International Training & Assistance (ITA)
for Bank Supervisors

E-Banking/Mobile Banking

S.T.R.E.A.M/Technology Lab Courses - The Federal Reserve Bank of Chicago

June 19 - June 23, 2017 (Chicago, IL)

Type of Participant Targeted
E-Banking/Mobile Banking is a five-day course intended for examiners with IT examination responsibilities but with little or no university training in information technology. At least one year of field examination experience is preferred.

Prerequisites
None.

Course Overview
This course provides participants with a detailed understanding of the technologies and risks fundamental to electronic banking (e-banking) and mobile banking. Topics include technology and mobile financial service overview, common security threats and vulnerabilities, device authentication techniques, and web application testing. Hands-on demonstrations and exercises encompass website authenticity evaluation, vulnerability testing, and a Structured Query Language (SQL) injection vulnerability demonstration. Mitigating controls such as web-application testing, mobile device testing, and the Federal Financial Institutions Examination Council's (FFIEC) strong authentication guidance are also covered.

Course Objectives
After completing the course, the participant, at a minimum, will be able to

  • Describe fundamental concepts behind modern e-banking/mobile banking technologies
  • Perform a risk assessment of an existing e-banking/mobile banking solution
  • Test controls in an e-banking/mobile banking environment
  • Recommend possible solutions/procedures to enhance e-banking/mobile banking security controls
  • Assess the vendor management program to identify required controls that meet financial institution policies and standards

Post-Course Intervention
Participants will learn the technology essentials contributing to internet and mobile banking risks, and will be able to apply that knowledge in the context of common threats. Participants will contrast the risks for serviced and turnkey e-banking platforms, as well as for established and emerging technologies. Case-based demonstrations and exercises will provide context for examination activities.

Learning Objectives
Participants should be able to identify risks associated with the three tiers (presentation, business, and database logic) commonly used to describe the technical implementation of an e-banking/mobile banking website. Participants will also be able to identify the risks associated with various web server technologies. Hands-on exercises will provide participants with an understanding of the SQL as well as the tiers that can be compromised by attackers. Participants will understand the various technical solution enablers used to support policies and procedures for risk mitigation of associated vulnerabilities and exploits. Finally, the participant will understand the importance of web-application testing methodology and tools.

By module, the following learning objectives will be accomplished:

Module Learning Objectives
Introduction to E-Banking/Mobile Banking
  • Gain a basic understanding of key terms related to e-banking/mobile banking
Mobile Financial Services Overview
  • Provide overview of various mobile services (e.g., mobile banking, mobile payment, and alternative transaction channels)
Identifying and Analyzing Risk
  • Understand the risk associated with e-banking/mobile banking solutions
  • Provide a methodology to assess the risks associated with an e-banking/mobile banking solution
E-Banking/Mobile Banking Key Components
  • Define e-banking/mobile banking
  • Describe e-banking/mobile banking infrastructure and components.
Implementing E-Banking/ Mobile Banking
  • Introduce web applications
  • Illustrate e-banking/mobile banking implementation modes
Gathering information
  • Identify the means by which attackers can acquire the technical characteristics of a website
Web Search
  • Identify the extent of publicly available information that can be found on the Internet regarding financial institutions
  • Describe ways to limit the amount of information that is publicly available
Web Server
  • Introduce IIS Web Server
  • Introduce Apache Web Server
Web Authentication/Mobile Device authentication
  • Illustrate web authentication methods
  • Describe current mobile device authentication technologies
Vulnerabilities
  • Demonstrate common vulnerabilities in the web server and applications
  • Illustrate social engineering exploits (e.g., Phishing)
Banking Case Study Overview
  • Hands-on lab using a mockup of a financial institution
Common Web Vulnerabilities
  • Hands-on lab designed to demonstrate common web vulnerabilities and exploits
Using SQL
  • Demonstrate the Structured Query Language
  • Review key commands used to add, change, or modify data in the database
SQL Injection
  • Understand the technical operation and describe how SQL can be used to compromise a host
  • Review common configuration errors
Web Application Testing
  • Review current tools that are designed to automate the detection of vulnerabilities
Vulnerability Testing
  • Identify other means of testing web applications
Guidelines on Risks and Managing Risks
  • Review the FFIEC guidance on Strong Authentication
  • Review guidance from other agencies regarding the Gramm-Leach-Bliley Act, and legal and data privacy issues
Vendor Management
  • Describe vendor selection and evaluation via due diligence
  • Outline performance monitoring for e-banking/mobile banking third-party solution providers
  • Assess vendor incident response and management program
Examination Issues
  • Describe common issues related to e-banking/mobile banking
E-Banking/Mobile Banking Trend Watch
  • Maintain awareness of e-banking/mobile banking emerging trends
  • Anticipate future directions of e-banking/mobile banking

Instructors
This course is developed and supported by a group of instructors with extensive examination experience and expertise in banking technologies. Instructors come from across the Federal Reserve System as well as other regulatory agencies and industry.