An executive’s mobile banking security playbook

16.02.2021
9 min.
title

The growing mobile ownership rate, the emergence of more user-friendly banking apps, the tech-native younger generation, and, of late, the pandemic-induced shift to online—all this creates a fertile ground for mobile banking.

Unfortunately, the acceleration of banking app adoption today goes hand in hand with the increase of targeted security threats. In 2020, a month wouldn’t go by without a headline-making mobile banking attack or incident that resulted in stolen funds and sensitive personal information from thousands of users. Against this backdrop, robust cybersecurity is coming to the fore of the customer expectations.

Nevertheless, a fair share of BFSI companies persists to treat security as an afterthought during and after mobile banking app development. According to the 2020 Mobile Security Index report by Verizon, 48% of the surveyed financial institutions had to compromise on mobile app security for the sake of expediency. This corner-cutting didn’t fail to take its toll, as financial apps were the second type of apps most likely to suffer a security compromise last year, preceded only by information and media software.

The state of mobile and IoT security in the financial sector in 2020

In the turbulent threat landscape of today, there are only two types of financial institutions: the ones who faced a mobile-app-targeted attack and the ones who will. Neglecting your banking application’s security is a dead-end track that leads only to severe financial and reputational repercussions.

We devised a five-step guide to help financial institutions build shell-proof mobile banking apps, maintain them this way, and safeguard customers from mobile security troubles.

#1: Test security throughout SDLC and beyond

The safety of mobile banking is a subject of many regional and industrial standards, so companies traditionally design the security architecture of their apps around these guidelines and call it a day.

While regulatory compliance is vital, financial institutions often mistakenly bank on it alone and perform security-related activities late in the SDLC. As a result, there is a good chance pre-release quality assurance (QA) can discover deeply ingrained security flaws that will require fundamental corrections. What’s even worse, if the QA fails to do so, the app will be released with inherent vulnerabilities.

The best way to make an app safe by design is to integrate security testing into the development lifecycle. At the start of the project, the team needs to explore relevant external and internal threats and, drawing on the analysis, specify security requirements to the application alongside functional and performance ones. At the design stage, it’s a great practice to perform threat modeling, as it allows developers to understand which elements of the app require protection most and what security controls will fit the purpose.

During the application development, engineers should not only implement security controls into the source code but also review it for bugs and flaws at each iteration, so that all vulnerabilities are rooted out immediately, before the app goes to production. After the development work is completed, the solution should undergo an all-round security assessment (with an emphasis on data security and regulatory compliance) and only after that can be released.

But the work doesn’t stop here. As time goes by, there is a risk that in-built security controls will grow outdated and insufficient against the evolved threats. By conducting regular scans of the banking app after its release, the development team can timely pinpoint new security flaws and vulnerabilities and mitigate them timely, before they get exploited.

In case your in-house development team would not be able to fulfill QA tasks under their own steam, you can always request software testing services from Itransition. To streamline ongoing QA without sacrificing the quality and scope of analysis, you can also resort to automating some labor-intensive security tests.

#2: Implement a strong authentication layer

Access control is the foundation of security, and mobile banking is not an exception. By equipping your application with a proper authentication mechanism, you ensure that only the customer is allowed to view and manage their personal funds, while third parties, malicious and not, are kept out, thus eliminating the user-side risk of the most basic but still prevalent attack — unauthorized access.

Despite remaining a predominant user authentication method, passwords have long been showing their insufficiency in the modern threat landscape. Even lengthy and complex passwords are easily discovered by a brute-force attack or malware; they can also be drawn out from a person with various social engineering techniques or simply overseen by a third party. What is more, passwords are often forgotten and lost and need to be recovered, which creates additional friction in customer experience. All things considered, using the easy-to-implement but vulnerable password verification in your banking app is not worth the risk.

Two-factor authentication has many uses in the financial industry, and app user verification is one of them. Requiring two separate forms of identification, commonly a password and a single-use code sent via SMS, push notification, or email, it is a much more secure option than passwords, and for some time it was truly effective for thwarting unauthorized access attempts.

Of late, however, various ways to bypass 2FA started to crop up, ranging from a SIM swap fraud to malware that instantly intercepts one-time codes, and the technique ceased to be so impregnable. Still, when integrated along with a comprehensive anti-malware solution, two-factor authentication will greatly strengthen a banking app’s security.

Biometric identification gained traction only recently, but its efficiency propelled its adoption as a verification method in mobile apps across industries, with finance leading the way. Relying on physiological human characteristics, such as fingerprints, facial features, voice, or iris to identify a person, the technology is highly accurate and spoof-proof. Convenience is a distinct advantage of biometrics, as all a user needs to do to identify themselves is look at the camera or scan their fingerprint.

Due to its novelty, biometrics is continuously tested by ethical hackers who have uncovered ways to bypass it, such as 3D fingerprints, deep fakes, or biometric database hacks. Nevertheless, as long as the methods remain too complicated to be commonplace, the technology will stay the most air-tight app identification control.

