Security on multiple fronts
Banking apps pose unfamiliar and wide-ranging challenges when it comes to assessing their security risk.
For example: Is the app using Apple’s iOS® platform or Google’s Android™ platform? Is it tapping into the device’s web browsing capability? What about GPS? Motion detection? Camera? What is the app’s intended functionality? How is it accessing, using and storing data? Resolving these questions, then incorporating the answers into a “security first” mindset, can yield a strong security solution.
An awareness of these additional potential penetration points can also help:
The device: The browser, the system, phone and SMS capability, and apps themselves all leave potential security gaps.
The network: What about WiFi security? What if hackers create a rogue access point or a fake SSL (Secure Sockets Layer) certificate?
The data center: The underlying web server could be vulnerable to attack, as well as the database that stores vital content.
Accenture joined with NowSecure, using NowSecure’s Lab Automated tool, to assess the security of various mobile banking apps against fraud and penetration attempts.
The analysis performed yielded a number of "typical" security risks. It also yielded these broad-brush conclusions:
At least one security issue was identified in every one of the apps we reviewed.
Institutions have proactively addressed certain well-known security risks over the past few years, while other mobile app vulnerabilities have not received the same level of remediation—and remain problematic.
Using multi-factor authentication has gone far to make online banking more secure, but is not a silver bullet. Industry standards offer guidance around multi-factor authentication.
Forty percent of identified banking app issues are related to insecure communication.
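As an added illustration of the insecure-communication and forged-certificate risks described above (this is example configuration, not material from the Accenture/NowSecure assessment), the following Android network security configuration contrasts a weak setup with a hardened one. The host name and pin values are placeholders; a real app ships a single such file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Weak configuration (shown for contrast only): permits cleartext HTTP and
     trusts user-installed CA certificates, so a rogue access point presenting
     a forged certificate from a CA the user was tricked into installing is
     accepted, and unencrypted traffic is allowed at all. -->
<!--
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
-->

<!-- Hardened configuration: no cleartext, only the system CA store, and
     certificate pinning for the bank's API host so a certificate issued by
     any other CA is rejected even if that CA is otherwise trusted. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- api.example-bank.invalid is a placeholder host, not a real institution. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example-bank.invalid</domain>
        <pin-set expiration="2026-01-01">
            <!-- Each pin is the base64 SHA-256 of a SubjectPublicKeyInfo.
                 Both values are placeholders; always ship a backup pin so a
                 key rotation does not lock customers out. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds may trust user CAs so testers can inspect traffic;
         this block is ignored in release (non-debuggable) builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The file takes effect only when the manifest’s <application> element references it via android:networkSecurityConfig="@xml/network_security_config".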
Security and innovation
Given the varied set of mobile banking app risks—including security design gaps and vulnerabilities—what can providers do?
First and foremost: Treat banking and other mobile apps the same as any other software asset, particularly when it comes to security. A secure development approach is a core up-front step that can prevent trouble down the road.
As a second step, organizations can look longer term toward building an integrated mobile security strategy that assesses and addresses apps’ impact on an organization-wide scale.
Customer-facing mobile apps should be designed with an understanding that they are going to be used by diverse sets of users and in varying environments. This should be baked into the mobile development environment through a "security first" mindset, and coupled with periodic execution of vulnerability and/or configuration assessments, source code review, app fuzzing and pen-testing.
Accenture and NowSecure have done the legwork to evaluate the security challenges posed by mobile banking apps. Now it's time for your financial organization to step in and close the gaps, while preserving opportunities for continued mobile innovation.