified stocks fall or jump to a predefined value, receive information if a cheque received has not been honoured, find the nearest ATM or bank branch, and receive the latest product offers from the bank.

The second group is called Market Information. The information here is not directly related to the user's account. The request is customised according to the user's needs and preferences, and the information is sent to the user's mobile phone. Examples of market information are requests for foreign exchange rates, interest rates, mortgage rates, stock market news and commodity prices.

2.2 Fraud concerns associated with Mobile Banking

Mobile banking has created new opportunities for consumers and criminals alike, and some of the greatest vulnerabilities derive from the same factors that make banking by mobile device so attractive (Rapport, 2010).


Moreover, it is notable that the logical process and business concept of mobile banking follow those of internet banking, with only the wireless space added (Digital Times, 2009). Hence, mobile banking is exposed to all the fraud of internet banking and to a variety of web-based fraud. At the same time, the review of frauds in internet banking and web-based scams must be on the same line as mobile banking, since the mobile device offers almost the same financial functions.

Fraud is a million dollar business and it is increasing each year. The PwC global economic survey 2007 suggests that almost 50% of companies worldwide reported having fallen victim to fraud in the past two years.

Fraud involves one or more people who intentionally act to secretly deprive someone else of something of value, for their own advantage. Fraud can take unlimited forms. In recent years, advanced technology and information systems have given unscrupulous people more ways to commit fraud (Bolton and Hand, 2002). Traditional methods of data analysis as a way to detect fraud have been used for a long time. This method requires detailed investigation and analysis of financial, economic, legal and corporate practices.

Although frauds may be similar in content and appearance, each fraud committed is usually not identical to the others (Palshikar, 2002). The first industries that attempted to detect and prevent fraud were the telephony companies, the insurance companies and banks (Decker, 1998). One successful example is the data analysis technique called the Falcon fraud assessment system developed by the banks, based on a neural network shell (Brachman et al., 1996).

Today's financial frauds have many faces. They can involve credit card fraud, real estate fraud, money laundering, deceptive telemarketing, etc. Specifically related to mobile banking, Tom Vander and Annelies (2006) described the cloning of SIM cards as a criminal activity. Cloning the SIM card of a particular person's mobile phone for criminal purposes is a case that happens quite often. SIM cards include the information required for banks to identify the unique customer.

According to the McAfee report, in 2008 United States online business recorded losses worth US$4bil due to fraud. The following are the types of fraud (McAfee):

1) Identity theft. A person's identity in the real world is protected by law. In the virtual world, a person's identity outline is less clear. Some digital data tied to an individual's identity (such as a user name, password and account number) can provide access to that person's personal data. The workstation is the target spot for cyber criminals.

2) Carding and skimming. Many carding sites can easily be found on the internet, where buyers buy or sell access to bank accounts, stolen card numbers, dumps from magnetic strips and even entire personal profiles.

3) Phishing or pharming. Phishing is done by obtaining confidential information from a user by posing as a trusted authority. This is usually done using a cleverly deceptive email; the criminal redirects users to a mirror site. Victims who believe they are browsing legitimate sites continue to enter their personal information, not realising that the bank emails are fraudulent. The RSA report (2009) describes the state of phishing fraud as follows:

Figure1: Phishing attacks per month

Figure 2: Top ten countries hosting phishing attacks


4) Crimeware. These crimes include password stealers and key loggers, which log keystrokes, take screen captures, and send all data to collector sites. Crimeware is often associated with rootkits, stealth programs that enable crimeware to be completely hidden from many security tools.

5) Money laundering. Traditional money laundering activities include electronic funds transfer, fictional companies with foreign banks, cash smuggling, bank fraud and informal money exchange brokers. Modern-day money laundering includes mules and virtual casinos. Mules are individuals recruited over the Internet who serve as intermediaries for recovering cash from funds that were illegally acquired through phishing, key logging and other scams. For each transaction, the mule deducts between five and ten percent of the committed amount, forwarding the balance via an anonymous transfer service such as WebMoney, e-gold or Western Union. Virtual casinos are online gambling sites which operate without a licence. According to the McAfee report, of around 15,000 active online gambling sites available in 2006, only 1,766 were operating with a licence. This means more than 87% of online gambling sites are illegal.

6) Pump and dump. This is a manipulation of low-priced (penny) stock, usually from unattractive companies. After purchasing a large number of shares at a low price, the manipulator uses spam techniques to send out enthusiastic messages that artificially inflate the stock price. Several days later, after an increase in the stock price in the market, the spammer dumps the stock and reaps a nice profit.

7) Auctions. Auction fraud is one of the biggest concerns among authorities. It was found on eBay, Amazon.com and Overstock.com, where users never received the goods they bid on and paid for, or the goods that arrived were not in usable condition. According to the RSA report 2009, fraud is a non-stop threat to individuals and organisations around the globe, and cyber criminals are increasing at an accelerating pace. In fact, fraudsters continuously develop their technology, carry out increasingly sophisticated attacks, and deceive online users into falling for scams. Also, global situations, such as the economy and vulnerability in financial markets, seem to have an impact on the evolution of cybercrime.

The RSA report 2009 suggests that new fraud technologies are already prevalent, such as the following:

1) The use of fast-flux botnets. RSA has seen the creation of several sophisticated fast-flux network hosting services, launched by fraudsters and provided for a fee to other online criminals. These fast-flux networks were observed being used by online criminals to host phishing and other wrongful content such as money mule recruitment sites. Fast-flux is an advanced Domain Name System (DNS) technique that recruits a network of compromised computers to deliver and host phishing and malware websites. The compromised computers act as agents, or middlemen, between the target and the website. It is difficult to uncover and shut down fast-flux networks, as the malicious content servers hosting the phishing and malware websites are hidden behind a cloud of compromised machines whose addresses change very quickly in order to avoid detection.

2) Money muling. Money mule recruitment networks and "mule herders" (managers who control the network of mules) form a professional fraud cash-out service operated within the fraud underground. In 2008, RSA observed a number of mule recruitment scams delivered via spam that advertised alleged jobs conducting money transfers. Websites lured people into applying for a job described as a "money transfer agent" or "regional manager". This is the part of the fraud supply chain where ordinary, innocent people who are not fraudsters are recruited to become part of the fraudsters' money laundering. Mules transfer cash originating from compromised bank accounts from one criminal account to another. A mule gets a small percentage as a reward, depending on the amount of money laundered.

Figure 3: Correspondence between an online criminal and a potential mule

Source: RSA Online Fraud Report, May 2009

3) The consolidation of "traditional" phishing and malware attacks. In April 2008, RSA uncovered a new two-fold technique that combined both classic phishing and malware content. The Rock Phish group pioneered this double-vector attack, using both phishing sites and the Zeus Trojan (information-stealing software) to attack and infect online users. Upon receiving the fraudulent correspondence, victims of these attacks were directed to phony websites created by fraudsters to solicit personal information. Concurrently, the Zeus Trojan infected their computers. As a result, even if the legitimate Internet user did not fall for the phishing scam and divulge personal details on the website, the Trojan would later steal information transmitted while the victim interacted with other websites.

The volume of phishing attacks detected during 2008 increased by 66 percent over those detected throughout 2007. Even though awareness of fraud in developed countries has been heightened among online users, phishing still remains popular ground for fraudsters because it requires very little effort, can reach a broad range of users, and does not require high technical expertise to set up.
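A defender-side illustration of the fast-flux pattern described above, added here and not taken from the report or its RSA source: repeated lookups of a constructed domain are aggregated per domain, and a domain whose answers churn through many addresses on many networks with short TTLs is flagged, while a legitimately multi-homed domain with long TTLs is not. The thresholds, the /16 prefix used as a stand-in for "different hosting network", and the sample lookups are assumptions for this example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lookups using RFC 5737 documentation ranges; not real observations.
# Each entry: (domain, answer TTL in seconds, A-record addresses returned by one query).
SAMPLE_LOOKUPS = [
    # Answers churn on every query, low TTL, hosts spread over several networks.
    ("bank-login-verify.example", 120, ["198.51.100.7", "203.0.113.44", "192.0.2.90"]),
    ("bank-login-verify.example", 120, ["198.51.100.21", "203.0.113.5", "192.0.2.141"]),
    ("bank-login-verify.example", 180, ["198.51.100.33", "203.0.113.77", "192.0.2.200"]),
    # Stable answers, long TTL: ordinary bank site.
    ("mybank.example", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("mybank.example", 86400, ["192.0.2.10", "192.0.2.11"]),
    # Many hosts on several networks but long TTL: looks like a CDN, not flux.
    ("cdn-static.example", 3600, ["198.51.100.200", "198.51.100.201", "203.0.113.200",
                                  "203.0.113.201", "192.0.2.220", "192.0.2.221"]),
]

# Heuristic thresholds assumed for this example; real deployments would use ASN data
# and tune these against their own DNS telemetry.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETWORKS = 3
MAX_TTL_SECONDS = 300


def summarise(lookups):
    """Aggregate repeated answers per domain into the features a fast-flux check uses."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "queries": 0})
    for domain, ttl, addresses in lookups:
        s = stats[domain]
        s["queries"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for addr in addresses:
            s["ips"].add(addr)
            # /16 prefix as a cheap proxy for "a different hosting network".
            s["nets"].add(str(ip_network(f"{addr}/16", strict=False)))
    return dict(stats)


def is_fast_flux(s):
    """A domain looks fluxy when answers churn across many hosts on many networks with short TTLs."""
    return (
        len(s["ips"]) >= MIN_DISTINCT_IPS
        and len(s["nets"]) >= MIN_DISTINCT_NETWORKS
        and s["min_ttl"] is not None
        and s["min_ttl"] <= MAX_TTL_SECONDS
    )


def classify(lookups):
    """Map each observed domain to True (fast-flux pattern) or False (no such pattern)."""
    return {domain: is_fast_flux(s) for domain, s in summarise(lookups).items()}


if __name__ == "__main__":
    for domain, s in summarise(SAMPLE_LOOKUPS).items():
        verdict = "FAST-FLUX SUSPECT" if is_fast_flux(s) else "stable"
        print(f"{domain:28s} ips={len(s['ips']):2d} nets={len(s['nets'])} "
              f"min_ttl={s['min_ttl']:6d} -> {verdict}")
```

The TTL condition is what separates the flux domain from the CDN-like one; without it, any widely distributed site would be flagged.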

2.3 Peculiarity of Mobile Banking

This section tries to shed light on mobile banking more closely. Credit Union (July 2010) reported that while interest in mobile banking is growing, the monitoring of fraud is the biggest challenge in payment or transfer processing. A live survey was also taken during a recent client conference of Fundtech, Ltd in the U.S.A.:

- 39% of respondents will be deploying mobile business banking services within six to 12 months.
- 5.3% said fraud monitoring is their biggest challenge in payment processing.
- 23% think adding social networking to business banking is a "ridiculous idea."
- 10% said they have already deployed mobile business banking services.
- 57% of American banks are expected to offer a solution by the end of 2010.
- 26% of respondents said that there is strong interest in mobile business banking services among their clients.

According to the survey, no small number of both businesses and banks plan to launch mobile banking services sooner or later. However, some of them are concerned about fraud monitoring, on the business side and not only the customer side. Turning to consumers, more concerns about mobile banking arise, as follows:

From the above, 44% of respondents are concerned about identity theft or fraudulent activities and so have not accessed mobile banking. Another concern voiced is the loss of the mobile device. Mobile phones are relatively small compared to PCs and are easily lost and stolen, taking their stored credentials and text messages with them (Rapport, M., 2010). Consumer education, as always, remains key too. "There are all kinds of wild cards out there: losing devices because they're not stationary like your desktop PC, new kinds of malware finding multi-access security breaches, the fact that Bluetooth (the wireless connection between cell phone and earphone) is non-encrypted, even the uniquely mobile GPS channel, but my biggest concern remains the fact that consumers are less vigilant than they should be," said former CEO Matt Lawlor.

Besides devices themselves being lost, stolen or hacked, mobile networks may also be vulnerable to interception, either by breaking the wireless encryption mechanism or by hacking into the wired backbone of the network, where encryption is not compulsory under telecommunications standards (Rapport, M., 2010).

2.4 Customer Protection discussed up to date

2.4.1 Security in Mobile Banking

As mobile banking is a viable business for financial services providers, banks need to ensure that customers' information is protected when they use their mobile devices to do their banking. The key criteria for ensuring customer data security, as described by Mustafa et al. (2002, p. 356), are as follows:

Confidentiality. Customers' data must be protected at all times against any unauthorised access.

Authentication. Access to customers' data can only be allowed after the user identification has been ascertained and authenticated.

Integrity. Encryption techniques must be used to avoid fraudulence during transmission.

Non-disputability. All transactions must be documented to allow customers to track the transactions executed. This also enables customers to report any discrepancies to the bank. This is very important, as this documentation may be required by a court of law in the event of any dispute between customer and bank.

2.4.2 Regulation and Guideline of Security

Rolf H. and Aline (2010) state that the duty of banks relating to data protection and security includes two salient requirements. Under data protection, banks are not allowed to disclose customer data to third parties. Data security, on the other hand, implies that banks must keep unauthorised persons from misusing their customers' information. Banks offering mobile banking must protect customers from the threat of malware on the mobile device. Data security contributes to the protection of bank customers in terms of personal wealth and information. The common regulations on data protection apply to financial services providers when a mobile device is used to undertake banking transactions.

As an example of such regulations, the UK put into effect the Privacy and Electronic Communications (EC Directive) Regulations 2003, reflecting the European Communities' data protection and privacy regulation of 2003, where personal data includes data such as mailing lists of named individuals, cookies containing personal data, etc. The Regulations also govern problems of security, the confidentiality of electronic communications and the collection, retention and processing of traffic, location and billing data (Kwang Jin, et al. 2007).

At the same time, the OECD proposed the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data in the context of international standardisation. However, the domestic regulations of OECD members fall short of the OECD guidelines.

Figure 4: Principles of Privacy and Personal Data Protection

Collection limitation. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data quality. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose specification. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use limitation. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: a) with the consent of the data subject; or b) by the authority of law.

Security safeguards. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual participation. An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Accountability. A data controller should be accountable for complying with measures which give effect to the principles stated above.

Source: www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html

2.4.3 Authentication

Customer identification and authorisation are essential processes throughout all steps of wireless transmission. For security purposes, customer authentication implies that the bank must know whether the customer is authorised to undertake the related transaction (Weber and Willi, 2006). The following can be reviewed as examples (Rolf H. and Aline, 2010; Youngsam and Suk, 2008):

Personal Identification Number (PIN) and Transaction Number (TAN): when customers undertake financial transactions on a secure website, they need a PIN and a TAN.

Confirmation of the transaction: the Mobile Transaction Number process requires transaction confirmation through the mobile phone after the transaction has been completed by the customer; that is, transaction-related information is delivered to the customer via the mobile device.

Wireless Public Key Infrastructure (WPKI): even though the business logic and system base of mobile banking are the same as those of website-based internet banking (Digital Times, 2009), mobile banking service providers use authentication supported by a chip such as the Subscriber Identity Module (SIM), while internet banking utilises security based on Public Key Infrastructure (PKI). A PKI is an arrangement for managing digital certificates, which bind public keys to their respective user identities.

Banks must employ reliable methods for verifying the identity and authorisation of new customers, as well as for authenticating the identity and authorisation of established customers who initiate electronic transactions (BCBS, 2003). The methods banks use include PINs, passwords, smart cards, digital certificates (issued under a PKI) and biometric identifiers.

2.4.4 Integrity

Banks know that any information customers submit to a website is at risk in transit unless it is protected, and they therefore need to deploy encryption technology and Secure Sockets Layer (SSL) certificates (Ion and Alexandru, 2010).

Encryption is the process of encoding information so that it is unintelligible to anyone but the intended recipient, who decodes it at the receiving end in order to read or hear it. Encryption also underpins related security properties: authentication, privacy/confidentiality and non-repudiation (Valacich and Schneider, 4th edition).

Encryption is the foundation of the data integrity and privacy that e-commerce requires. In general, customers will submit sensitive information and transactions, in mobile banking as in web-based transactions, only when they are convinced that the information is secure (Ion and Alexandru, 2010). Encryption comes in different strengths, expressed by the number of bits in the key the algorithm uses. The current standard of 128 bits is considered, for all intents and purposes, unbreakable at current computing speeds. Key length is only one factor, however: the algorithm, its mode of operation and the key exchange that protects the key must be sound as well.

Ion and Alexandru (2010) note that older versions of some operating systems and browsers, in certain combinations, including many Windows 2000 systems, do not support more than 40-bit or 56-bit encryption. Even the newest Windows 7 operating system and its server counterpart, Windows Server 2008 R2, can still fall back to 40-bit encryption for connections with older systems. These key lengths are easily broken today, leaving users of those operating system and browser combinations vulnerable. Server Gated Cryptography (SGC), available with certain VeriSign SSL certificates, overcomes this problem for 99.9% of website visitors; the remaining 0.1% are certain older browser versions that are not capable of 128-bit encryption with any SSL certificate (p. 31).

Secure Sockets Layer (SSL), the standard for web security, is the technology used to encrypt and protect transaction information transmitted over the web. SSL protects online customer data in motion, which a thief or hacker could otherwise intercept and tamper with if it were sent unencrypted; it does not protect data once it is stored on the handset or the server. An SSL certificate is an electronic file that uniquely identifies an individual or a site and allows encrypted communication. SSL certificates act as a kind of digital passport or credential (Ion and Alexandru, 2010).

Hence the security technologies of web transactions, encryption and SSL certificates, can be applied to mobile banking, since mobile banking uses the same business logic and system environment and differs only in the wireless link. A certificate is only as good as the trust the client places in the authority that issued it, however. According to a 2010 post on Nicholasthomas's WordPress blog, SSL certificates issued by Network Solutions were not recognised as trusted by current smartphones:

"Today we received reports from our users that their phones were presenting them with an egregious SSL certificate error when trying to access our mobile application. We decided to use Network Solutions for an EV SSL cert (primarily to save a lot of money per year on the same certificates at VeriSign). We did not do sufficient homework." (Source: wordpress.com)

The lesson is that an SSL certificate is trusted only if the root certificate of the issuing Certification Authority is present in the device's trust store; an otherwise valid certificate that chains to a root the handset does not ship produces exactly the error described above, so a bank must check its certificate chain against the trust stores of the handsets its customers actually use before launch. In response to the wider erosion of trust in online authentication, a consortium of leading certification authorities and browser vendors, including Microsoft, Mozilla, Opera and VeriSign (the CA/Browser Forum), joined forces to create anti-phishing best practice for emerging trust threats on the Internet. The first result of that effort was the Extended Validation (EV) SSL certificate. EV combines the encryption capability of SSL with a stricter verification of the website operator's identity by a trusted Certification Authority before the certificate is issued. An EV certificate therefore helps customers confirm that they are dealing with the legitimate bank rather than an impostor site; the encryption it provides is the same as that of any other SSL certificate.

One of the key purposes of SSL and EV SSL certificates is to assure customers that they are actually transacting with the site they believe they are accessing. Security responses to online fraud have so far been largely passive and ineffective, relying on ageing tools that become more vulnerable as mobile device technology keeps changing. By adopting up-to-date security solutions, banks can capitalise on this trust and gain tangible and intangible benefits from investing resources in the secure development of mobile banking (Ion and Alexandru, 2010).
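The certificate error in the blog post above, and the discussion of key lengths and certificate trust, come down to how the client is configured. The following Python example is added here and is not part of the original report or of Ion and Alexandru (2010). It contrasts a permissive TLS client context with a hardened one (certificate chain and host name verification, TLS 1.2 minimum, forward-secret AEAD suites only) and shows a connect routine that fails closed on a certificate error instead of proceeding unverified. The host name www.example.com and the describe() audit helper are illustrative assumptions.

```python
"""TLS client configuration for a mobile-banking client or a bank's back-end call.

Added example, not from the original report or its sources. The host name and the
describe() audit helper are illustrative; the hardening steps are standard ssl usage.
"""
import socket
import ssl


def legacy_context():
    """The weak shape to avoid: every protocol version OpenSSL still offers, no host
    name check and no certificate verification. A client like this 'works' against a
    mis-issued or untrusted certificate instead of failing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile=None):
    """Verify the chain against the platform (or supplied) trust store, require the
    certificate to match the host name, refuse anything below TLS 1.2 and restrict
    the TLS 1.2 suites to forward-secret AEAD ciphers."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_suites(ctx):
    """Names of any negotiable cipher suites a bank should not accept."""
    bad = ("RC4", "3DES", "DES-", "NULL", "EXPORT", "MD5", "anon")
    return [c["name"] for c in ctx.get_ciphers() if any(b in c["name"] for b in bad)]


def describe(ctx):
    """Plain-data summary used to audit a context before it is shipped."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_check": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "weak_suites": weak_suites(ctx),
    }


def connect_and_verify(host, port=443, ctx=None, timeout=5.0):
    """Open a TLS connection; on a chain or host name error, fail closed and return
    the reason instead of falling back to an unverified session. Returns (ok, detail)."""
    ctx = ctx or hardened_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, {"version": tls.version(),
                              "cipher": tls.cipher()[0],
                              "subject": cert.get("subject")}
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    print(describe(hardened_context()))
    ok, detail = connect_and_verify("www.example.com")   # illustrative host
    print("verified" if ok else "refused", detail)
```

The point of connect_and_verify() is the shape of its error handling: a certificate that chains to a root the client does not trust is reported and the transaction is not attempted, which is the behaviour the smartphones in the blog post showed and the behaviour a bank's own client code should copy rather than suppress.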


2.4.5 Customer awareness and perception

Besides deploying devices or software such as EV SSL, Ion and Alexandru (2010) stress that financial institutions and online businesses must continue to educate customers and bring them up to the level of knowledge that safe use of today's networks requires. The parties involved should spread information on how to recognise the most common signs of phishing: misspellings, a generic salutation instead of a clear and personalised one, urgent deadlines for acting in a certain way, threats about the status of the account, requests for the user's personal data, and fake domain names and links. Banks in particular should educate customers and help them recognise what a valid and secure transaction looks like before they enter personal and sensitive information into a mobile banking transaction (Ion and Alexandru, 2010).
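The phishing indicators listed above can also be checked mechanically, for example by a bank's SMS gateway or a customer-facing "is this message from us?" tool. The following Python example is added here and is not part of the original report or its sources; it scores a message on the same indicators (generic salutation, urgency or account-status threat, request for credentials, look-alike domain) and runs over two constructed sample messages. The bank name "examplebank", the domain examplebank.com and the sample texts are assumptions made for illustration.

```python
"""Heuristic screen for phishing/smishing text aimed at bank customers.

Added example, not from the original report or any cited source. The bank name,
legitimate domain and sample messages are constructed for illustration only.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"examplebank.com"}     # assumption: the bank's real domain
BANK_NAME = "examplebank"

URGENCY = ("immediately", "within 24 hours", "urgent", "suspended", "locked")
CREDENTIAL_REQUESTS = ("pin", "password", "one-time password", "otp", "security question")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder", "valued customer")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostnames(text):
    """Return the host of every URL found in the message, lower-cased."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def looks_like_bank(host):
    """True when a host is NOT the bank's own domain (or a subdomain of it) but
    imitates it: the bank name as a label elsewhere, or a typo-squat that swaps
    digits for letters or inserts hyphens."""
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    normalised = host.replace("0", "o").replace("1", "l").replace("-", "")
    return BANK_NAME in normalised


def score_message(text):
    """Return (score, reasons). Each indicator adds one point; a score of 2 or more
    is treated as suspicious. Indicators follow the list in section 2.4.5."""
    lowered = text.lower()
    reasons = []
    if any(s in lowered for s in GENERIC_SALUTATIONS):
        reasons.append("generic salutation")
    if any(u in lowered for u in URGENCY):
        reasons.append("urgency or account-status threat")
    if any(c in lowered for c in CREDENTIAL_REQUESTS):
        reasons.append("asks for credentials")
    for host in hostnames(text):
        if looks_like_bank(host):
            reasons.append(f"look-alike domain: {host}")
    return len(reasons), reasons


# Constructed sample messages (not real traffic).
SAMPLES = {
    "smish": "Dear customer, your ExampleBank account is suspended. Verify your PIN "
             "within 24 hours at http://examplebank-secure.verify-login.net/confirm",
    "legit": "Hello Aminah, your statement for October is ready at "
             "https://online.examplebank.com/statements. "
             "We will never ask you for your login details.",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        score, reasons = score_message(text)
        print(f"{label}: score={score} {'SUSPICIOUS' if score >= 2 else 'ok'} {reasons}")
```

This is deliberately a screen, not a verdict: a legitimate reminder can mention a deadline, and a careful attacker can avoid every keyword, so the output belongs in customer education and in triage rather than in automatic blocking.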

The Independent Community Bankers of America (ICBA) and its nearly 5,000 member banks are advising consumers on how to use mobile banking applications safely. "Mobile banking, one of the fastest growing trends, gives our customers flexibility and the chance to manage their finances any time, anywhere. To stay ahead of the demand, community banks are investing millions to secure their banking channels, but consumers need to make good decisions as well in order to avoid the scams and schemes that are growing up around this new technology," said R. Michael Menzies, ICBA chairman and president and CEO of Easton Bank and Trust Co., Easton, Md.


Banks can pass along the following advice with their mobile banking applications (Teller Vision, May 2010, p. 5):

- Never pass personal identification or banking information via your mobile device unless you initiated the contact and you know that you are dealing directly with your bank. Remember, your bank would never contact you asking for personal or banking information. Assume any unsolicited text request is fraudulent. Giving out this information places your finances and privacy at risk.
- Avoid sharing your password, account number, PIN and answers to secret questions. Don't save this information anywhere on your phone.
- Don't set the web or client-text service to log you in to your bank account automatically. If your phone is lost or stolen, someone would have free access to your money.
- Set the phone to require a password to power on the handset or wake it from sleep mode.
- Tell your bank and your mobile operator immediately if you lose your phone.

S. Singh's (2006) study concluded that people generally focus on the services that financial institutions deliver rather than on the technologies used to secure their data. Banks can increase customers' trust in their data security in three ways:

- Increase the convenience and usefulness of online transactions.
- Have customers believe that the bank would not allow them to suffer from fraudulent activity.
- Provide a personalised online transaction experience by giving customers greater control over their transactions and information.

What matters most is that customers feel at ease using mobile services. They need to trust that the bank will do whatever is necessary to protect their interests and security. Hence it is important that banks build that perception of trust, and customer awareness, among their customers (S. Singh, 2006; Teller Vision, May 2010).

In a nutshell, customer protection goes beyond the requirements resulting from technical security and customer awareness. The bank has a fiduciary duty to its customers. The bank shall abide by its duties in order to gain customer trust.

3. Issues/Problems/Challenges

3.1 Challenges

Mobile banking applies advanced technology to a new way of meeting banking needs, and providers of the service face challenges along the way to implementing it. The biggest challenge is data security, followed by handset operability, scalability and reliability, application distribution, and the natural limitations of the handset itself.

3.2 Security

Most financial institutions are now adding mobile banking and financial services as consumers increasingly turn to their mobile devices for everyday tasks. Despite the convenience, many consumers are reluctant to try mobile banking because of perceived security threats. Mobile banking transactions travel over the air, and consumers worry that information such as their name, address, transaction amounts, credit card number and PIN could be intercepted and misused. Financial institutions need a strategy and a plan to overcome this challenge and raise consumers' confidence in the new facility. To secure mobile banking transactions, the following aspects need to be addressed:

- Physical security of the hand-held device. If the institution offers smart-card based security, the physical security of the device matters even more.
- Security of any thick-client application running on the device. If the device is stolen, the attacker should still need at least an ID and password to open the application.
- Authentication of the device with the service provider before a transaction is initiated, so that unauthorised devices cannot be used to perform financial transactions.
- User ID and password authentication of the bank's customer.
- Encryption of the data transmitted over the air.
- Encryption of any data stored on the device for later or offline viewing by the customer.

In addition, financial and banking service providers have introduced one-time passwords (OTPs) to fight cyber fraud. Consumers request an OTP each time they want to perform a transaction through mobile banking; when the request is received, the password is sent to the consumer's phone via SMS. The password expires once it has been used or once its scheduled lifetime has elapsed. This is more efficient and more secure than a traditional memorised password, with the caveat that an OTP delivered by SMS is only as secure as the handset and the mobile network that deliver it; it should therefore be bound to the details of the specific transaction it confirms, not merely to the login session.
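The transaction confirmation (mobile TAN) mechanism described in section 2.4.3 and the SMS one-time password described above are the same control seen from two sides, and both stand or fall on three server-side rules: the code expires, it can be used once, and it is bound to the exact transaction it was issued for. The following Python example is added here and is not part of the original report or its sources; it implements issuance and verification with those rules, storing only an HMAC of the code so that a database leak does not expose live codes. The in-memory store, the two-minute lifetime, the three-attempt limit and the SMS stub are assumptions made for illustration.

```python
"""Transaction-bound one-time codes (mobile TAN / SMS OTP) with expiry and single use.

Added example, not from the original report or its sources. The code store is an
in-memory dict standing in for the bank's database; the SMS sending step is a stub.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 120       # assumption: a code is valid for two minutes
MAX_ATTEMPTS = 3            # assumption: three wrong guesses invalidate the code


@dataclass
class PendingOtp:
    digest: bytes           # HMAC over (transaction, code); the clear code is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpStore:
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)   # user_id -> PendingOtp


def canonical_txn(txn):
    """Fixed field order so the code is bound to exactly these transaction details."""
    return f"{txn['from']}|{txn['to']}|{txn['amount']}|{txn['currency']}".encode()


def bind(store, code, txn):
    """HMAC of transaction details and code under a server-side key."""
    return hmac.new(store.server_key, canonical_txn(txn) + b"|" + code.encode(),
                    hashlib.sha256).digest()


def send_sms_stub(user_id, text):
    """Stand-in for the SMS gateway; this is where the code and details would leave."""
    return None


def issue_otp(store, user_id, txn, now=None):
    """Generate a 6-digit code, record only its binding, and return the code so the
    caller can deliver it (here via the stub) together with the transaction details."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    store.pending[user_id] = PendingOtp(digest=bind(store, code, txn),
                                        expires_at=now + OTP_TTL_SECONDS)
    send_sms_stub(user_id, f"Confirm {txn['amount']} {txn['currency']} to {txn['to']}: code {code}")
    return code


def verify_otp(store, user_id, txn, code, now=None):
    """True only if a live, unused code exists for this user and it was issued for
    exactly this transaction. Each failure consumes an attempt; success consumes the code."""
    now = time.time() if now is None else now
    entry = store.pending.get(user_id)
    if entry is None or entry.used:
        return False
    if now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
        del store.pending[user_id]          # expired or locked: the customer must re-request
        return False
    entry.attempts += 1
    if not hmac.compare_digest(entry.digest, bind(store, code, txn)):
        return False                         # wrong code OR altered transaction details
    entry.used = True
    return True


if __name__ == "__main__":
    # Constructed sample transaction, not real account data.
    store = OtpStore()
    txn = {"from": "ACC-001", "to": "ACC-999", "amount": "250.00", "currency": "MYR"}
    code = issue_otp(store, "user1", txn, now=1000.0)
    tampered = dict(txn, amount="2500.00")
    print("tampered details accepted:", verify_otp(store, "user1", tampered, code, now=1010.0))
    print("genuine confirmation:", verify_otp(store, "user1", txn, code, now=1010.0))
    print("replay accepted:", verify_otp(store, "user1", txn, code, now=1011.0))
```

Because the HMAC covers the transaction fields, a code captured from the customer's SMS cannot be replayed against a transaction with a different payee or amount, which is the property that distinguishes a transaction-bound mobile TAN from a plain login OTP.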

3.3 Handset Operability

Another challenge in rolling out mobile banking is the large number of different mobile phone models. Some devices support only Java ME applications, the SIM Application Toolkit, a WAP browser or SMS alone. How can financial institutions or banks offer services across such different devices? This is an interoperability problem, and the solution depends largely on the institution that installs and supports the mobile banking application. Standardising the devices that may be used is one way to overcome the handset operability issue: institutions would define which devices are supported based on their ability to perform the required tasks. In practice, richer transactions such as fund transfers are typically offered on smartphones such as the Apple iPhone and RIM BlackBerry, so institutions also need to consider whether the local population can afford that class of phone.

3.4 Scalability & Reliability

Another challenge for the management of financial institutions and banks is scaling up the mobile banking infrastructure to handle exponential growth of the customer base. With the common tagline "banking anytime and anywhere", customers may transact by mobile phone from any part of the world. Hence institutions need to upgrade their systems and keep them current so that they meet customers' banking needs, and the system must be able to run on a true 24 x 7 basis. As technology develops, customers' expectations of mobile banking rise too, and an institution that cannot meet their performance and reliability expectations may lose their confidence. One example of a system that allows quick and secure mobile enabling of various banking services is the Mobile Transaction Platform, which was implemented in India and met the needs of its mobile banking consumers.

3.5 Application Distribution

Because of the close connection between customers and financial institutions in mobile banking, customers may expect any upgrade or update of the application to be downloaded to their mobile phone automatically. It is impractical to expect customers to visit a branch or a website regularly to upgrade their mobile banking application. Automatic distribution raises its own issues, however, such as keeping all dependent components synchronised, which must be solved before it can be implemented.

3.6 Natural Limitations

Banking on a mobile device is not the same experience as internet banking. The main difference is that a mobile phone's display is much smaller than a personal computer's. This limits the features a bank can present, and viewing multiple accounts can become unworkable. Typing on a mobile phone is also quite different from typing on a computer keyboard, so customers sometimes feel that performing a transaction is an exercise in data entry. And because each phone has its own look and feel, the icons provided by the bank may be lost and the customer cannot see all of the information.


4. Discussions

In mobile banking the close bank-customer relationship is no longer built face to face. Hence the question arises whether the bank's fiduciary duties, for instance the duties of diligence, advice, loyalty and information, can be carried out in mobile banking, since they cannot be fulfilled in exactly the same way as in traditional banking. Because these duties must be present in all types of banking service, a satisfactory way has to be found to incorporate them in mobile banking. The reasons for developing consumer protection standards are varied. On the one hand, customer identification is imposed on banks for a public purpose, namely to combat money laundering. On the other hand, consumer protection is also in the banks' own interest: if a bank earns customer confidence, customers accept mobile banking services more readily. The virtual world has raised specific concerns about securing consumer protection, and the banking industry recognises the need for transaction transparency to promote confidence in and acceptance of electronic commerce, including mobile banking.

The role of mobile operators in mobile banking

Banks and mobile operators have two different perspectives on mobile banking. Banks view it as a way to enhance services to existing customers. Mobile operators, on the other hand, focus more on reaching the mass market and the unbanked.

Here we focus only on mobile operators. They have several options for participating in financial services delivery:


- The mobile operator can offer basic services, providing secure communications to financial service providers and so enabling transactions. The operator then acts as an intermediary, relaying messages between the provider and the customer.
- It can provide mobile wallet services, which manage the flow of transactions between accounts as directed by the mobile customer.
- The mobile operator may host the accounts of third parties and authorise transactions on their behalf. A third-party institution keeps the float, but account management is delegated to the mobile operator.
- The mobile operator may issue accounts in which value can be stored before or after a transaction. These are prepaid, electronic money or mobile accounts: basic transactional deposit accounts accessible from a mobile phone.
- The most comprehensive option is to provide full mobile banking capabilities. This goes beyond making and receiving payments and customer management of accounts to a broader range of products such as credit and insurance.

Mobile operators have advantages and core strengths in providing financial services that banks may not possess.

- Network of physical retail outlets. Mobile operators do business with a greater number of customers than banks and therefore have a greater number of retail outlets.
- Secure electronic transaction capture capability. The mobile operator can offer a customer service platform that is both secure and user-friendly because it controls the subscriber identity module (SIM) card, which identifies a user on mobile telephony devices.

- Transaction processing platform. The platforms for processing prepaid mobile billing are simple, since they do not need to support a high level of customer reporting such as monthly statements or regulatory reporting.

Incentives for mobile operators to offer financial services:

- Additional revenues. Mobile operators can charge transaction fees.
- Churn reduction. Mobile operators can reduce churn, or customer turnover, if regular users of payment services stop switching operators once they are familiar with how the service works and have a bank account linked to their mobile phone number.
- Branding. A mobile operator can strengthen its brand positioning on customer service and innovation if it is first to market with financial services.
- Distribution cost reduction. Mobile operators incur substantial costs collecting revenue from their customers; a mobile payment channel could reduce their reliance on distributing physical prepaid cards.

Risks associated with mobile operators providing financial services. Mobile operators have their own vulnerabilities when offering financial services.

- Breaches in data and transactional security. Accounting errors, fraudulent transactions and breaches of data privacy could expose the mobile operator to huge liability and reputational damage.
- Operational focus. Management's core focus is the communications business. Adding financial services may distract and stretch the abilities of smaller operators.


- Additional regulation. With the ability to provide financial services comes the obligation to comply with financial regulation. Mobile operators may incur increased costs to comply, adding to the oversight they already receive.

- Customer care costs. An increase in customer care calls could wipe out the profit from service delivery.

Malaysia's mobile banking

Industry experts at the 12th Malaysian Banking Summit 2008 said that not just internet banking but mobile banking is set for further growth and expansion globally, reports The Star. CIMB Bank retail banking head Peter England is quoted as saying that Malaysia had adopted Internet banking successfully since 2000 and that mobile banking would follow suit. There are many ways in which mobile banking can be delivered on the mobile platform: it could require users to download a Java application, or it could be deployed through WAP 2.0, SMS or even USSD (Unstructured Supplementary Service Data). With mobile banking still in its infancy in Malaysia, it is hard to tell which would work best.

Customers with Java-enabled hand phones with 3G (third generation), EDGE (Enhanced Data rates for GSM Evolution) and GPRS (General Packet Radio Service) connections can gain access to the mobile banking service.

Malaysian developer SIMER's chief executive officer, Mazlee Md. Ramli, said that SIMER Financial Solutions, launched at the CeBIT 2009 exhibition in Hanover, Germany, was being used in Malaysia and other countries. SIMER's mobile technology does not use SMS (short messaging service) or WAP (wireless application protocol), as many current mobile banking applications do, but an improved version of USSD (Unstructured Supplementary Service Data) that gives the user an interactive session on the mobile phone similar to using an ATM. The hope is that the new system will reduce fraud in mobile banking.

A Facebook group informs people about scams in Malaysia. Its initiator hopes it will help people avoid being cheated and losing money. Anyone from anywhere is welcome to share news in the hope of reducing the number of scam cases.


Security Case in Korea

The following is an example from Korea. Although the proportion of the population using internet banking in Korea is significantly higher than in other countries (Figure 5), the amount lost to fraud in Korea is considerably lower (Figure 6). The reason is that internet banking in Korea additionally requires public key certificates, and mobile banking in Korea adopts the same security system, even on smartphones, where a notable security issue has recently come to light.

Figure 5: Usage of internet banking

Country        Users of internet banking* (A)   Total population (B)   Ratio of usage (A/B)
China (2009)   140,818,000                      1,345,800,000          11.0%
USA (2009)     50,700,000**                     308,880,000            18.5%
UK (2008)      21,500,000                       61,380,000             35.0%
Korea (2009)   50,921,000                       50,060,000             118.3%

Source: www.cencus.gov. * Counted as customers of banks. ** Number per household.

Figure 6: Fraudulent amount and security method

Country  Period            Fraudulent amount (US$)  Security method                                                 Source
Korea    2008              150,000 (8)              Secure Sockets Layer + security card + public key certificate   Report of Financial Supervisory Service, 2009
Korea    Jan-Aug 2009      230,000 (14)             (as above)                                                      (as above)
USA      3rd quarter 2009  120,000,000              Secure Sockets Layer + security card                            Report of FDIC at RSA Conference, 2010
UK       2008              90,000,000               Secure Sockets Layer + security card                            UK Payments, http://www.banksafeonline.org.uk/faqs/faqs_13.html
UK       1st half 2009     66,400,000               (as above)                                                      Financial Fraud Action UK, 7.10.2009

5. Conclusions

As new technology evolves, a closer understanding and analysis of mobile banking risk is necessary, not to frighten off potential providers or to make regulators over-cautious, but precisely so as to enable entities with appropriate technologies and adequate processes to take on new risks. Mobile financial services clearly have great potential to extend access to underserved people in developing countries. However, in the developing world today and for the foreseeable future, most customers will have only standard handsets. End-to-end security can be provided on standard handsets through approaches such as the SIM toolkit. This is important in order to expand the service to more people, reach a larger segment of those who remain unbanked, and protect consumers by being able to resolve problems quickly and thereby gain their confidence.

The development of mobile payments using mobile money will be shaped by two issues: the reliability and the security of transactions, both for the customer's protection. It would be more secure to have compatible systems for transmitting information from mobiles to banks, and compatible systems across countries, if the service is to expand on a global scale. Given the newness of the service, different forms of mobile money transfer are currently being implemented. Interoperability, at both the local and the global scale, would offer significant value to customers, especially in developing countries with large populations working overseas (GSM Association, 2008). Standards may have to be agreed to allow exchanges between networks, within and across countries, and compatible transaction records would need to be kept for customers using both the bank and the mobile service. Serving the currently unbanked profitably and sustainably requires a radically different approach.

The roles of mobile operators and the banking industry are crucial, and the two need to work hand in hand to fight online fraud. Regulators and policy-makers need to ensure that the evolving systems serve the broader objectives of economic growth and development and protect consumer interests, while creating an environment that encourages and rewards innovation. With the number of mobile users increasing, it is time for a more efficient and secure banking solution.


6. Recommendations

For Financial Institutions

i. Financial institutions that provide mobile banking should also provide a link or contact details through which customers can report anything suspicious related to security. This prevents a problem from getting worse and makes it easier for the institution to gather information and find a solution.

ii. Educate customers about security issues in mobile banking and show them samples so that they learn how to spot such activity. The knowledge gained helps to prevent them from becoming victims.

iii. To secure mobile banking, financial institutions should consider the latest technology that protects consumers, for example strong barriers that prevent attackers from reaching the customer database. If an institution chooses less secure technology, technical and operational countermeasures need to be introduced to reduce the risk to the business and to individual clients.

iv. Establish a Security and Fraud Control Unit to monitor all transactions and all access to the customer database, so as to assure the security of the data.

v. Management plays an important role in developing a comprehensive risk framework, based on previous cases, in order to find the best solution to security issues in mobile banking.


For Consumers

i. Never disclose your PIN, password or any other security information to anyone. Do not write it down in front of someone or on paper. At the same time, set a password on the mobile phone to prevent misuse if the phone is stolen.

ii. Avoid any activity that makes your phone vulnerable to viruses or an easy target for hackers or fraudsters. Never open a site or URL unless you are confident about it, and delete all chain messages and other unwanted messages.

iii. Do not download software if you are unsure about its security, so that the phone is not infected with a virus that a fraudster might use to steal private information.

iv. Apply the latest updates to the mobile phone regularly to protect the sensitive information it transmits or stores.


References

Aaron Emigh (2005). Anti-Phishing Technology. San Francisco.

Bankable Frontier (2008). Managing the Risk of Mobile Banking Technologies. USA.

Bank Technology News, Jan 2010. By The Numbers.

Digital Times, http://www.dt.co.kr/contents.html?article_no=2009050702012269729001

Francois Paget, McAfee Avert Labs (2009). Financial Fraud and Internet Banking: Threats and Countermeasures.

Georgi, F., Pinkl, J. (2005). Mobile Banking in Deutschland.

GSM Association [GSMA] (2008a). Introduction to Mobile Money Transfer. http://www.gsmworld.com/documents/GSMA_Introduction_to_MMT_0908.pdf (accessed 12 June 2009).

Ion Lungu & Alexandru Tăbușcă (2010). Optimizing Anti-Phishing Solutions Based on User Awareness, Education and the Use of the Latest Web Security Solutions. Informatica Economică, vol. 14, no. 2/2010.

Joe Valacich and Christoph Schneider. Information Systems Today, 4th edition. NY, USA: Pearson.

Juan Chen & Chuanxiong Guo (2007). Online Detection and Prevention of Phishing Attacks. Institute of Communications Engineering, Nanjing, China.

Kelvin Chikomo, Ming Ki Chong, Alapan Arnab, Andrew Hutchison (2007). Security of Mobile Banking. Cape Town, South Africa.

Kwang Jin Park, Yeon Su Jung, and Dal Chun Kang (2007). The study of personal data in information communication network. Korea Information Security Agency, 31/12/2007.

KISA, May 2010.

Mobile Banking, Fraud Monitoring Among The Top Issues. Credit Union Journal, July 26, 2010.

Mobile, Net banking poised for more growth. The Star, June 6, 2008.

Moore, R. (2005). Cybercrime: Investigating High-Technology Computer Crime.

Nicholasthomas (2010). Network Solutions SSL Certs are not supported by Smartphones. http://nicholasthomas.wordpress.com/2010/03/09/network-solutions-ssl-certs-are-notsupported-by-smartphones/ (accessed 01/10/2010, 2:28).

O. Gunter (2004). The Phishing Guide: Understanding & Preventing Phishing Attacks.

Privacy and Personal Data Protection. www.oecd.org/sti/security-privacy, OECD 01/2007, and http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html (accessed 03/12/2010).

Rajnish Tiwari and Stephan Buse (2007). The Mobile Commerce Prospects: A Strategic Analysis of Opportunities in the Banking Sector.

Rajnish Tiwari, Stephan Buse and Cornelius Herstatt (2007). Mobile Services in Banking Sector: The Role of Innovative Business Solutions in Generating Competitive Advantage.

Rapport, M. (2010). Mobile Banking Security: New Problems and Old Face Emerging Channel. Credit Union Times, 21(35), 19. Retrieved from Business Source Complete database.

RSA Online Fraud Report, May 2009. A Monthly Intelligence Report from the RSA Anti-Fraud Command Center.

Sangwan Park (2010). The environment change of smart phone and Public Key Certificates.

Teller Vision, May 2010. Offer Customers Advice on Mobile Banking Safety. Teller Vision [serial online], (1393):4-5. Available from Business Source Complete, Ipswich, MA. Accessed October 1, 2010.

Supriya Singh (2006). The Social Dimensions of the Security of Internet Banking. Journal of Theoretical and Applied Electronic Commerce Research, August, vol. 1, Universidad de Talca, Chile.

Tom Vander Beken and Annelies Balcaen (2006). Crime Opportunities Provided by Legislation in Market Sectors: Mobile Phones, Waste Disposal, Banking, Pharmaceuticals. Eur J Crim Policy Res (2006) 12:299-323, DOI 10.1007/s10610-006-9025-0.

Youngsam Yun and Suk Park (2008). The prospectus and issues of mobile banking. The research center of Industrial Bank of Korea, Issue analysis 2008.7, 21/7/2008.

2008 CSI Computer Crime & Security Survey. http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf

Malaysia Anti Fraud NEWS CORNER. http://www.facebook.com/group.php?gid=69719929984

Privacy and Electronic Communications (EC Directive) Regulations 2003.
