BY: Patrick Kehoe, CMO, Arxan
The devastating effects on revenue and brand caused by cybercriminals to consumer corporations, especially trusted organizations such as financial institutions, are by now well understood and very intimidating. What is not so well understood is how to prevent these attacks, especially in the exploding mobile environment, where customers demand innovation — and where cybercriminals are finding it easier than ever to exploit the widening gap between mobile technology and security protections.
Mobile banking services are the new “game-changers” in the banking and payments arena. In light of a number of macro trends, those who offer the best and most secure banking and payment apps will win.
Consider the following:
- Mobile Banking Apps Are Your Best Driver for Customer Acquisition
- Mobile Banking Is Critical for New End Users
- Mobile Banking and Payments Opportunity Is Huge
How Secure Are Mobile Banking Apps and Mobile Devices?
Unfortunately, only a few are capitalizing on the opportunity to gain a competitive advantage by offering secure mobile apps. Recent analysis by Arxan found that the majority of paid financial services and retail apps have been hacked; read the full report here.
Mobile devices running iOS or Android are far from secure; the latest Kindsight Security Labs report from Alcatel-Lucent highlights that there are currently over 15 million infected mobile devices worldwide — a 20 percent increase from 2013. The Kindsight Security study also found an increase in mobile spyware. Of the 2.3 billion smartphones around the globe, Kindsight Security estimates that 40 percent of them contain spyware used to monitor the phone’s owner by tracking the device’s location, incoming and outgoing calls, text messages, email, Web browsing and history.
What makes the ground so fertile for such breaches?
The “surface area” for attackers to hit has grown immensely with the mobile computing explosion. In the past, when apps were run inside data centers, there used to be just a few “attack areas” for hackers to pursue — mainly focused on remotely exploiting flaws and defects in the application code.
Today’s mobile landscape introduces new threat vectors that typically aren’t considered in organizations’ mobile banking security approaches. Key threat vectors include:
1. Jailbroken or Rooted Devices: Your mobile banking app security may be state-of-the-art, but if you use it on a jailbroken or rooted device, you may be exposed to extreme risk. Users often jailbreak/root their devices, virtually breaking the security model and removing any inherent limitations, allowing mobile malware and rogue apps to infect the device and control critical functions such as SMS. Recently, a variant of the PC-based Zeus malware “ZitMo” has been used to forward SMS messages to cybercriminals as a means of circumventing out-of-band authentication.
2. Outdated OSs and Nonsecure Connections: Risk factors such as dated operating system versions, nonsecure Wi-Fi network use and pharming attacks allow cybercriminals to exploit an existing online banking session to steal funds and credentials or gain full access to the mobile device.
3. Account Takeover: Cybercriminals use mobile devices to access a victim’s account through mobile browsers or mobile banking apps. Unfortunately, they have enjoyed relative anonymity because mobile devices share many similar attributes, which makes the attack hard to defend against. Server-side device ID solutions have a difficult time uniquely identifying criminal devices.
4. Cross-Channel Credential Theft: One of the prevalent enablers for account takeover is stolen credentials through phishing or malware on the online channel. In some cases, the mobile channel is not sufficient to fully execute a fraudulent transaction; fraud can either start or end on the mobile device, but most methods of attack involve at least one additional channel that fraudsters use to complete their task. To effectively protect end users and the mobile banking application, cross-reference actions need to be performed on the various channels while looking for suspicious activities. To identify mobile account takeover, one must see the entire picture — the full fraud life cycle — rather than a limited, tunnel-visioned view of just the mobile channel.
5. Attacks to the Mobile Application: When a user downloads an app, it is in binary code format, and if the steps have not been taken to protect this binary code, the app is susceptible to reverse engineering. There are many readily available tools that can reverse an application from binary format into source code. With access to source code, hackers can gain access to sensitive data and intellectual property (IP). Also, the code can be modified (e.g., security controls can be patched out), the run-time behavior of the applications can be altered and/or malicious code can be injected into the application. Once altered, the application can be repackaged and circulated to look as though it originated from a known/safe source. These and other methods of hacking an app are outlined here.
A New Model for Mobile Banking Security
In order to deal with the changing mobile threat landscape, a new set of tools is necessary. Financial institutions should embrace a comprehensive security approach that meets these evolving threats and includes the following:
- Device risk level detection
  - Jailbroken devices
  - Outdated OSs
  - Malware infections
  - Rogue apps
- Account takeover detection
  - Persistent device ID
- Mobile application protection
  - Harden the app to protect the confidentiality of the code
  - Protect the integrity of the app at run time
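To make the model above concrete, here is an added example (not Arxan's code and not from the original post) of a server-side risk engine that combines the listed signals into a device risk level and a decision for the banking back end. The signal names, weights, minimum OS versions and the step-up/block actions are assumptions chosen for illustration.

```python
# Added illustration of "device risk level detection" + "app integrity" signals
# feeding one decision. Weights, thresholds and actions are hypothetical.
from dataclasses import dataclass
import hashlib

# Hypothetical minimum supported OS versions (major, minor, patch).
MIN_OS = {"ios": (8, 1, 0), "android": (4, 4, 0)}

# Action taken by the back end for each risk level (assumed policy).
ACTIONS = {"low": "allow", "medium": "step_up_auth", "high": "block_and_alert"}


@dataclass
class DeviceSignals:
    platform: str            # "ios" or "android"
    os_version: tuple        # e.g. (7, 1, 2)
    jailbroken: bool         # jailbreak/root indicator reported by the hardened app
    known_malware: bool      # result of a malware/rogue-app scan on the device
    device_id: str           # persistent device ID used for account-takeover checks
    app_sha256: str          # hash of the installed app binary, reported at run time


def assess_device_risk(sig, expected_app_sha256, enrolled_devices):
    """Return (level, score, reasons). Higher score = riskier device."""
    reasons = []
    if sig.jailbroken:
        reasons.append(("jailbroken_or_rooted", 3))
    if sig.known_malware:
        reasons.append(("malware_or_rogue_app", 3))
    if sig.os_version < MIN_OS.get(sig.platform, (0, 0, 0)):
        reasons.append(("outdated_os", 2))
    if sig.app_sha256 != expected_app_sha256:
        # A hash mismatch suggests a modified/repackaged app, not the one we shipped.
        reasons.append(("app_integrity_mismatch", 3))
    if sig.device_id not in enrolled_devices:
        # Unknown persistent device ID: possible account takeover from a new device.
        reasons.append(("unrecognised_device", 1))
    score = sum(weight for _, weight in reasons)
    level = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return level, score, [name for name, _ in reasons]


def decide(level):
    """Map a risk level to the back-end action."""
    return ACTIONS[level]


# Constructed sample: the hash of the app binary the bank actually shipped.
SHIPPED_APP_SHA256 = hashlib.sha256(b"constructed sample app binary").hexdigest()
```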
Financial institutions are constantly looking for the right mix of technologies that can securely support multiple use cases and enable productivity while keeping enterprise data protected on mobile devices. Although the range of technologies that address mobile security is broadening and maturing, most enterprises are still looking for basic tools to provide protection against physical loss or the use of improper applications.
Despite the growing awareness and the enormous efforts financial institutions undertake, a significant gap remains between mobile technologies and security protection mechanisms. Financial institutions have been carrying vast product sets, frequently unappreciated by their customers, often with a subsequent cost in operations, technology, service and, sometimes, risk and regulatory challenges.
The following three steps provide enhanced security against evolving mobile threats:
- Build Your App Safely
- Keep the App Safe: We recommend exploring three techniques:
Detailed steps you can take to protect mobile banking apps will be reviewed in detail during our Jan. 29 webinar. We’ll explore mobile threat vectors in more detail and educate you about how to establish a secure mobile banking solution. This will enable you to win the mobile banking battle!
This blog was co-authored by Assaf Regev.