Security for mobile banking

It looks like the Accredited Standards Committee X9, the group that makes American National Standards for the financial services industry, is soon going to start work on its ANS X9.112 Part 3, Wireless Management and Security Part 3: Mobile Banking, even though work on Part 2: ATM and POS hasn’t even started yet. The sudden interest in mobile banking security is apparently due to the introduction of vans that go to events like fairs and other festivals. These vans act like a mobile bank and have a wireless connection back to a brick-and-mortar bank. These banks-in-a-van use commonly accepted protocols like SSL to protect transactions that are sent over wireless connections, but that’s not good enough for the more security-conscious banks.

Banking information security standards are fairly strict, particularly when it comes to the use of cryptography, and there are X9 standards that define in great detail how encryption and key management need to be done if it’s to be considered good enough to protect financial transactions. The use of SSL in off-the-shelf web servers doesn’t even come close to the level of care required by X9’s key management standards, and the ANS X9.112 Part 3 will try to correct that.

Creating an SSL server certificate is relatively easy with most web servers, but the process isn’t done in a way that meets the level of security that security-conscious banks want to see. They’re used to the careful key management processes that are used to generate and install the keys that protect ATMs, for example, and these are much stricter than the controls that a web server can provide. They require the generation of keys in secure hardware devices instead of in software, and require careful protection of the keys throughout their life. Most commercial web servers don’t provide a way to do key management that carefully, but that’s what ANS X9.112 Part 3 wants to require.

There’s probably a fairly small market for web servers that are secure enough to keep security-conscious banks happy, but security-conscious banks may be willing to pay a fairly high price for products that meet their needs. It will be interesting to see how the ANS X9.112 Part 3 standard evolves and how widely it’s implemented.
