Cyber criminals have been causing tremendous damage to the revenue and brands of consumer-facing companies around the world, big or small. This is alarming for any company, and more so for a financial institution, where customers engage on the basis of trust. Mobile banking apps have become the latest hunting ground for cyber criminals.
Over the last year I have been speaking to CIOs, CISOs and CTOs of companies of varying sizes, trying to understand their perspective on security and what they have been doing within their organizations to make themselves more secure. Most of them, especially those at large firms, are aware of the importance of security; what is less well understood is how to prevent these attacks, especially in today's era of mobility. As a CIO, it is hard to meet the demand for innovation coming from consumers while cyber criminals find it easier than ever to exploit the widening gap between mobile technology and the security protections around it.
If Mobile is Not Secure, Then Why Have Mobile Banking Apps?
Mobile is the new game-changer; there are no two ways about it. Businesses that offer the best and most secure mobile banking apps and digital payment wallets will win.
Mobile banking apps are an excellent way to acquire new customers. In a recent study by AlixPartners in the U.S., mobile banking was identified as the most important deciding factor when switching banks (60 percent), ahead of fees (28 percent), branch location (21 percent) and services (21 percent).
Younger users (age 18-29) are strongly driven by mobile: reports show that over 44% of mobile banking users fall in this age range.
According to IDC, the mobile payments market will eventually eclipse $1 trillion by 2017.
How Secure are Mobile Banking Apps?
As I mentioned before, mobile is going to be an active driver in the banking and payments market. While most banks are pouncing on this opportunity, very few are trying to make security their competitive advantage. Recent analysis by Arxan found that the majority of paid financial services and retail apps have been hacked.
To add to that, the latest Kindsight Security Labs report from Alcatel-Lucent highlights that there are currently over 15 million infected mobile devices worldwide, a 20 percent increase from 2013. The same study also found an increase in mobile spyware.
We also ran a detailed study at Appknox covering 106 mobile banking apps in the Asia Pacific region and found that over 85% of them failed basic security checks.
3 Things to Make Mobile Banking Apps More Secure
Since mobile is a relatively new and unexplored landscape as far as security is concerned, businesses need to take extra measures to secure it. A comprehensive security approach is the need of the hour, and it should cover the following areas:
Device-level risk detection
Your mobile banking app's own security may be state-of-the-art, but if a customer runs it on a jailbroken or rooted device, that customer may be exposed to extreme risk. Users often jailbreak or root their devices, which breaks the platform security model (sandboxing, code signing, permission checks) that the app relies on. This gives cyber criminals an opening to take advantage using malware or rogue apps.
Apart from jailbroken or rooted devices, an outdated operating system with known, unpatched vulnerabilities is another common reason behind a successful attack. Have the app report device posture (root or jailbreak indicators, OS version) to a device tracking system so that you are informed of such situations, can inform and educate the affected customers specifically, and can restrict what a risky session is allowed to do. Treat these client-side checks as signals rather than guarantees: on a compromised device the checks themselves can be tampered with, so the decision about what the session may do should be made on the server.
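The following is an added example, not code from the article or from Appknox, of the device-level check described above: a few client-side probes (known `su` locations, build tags) that the app would run, and the server-side policy that decides what a session on a rooted or outdated device may do. The probe paths, the minimum OS versions, the `DeviceReport` fields and the action names are illustrative assumptions; `demo_fs_root()` builds a scratch directory that stands in for a rooted device's filesystem so the probes can run anywhere. Python is used here to keep the example runnable; on Android the same path probes would be done with `java.io.File` and the build tags read from `android.os.Build.TAGS`.

```python
"""Device-level risk detection (added example; assumptions marked below)."""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Well-known `su` / root-manager locations on Android, relative to the
# filesystem root (assumed list; an iOS build would probe e.g.
# Applications/Cydia.app instead).
SU_PATHS = [
    "system/bin/su", "system/xbin/su", "sbin/su", "system/su",
    "system/app/Superuser.apk", "data/adb/magisk",
]
# Oldest OS release the bank still treats as patched (assumed policy values).
MIN_OS_VERSION = {"android": (8, 0, 0), "ios": (12, 0, 0)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'8.1' -> (8, 1, 0); non-numeric components are ignored."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def root_indicators(fs_root: str, build_tags: str) -> List[str]:
    """Client-side probes: which root indicators exist under fs_root.

    On a real device fs_root is '/'; demo_fs_root() below provides a scratch
    directory instead. Custom ROMs are typically signed with test-keys.
    """
    found = [p for p in SU_PATHS if os.path.exists(os.path.join(fs_root, p))]
    if "test-keys" in build_tags:
        found.append("build.tags=test-keys")
    return found


@dataclass
class DeviceReport:
    """What the app sends to the risk engine (assumed shape)."""
    platform: str              # "android" or "ios"
    os_version: str            # e.g. "7.1.2"
    root_indicators: List[str]


def assess(report: DeviceReport) -> Tuple[str, str, List[str]]:
    """Server-side policy: returns (risk, action, reasons).

    Rooted/jailbroken devices keep read-only access but lose high-value
    transactions; an outdated OS gets step-up auth plus an update prompt.
    """
    reasons = []
    if report.root_indicators:
        reasons.append("root/jailbreak indicators: " + ", ".join(report.root_indicators))
    minimum = MIN_OS_VERSION.get(report.platform)
    if minimum and parse_version(report.os_version) < minimum:
        reasons.append(f"{report.platform} {report.os_version} is below the supported minimum")
    if report.root_indicators:
        return "high", "deny_high_value_transactions", reasons
    if reasons:
        return "medium", "step_up_auth_and_prompt_update", reasons
    return "low", "allow", reasons


def demo_fs_root() -> str:
    """Constructed stand-in for a rooted Android filesystem (scratch dir)."""
    root = tempfile.mkdtemp(prefix="device-")
    os.makedirs(os.path.join(root, "system", "xbin"))
    open(os.path.join(root, "system", "xbin", "su"), "w").close()
    return root


if __name__ == "__main__":
    rooted = DeviceReport("android", "7.1.2", root_indicators(demo_fs_root(), "test-keys"))
    print(assess(rooted))
    clean = DeviceReport("ios", "12.4", [])
    print(assess(clean))
```

The split matters: `root_indicators` runs on the handset and can be defeated there, so `assess` lives on the server and treats the report as evidence, not as a verdict, and the policy degrades the session (no high-value transfers) rather than silently trusting it.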
Cross-channel fraud detection
Cyber criminals use mobile devices to access a victim's account through mobile browsers or mobile banking apps. It is not very difficult to maintain anonymity across mobile devices, which makes this channel challenging to defend.
Stolen credentials, obtained through phishing or malware, are among the most common ways to take control of user accounts. We have come across cases where mobile is not the only channel in use: mobile may be the starting or end point, but most methods involve another channel as well, for example a password reset over the phone followed by a new device enrolment in the app and a transfer from the website. Track security across all these channels; you are only as strong as your weakest link. Try to paint the full picture of the fraud lifecycle so that you have a clearer view of the situation and of how to act on it.
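The following is an added example, not code from the article or from Appknox, of what "painting the full picture of the fraud lifecycle" looks like in practice: events from the IVR, the web site and the mobile app are joined per account and checked for takeover chains that no single channel would flag on its own. The log format, the event and channel names, the chains in `TAKEOVER_CHAINS` and the 24-hour window are assumptions chosen for illustration, and `SAMPLE_LOG` is constructed data, not a real log.

```python
"""Cross-channel account-takeover detection (added example; assumptions marked)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence

# Event chains that, taken together, look like an account takeover (assumed).
# Each step may arrive on a different channel, which is why a per-channel
# view misses them.
TAKEOVER_CHAINS = [
    ("password_reset", "device_enrolled", "transfer"),   # reset by phone, enrol a new phone, pay out
    ("login_new_device", "payee_added", "transfer"),     # phished credentials, new payee, pay out
]
WINDOW = timedelta(hours=24)   # assumed correlation window

# Constructed sample events from three channels (not real data).
SAMPLE_LOG = """\
2015-03-02T09:12:00Z account=A1 channel=ivr event=password_reset
2015-03-02T09:40:00Z account=A1 channel=mobile event=device_enrolled
2015-03-02T10:05:00Z account=A1 channel=web event=transfer amount=4800
2015-03-02T11:00:00Z account=B7 channel=mobile event=login_new_device
2015-03-05T08:00:00Z account=B7 channel=mobile event=payee_added
2015-03-05T08:10:00Z account=B7 channel=mobile event=transfer amount=120
"""


def parse_event(line: str) -> Dict[str, object]:
    """'<iso-time> k=v k=v ...' -> dict with a parsed 'time' field."""
    ts, *pairs = line.split()
    fields: Dict[str, object] = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def match_chain(events: Sequence[dict], chain: Sequence[str],
                window: timedelta = WINDOW) -> Optional[List[dict]]:
    """Return the events forming `chain`, in order and within `window`
    of the first step, or None. `events` must be sorted by time."""
    for i, start in enumerate(events):
        if start["event"] != chain[0]:
            continue
        matched, step = [start], 1
        for ev in events[i + 1:]:
            if ev["time"] - start["time"] > window:
                break                      # sorted input: nothing later can fit
            if ev["event"] == chain[step]:
                matched.append(ev)
                step += 1
                if step == len(chain):
                    return matched
    return None


def detect_takeovers(log_text: str) -> List[dict]:
    """Group events per account across all channels and look for chains."""
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e["time"])
        for chain in TAKEOVER_CHAINS:
            hit = match_chain(events, chain)
            if hit:
                alerts.append({
                    "account": account,
                    "chain": chain,
                    "channels": sorted({e["channel"] for e in hit}),
                    "span_minutes": int((hit[-1]["time"] - hit[0]["time"]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_takeovers(SAMPLE_LOG):
        print(alert)
```

Account A1 triggers an alert only because the IVR reset, the mobile enrolment and the web transfer are looked at together; account B7's events fall outside the window and produce nothing, which is the kind of tuning decision (window length, which chains, which channels) the fraud team owns.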
Application-level protection
When a user downloads an app, what they receive is a compiled binary, and if steps have not been taken to protect that binary, the app is susceptible to reverse engineering. This can result in code modification, application duplication (repackaged or trojanised copies), exposure of secrets embedded in the code, and so on. Many products can help here: obfuscation and app wrapping are becoming popular as a means of making the code harder to reverse engineer. Keep in mind that these raise the attacker's cost rather than eliminating it; an analyst with the binary and a debugger can still work through obfuscated code, so never rely on obfuscation to hide secrets such as API keys or cryptographic keys.
While you do that, also remember that most exploits happen at runtime, against the running app on the device. Make sure you use a solution that gives you dynamic and behavioural analysis as well, not only static scanning, and that the app can detect and respond to conditions such as an attached debugger, hooked functions or a tampered binary while it is running.
Overall, as a CIO you are directly responsible for the security of the product and indirectly for the brand and trust you have built over time. The key is to understand that security is not a one-off exercise; it is something you will have to look into every single day, in a comprehensive manner.