#3: Encrypt user data and communications

Financial institutions are no stranger to encryption. Most banks today leverage the virtually unbreakable 256-bit advanced encryption standard (AES) or equivalent methods to make customers’ personal and payment information inaccessible to unauthorized parties.

Needless to say, a mobile banking app should incorporate similarly robust encryption mechanisms to protect user data. It can be the customary AES, but it can also be another encryption technology that fits the app’s specifics better. It is also important to secure the traffic between the app and the server, and the Transport Layer Security protocol (TLS) fits the bill here.

Things can get more challenging if you plan on integrating your mobile app with wireless BLE and IoT technologies for proximity-based marketing, in-branch experience personalization, and wayfinding. In this case, it’s necessary to bake in specialized encryption mechanisms for securing app-to-device communication and ward off man-in-the-middle attacks.

Lightweight encryption is widely considered the best-suited option for resource-constrained beacons and embedded devices. Featuring a small footprint and light computational complexity, this type of cryptography requires a small amount of memory and energy and is also faster compared to traditional encryption.

There is, however, an ongoing debate and research concerning the implementation of traditional encryption, namely AES, in connected devices. In 2019, Google made headway by presenting the Adiantum method for leveraging AES encryption in smart devices and outdated Android phones. What is more, the recently rolled out 5G with its low latency, high speed, and medium energy consumption allows for partially overcoming the capacity limitations of low-power devices. All things considered, the use of traditional cryptography in app-to-device communication is a feasible concept, but the technology needs to be implemented by application security consultants.

# 4: Integrate in-app protection

The financial industry has never seen a shortage of malicious software attacks, but in 2020, owing to a 50% surge in mobile banking, as per the FBI’s US financial data studies, there was an explosion of malware targeting applications.

Bank customers around the globe were plagued by malicious software of all stripes that captured card credentials and other financial information for ransom or fraudulent money transfers. The most prolific one, the Android trojan called EventBot, targeted users of over 200 banking apps across the US and Europe, including Barclays, HSBC UK, Capital One, and other, siphoning off passwords and intercepting two-factor authentication messages to break into the apps.

Number of installation packages for mobile banking Trojans

These days, there is a strict oversight over financial cybercrime, and specialized law enforcement together with private-sector IT specialists usually take prompt measures to disarm emerging malware. Nevertheless, considering the steadily growing adoption of mobile banking, malicious software targeted at new apps will continue surfacing monthly while the existing scripts will be upgraded to circumvent dedicated safeguards. To be a step ahead of the attackers, financial institutions need to embrace a more comprehensive approach and consider bolstering source-code security controls with robust in-app protection features.

Designed by cybersecurity tech companies, in-app protection is a set of tools that can be easily integrated into an application. These solutions typically include mechanisms for security monitoring and malware detection, network connection manipulation, and external tampering that vendors update on a regular basis. Thus, relying on in-app protection, banks can efficiently shield their app from emerging attacks. In-app protection also allows companies to tap into an advanced security expertise and know-how that their in-house developers might not always have.

#5: Raise customers’ security awareness

Regrettably, after the release, your mobile banking app’s security is not completely in your hands. All the efforts towards building and maintaining the solution impregnable can be easily obliterated by users’ poor choices. Some can turn off biometric authentication if they see no point in it, while others can click on a phishing link because it is sent from the domain looking just like yours. Hence, it’s not enough to deliver a highly protected mobile banking solution—you should also teach users how to render their app experience safe.

First and foremost, banks need to educate their customers about good mobile banking security habits, from the importance of strong passwords and the benefits of two-factor or biometric authentication to the dangers of trusting third parties with app credentials and using public networks when conducting financial operations. However, make sure to present this information in a detailed but unobtrusive and engaging way, for example through short posts or animated videos, otherwise there is a high chance customers will not bother to pay heed to it.

Other than that, financial companies’ security specialists should always keep their ear to the ground for upcoming threats. If there is a mobile banking malware or a social engineering scam running rampant, financial institutions should immediately inform their users about the potential attack, specifying how to recognize and report it and what to do when they have already fallen victim to it. When you release application patches and updates in response to the threats, make certain to convey the importance of their prompt installation.

Most common types of social engineering attacks in Finance and Insurance industry

By keeping your customers aware of the threats they are exposed to and gradually educating them on best security practices, financial institutions can not only significantly minimize incident risks but also nurture customer loyalty and trust.

Stay alert to stay secure

Over the recent years, mobile banking has burgeoned, but with this growth came a whole new set of threats, exploiting apps’ inherent vulnerabilities, loose security controls, and customer unawareness, with the burden of warding them off falling on their owners.

The battle for mobile banking security is ongoing, and to win it, banks need to respect security basics while also remaining open and flexible regarding the emerging security tech.

Tags: