Mobile vulnerabilities require banking apps rethink
Annual global smartphone shipments broke through the one billion barrier for the first time last year, reinforcing the strategic importance of banking ‘on the go’ as a platform for future growth. But with more than one third of UK internet users already using mobile banking apps, concerns are emerging over the failure of some providers to address security risks, writes Martin Baldock.
According to a recent report by IOActive, which reviewed 40 home banking apps from the world’s top 60 banks, nine out of 10 apps had serious security vulnerabilities. As a result, attackers could intercept traffic and inject code to create fake login prompts or send rogue texts or emails from the customer’s device.
The app development process is in urgent need of a rethink, with security placed higher up the agenda. In the past, a bank’s IT director had a comparatively straightforward job, building a secure perimeter around traditional, centralised enterprise systems, but in the world of mobile apps all that has changed. The perimeter has broken down, and mobile app development presents different challenges from enterprise application development.
There is limited awareness that hasty app development may open a route into banks’ enterprise systems. Researchers point out that hackers have been able to reverse engineer an app’s binary and uncover hard-coded development credentials. Using such information, an attacker may be able to gain access to the bank’s development infrastructure and either expose confidential information or, more worryingly, push malware onto the bank’s internal infrastructure.
In their quest to refine the user experience and make apps available as swiftly as possible, many app developers simply do not have the time to consider the perspective of the criminal fraudster. This is further exacerbated by the fact that few developers come from a traditional financial technology background and may, therefore, be unfamiliar with the unique security requirements of banking systems. Some banks have taken steps to address such concerns, by creating a separate specialist group that reviews app security ahead of release.
There are a number of issues that may be addressed to mitigate the risks of rapid development and deployment. Factors to consider include the context of the connection method and the location of data. For example, banks may be able to use location features to warn users who are about to access their account through the app over an insecure, open public wi-fi network.
Customers accessing their bank accounts online using a PC are used to seeing ‘https’ before a secure web address, along with the reassuring padlock that appears on the web address bar. However, most apps do not clearly communicate the state of their security and users are simply not tuned into the need to consider security.
Fraudsters are increasingly targeting mobile app users, as individuals do not expect to be targeted on their smartphones and tablets. Most users have become wary of fraudulent emails asking them to click on a link to update their banking password, but they may not be suspicious if they receive an ‘error’ message in their banking app that suggests the banking session has timed out and asks for the password to be re-entered. Hackers can mount such attacks if the app does not require a signed certificate to check that it is communicating with a secure and trusted bank system.
To further minimise app risks, developers should reduce the amount of sensitive data stored on the smartphone or tablet and ensure that data is encrypted. At the same time, connections between the app and the bank must use secure transfer protocols, and the app itself should verify the server’s SSL certificate. While undoubtedly helpful to developers in diagnosing problems with an app, crash report logs can also become a weak point, and measures must be put in place to prevent such information from becoming available to cyber criminals.
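The certificate verification point above, as an added illustration that is not part of the original article: a weak TLS client configuration (the kind that lets an interception proxy present a fake login prompt) beside a hardened one, plus a certificate-pinning check and a release-gate test a security review group could run. Function names and the pin value are assumptions for this example; the pin is a constructed placeholder, not a real bank certificate digest.

```python
import hashlib
import ssl

# Constructed placeholder: in a real app this is the SHA-256 of the
# DER-encoded bank server (or intermediate) certificate, compiled in.
EXAMPLE_PIN = "<placeholder-sha256-hex-of-pinned-certificate>"


def weak_client_context() -> ssl.SSLContext:
    """The 'before' configuration: any certificate and any hostname is
    accepted, so a fraudster on open wi-fi can impersonate the bank."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the trust store, enforce the hostname,
    and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER bytes of a certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints) -> bool:
    """Certificate pinning: after the handshake, compare the peer's DER
    certificate (ssl.SSLSocket.getpeercert(binary_form=True)) against the
    fingerprints shipped in the app; any mismatch aborts the session."""
    return cert_fingerprint(der_cert) in set(pinned_fingerprints)


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Pre-release check: fail the build if TLS verification is disabled."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )
```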
While the integrity of the underlying technology is paramount, customer authentication is integral to hardening the security of an app. However, according to IOActive, up to 70% of banking apps do not use multifactor authentication or any alternative method of verification.
Multifactor authentication is not difficult to integrate into an app and can be used to supplement a password. There are various ways of integrating such technology, ranging from additional login details being texted to the smartphone to emerging biometric authentication such as fingerprint, facial or voice recognition, all of which go a long way towards improving security.
A further challenge appears in the guise of modified phones, where customers have changed or removed the original factory security settings by ‘jailbreaking’ or ‘rooting’ the device. While it may not be necessary to prevent installation of a banking app on modified phones, it may be appropriate to incorporate specific checks that trigger a message warning customers of the inherent risks.
As cyber criminals up their game, banks must urgently take steps to review the resilience and potential vulnerabilities of existing apps. Customers have placed significant trust in banks to safeguard their own systems, while making the mobile banking experience as secure and intuitive as possible. With significant financial and reputational risks at stake, banking apps should be developed from scratch, backed by a clear focus on identifying potential vulnerabilities.