Mobile banking security risks are the big news of the day. And you can blame COVID-19 for this as well? ZDNet reported an increase of 238% in cyberattacks against banks between February and April of this year. That’s after Forbes reported that in the first 3 months of 2020, mobile banking was up 35-85%. Obviously, the hacking community must have taken note of that as well. This now has even the FBI worried. They published the following public service announcement on June 10, 2020:
Increased Use of Mobile Banking Apps Could Lead to Exploitation
FBI Internet Crime Compliance Center – Alert Number I-061020-PSA
Mobile Banking Security Risks Are Big News
It seems that every other day, there is an article about mobile banking app vulnerabilities. Here are some of the articles that I find very concerning.
- Data Breach Today – Many Mobile Banking Apps Have Exploitable ‘Coding Errors’
- Forbes – Mobile And Online Banking Security During COVID-19: What You Need To Know
- Credit Union Times – FBI Alert: Lock Down Mobile Banking Apps
- Insurance Business Magazine – No device is safe: cyber risk increases for brokers and agents
- Intertrust – 2020 Security Report on US Financial Mobile Apps; over 70% of U.S. financial services apps have at least one serious vulnerability
- Outlook Money – The future of FinTech in a Post COVID-19 World
- Washington Post – The coronavirus is upending cash economies. Mobile money could emerge as the winner.
- Payment Source – How EventBot Malware Exploits Shift to Mobile Payments During Coronavirus Crisis
- Mobile Payments Today – Following COVID-19: How the virus is affecting the mobile payments industry
- TechCrunch – Meet EventBot, a new Android malware that steals banking passwords and two-factor codes
- Credit Union Times – As Mobile Shifts from Trending to Necessary, Credit Unions Must Assure Data Protection
- Techbeacon – Fintech fiddles as home burns: 97% of apps lack basic security
If you have another good mobile banking security story that I should add to this list, please share it with me.
What’s at Stake for Consumers and Banks
Depending on the vulnerability here is a (limited) overview of the security threats and exploits consumers as well as banks may be facing.
Risks to mobile banking customers:
- Mobile Fraud – Malicious or unauthorized use of mobile apps & services, fake users, fake events, misappropriated connections, all to receive goods, services, revenue, money, attribution or rankings without paying.
- Account Takeover – Using stolen or misappropriated credentials, fake apps, SMS interception and other methods, to lock valid users out of individual mobile accounts, and steal goods or money from individual mobile users. Also associated with individual cyber-ransom attacks.
- Identity Theft – Trafficking or using stolen user, business or dev credentials and other PII to open accounts, steal goods, services, and money from individuals or businesses. Target could be mobile apps or online services.
- Malware Risk – Local, on device, risk of exploit & control of mobile apps & users by mobile app or device malware.
Risks to the mobile banking business:
- Credential Stuffing – A network attack that uses automated credential guessing to get access to back end systems.
- Data Breach – Unauthorized access, export or theft of mobile app client or mobile app backend user or dev data, including PII, financial or business data. This risk is also associated with business level cyber-ransoms & dark web trafficking.
- Back-End Risk – Using any mobile app exploit to access, harvest or control back end systems, data and services.
- Web Risk – Any security risk to web services that results from a mobile breach, including theft of user credentials and server information of the mobile banking web servers.
- Mods and Fake Apps – Mobile app piracy, copy cat apps and malicious trojans of valid apps, increasing cost of customer acquisition, causing user confusion and more.
- IP Risk – Loss of intellectual property, including competitive risk, loss of trade secrets and innovation.
- Revenue Loss – Studies have shown that the monthly business impact of a breach of a transactional app with over 1M users, is over $6M per month.
- Regulatory Penalties – Regulations, including GDPR in Europe, call for heavy fines and penalties in the event of breaches of Personally identifiable information (PII) and more.
- Damage to Brand Reputation – Any published breach of a mobile has a negative impact on the brand’s reputation.
Who’s Responsible for Application Security
The world of application security can be divided into a pre-Zoom world and a post-Zoom world. The post-Zoom world starts in late March 2020, when Zoom got into a lot of trouble for security breaches and privacy lapses. In response Zoom took full responsibility and launched a 90 day effort to fix all security problems and overhaul its architecture to focus on security first and foremost. This launched a new era in application security. In the new post-Zoom world, the responsibility for application security and end-user privacy has fully shifted away from the consumer to the developer. The articles above all focus on this fundamental shift in responsibility.
Let’s look at the options developers had for ensuring application security.
- Doing nothing and hoping for the best. With the increasing reliance on web and mobile applications in our COVID-19 world, this is absolutely no longer an option.
- Putting the responsibility for keeping end-user information secure, on the shoulders of the end-user. This is no longer acceptable in a post-Zoom world. Application security and protecting the privacy and PII of the end-user is now fully the responsibility of the developer.
- Relying on the Operating System to secure the application. Android and iOS operating systems are not secure. While both will increasingly have better and more robust security features, these features are dedicated to protecting the device (not the app). Once the device is unlocked, everything about and in your app is exposed, whether or not the user is legitimately accessing your app.
- Depending on the backend to protect the app, the app data and the user. Unfortunately, backend security measures, alone, are not adequate to protect your mobile business. First, many attacks, like mobile malware attacks, occur at the client level, usually from another app on the same device. Strong backend or infrastructure security measures are critical. But, mobile apps themselves include all the elements necessary to reach and connect with your backend, access users’ accounts, download data and more. If these methods, URLs, keys, certificates and more are left in the clear, your backend security can be ineffective and hackers could use your mobile apps to mount attacks, that may remaining unnoticed, until the damage is done.
What Developers of Mobile Banking, FinTech Challenger and Cryptocurrency Apps Should Do
Use Appdome. The Appdome Mobile Security Suite is the only layered defense that protects the app, the app data and the user against any known attack vectors. As a result, developers can add complete Runtime Application Self-Protection (RASP) to their Android and iOS apps, in seconds, without coding. All without any impact to development schedules and product roadmaps. Read my previous blog on how banks can protect their mobile banking customers to learn more. Appdome also protects apps against malware attacks as described in this blog on protecting mobile banking customers from EventBot Malware.
For more information, request a demo or create your account and start protecting your apps today.
