The Reserve Bank of India has opened up a new challenge to technologists in India by releasing its guidelines on Mobile Banking.

Though at present the transaction value would be limited to Rs 2500/- per transaction and Rs 5000/- per day, the potential for organized salami attacks and Cyber Terrorism using the service is a distinct possibility which needs to be adequately secured.

At present, Indian Banks have not yet completely secured their online banking services and frauds are a very common affair. If such an insecure system carries over to the mobile network, the chaos in the Indian financial system will destabilize the economy.

The security standards prescribed by RBI require two-factor authentication and mPIN encryption. It is not clear whether all handsets are equipped with such facilities, or how deliberate or accidental breaches can be prevented by the service providers.

Mobile Service Providers (MSPs) have also been mandated to carry out periodic security vulnerability assessments and to document their security practices.

The security risks inherent in financial transactions and the vulnerability of the MSP network create a huge concern in society if we are pushing technology a little faster than necessary. We are yet to find appropriate anti-virus protection for mobile users and protection against SMS spoofing. We are not even able to track IMEIs at the network level and resolve duplicate IMEIs, owing to the flooding of the market with Chinese-made mobile sets.

In such a scenario, it is not clear if we can rejoice at the enthusiasm of RBI or consider it an adventure.

If MSPs want to convert this well-intended initiative into a business opportunity, they have to simultaneously set in motion a major Information Security drive. They also need to undertake a Techno Legal Compliance programme in their organization, including employee education.

Do MSPs such as Airtel, Reliance, BSNL, Vodafone, BPL etc. have the necessary information security capability to undertake the high-risk mobile banking service?

Do MSPs have in-house information security infrastructure to take care of the emerging requirements?

Does India have enough Techno Legal information security specialists to guide the MSPs?

...are some of the questions that remain unanswered.

If no proper advice is available and the MSPs rush to introduce the commercially attractive Mobile Banking services, then we are in for a turbulent period ahead in the Indian Banking system. It is possible that this may even lead to a financial crisis with some Bank failures.

The national cyber security advisors may also take note that insecure mobile banking services would be fodder for Cyber terrorists to undertake mass attacks on mobile networks and to pass unauthorised payment instructions through them.

RBI may therefore have to follow a strict licensing policy for permitting Mobile Banking, taking into consideration the information security at both Banks and MSPs, in consultation with DOT. RBI should also ensure that the service is not thrust on unwilling customers of the Bank, or pushed through aggressive and misleading marketing by MSPs.

As an ex-Banker and a Techno Legal information security consultant, the undersigned has serious reservations about the introduction of Mobile Banking services at the current level of preparedness of Banks and MSPs, and would advise MSPs as well as Banks to tread carefully on this uncharted path called Mobile Banking Services.

However, the undersigned is in the process of developing CyLawCom guidelines (Techno Legal Cyber Law Compliance Guidelines for MSPs) so that the risks can be mitigated.

I request RBI to consult and collaborate with the Ministry of Information Technology and the Home Ministry on security compromises in the financial infrastructure of the country and their impact on National Security before proceeding with the introduction of the service.

Naavi of Naavi.org

September 21, 2008