For financial firms, mobile apps bring a powerful new way to connect with customers.
Mobile devices continue to replace legacy hardware across organizations, providing a platform for new tools and processes. This shift has contributed to the ongoing expansion of the mobile universe, as well as an increase in mobile app development in the financial services industry.
Because they foster new, more personal connections, mobile apps can bring gains for financial firms. But they can also bring risks, especially vulnerabilities in the mobile technology chain, across the device, the network and the data center.
Teaming with NowSecure, we analyzed the mobile threat landscape for customer-facing mobile banking apps. Given the prevalence of security vulnerabilities we found, firms are encouraged, at a minimum, to apply to their customer-facing mobile banking apps the same security standards they use for any software asset.
It’s up to providers to build strong mobile security, without diminishing the flexibility and productivity gains apps can bring.
For example: Is the app using Apple’s iOS® platform or Google’s Android™ platform? Is it tapping into the device’s web browsing capability? What about GPS? Motion detection? Camera? What is the app’s intended functionality? How is it accessing, using and storing data? Resolving these questions, then incorporating the answers into a “security first” mindset, can yield a strong security solution.
An awareness of these additional potential penetration points can also help:
The device: The browser, the system, phone and SMS capability, and apps themselves all leave potential security gaps.
The network: What about Wi-Fi security? What if hackers create a rogue access point or a fake SSL (Secure Sockets Layer) certificate?
The data center: The underlying web server could be vulnerable to attack, as well as the database that stores vital content.
Accenture joined with NowSecure, employing its Lab Automated tool, to assess the security of various mobile banking apps against fraud and penetration attempts.
The analysis yielded a number of "typical" security risks. It also yielded these broad-brush conclusions:
At least one security issue was identified in every one of the apps we reviewed.
Institutions have proactively addressed certain well-known security risks over the past few years, while other mobile app vulnerabilities have not received the same level of remediation—and remain problematic.
Using multi-factor authentication has gone far to make online banking more secure, but is not a silver bullet. Industry standards offer guidance around multi-factor authentication.
40 percent of identified banking app issues are related to insecure communication.