Securing Mobile
Banking Apps
BALANCING MOBILE INNOVATION
WITH SECURITY
WITH SECURITY
THE MOBILE THREAT
For financial firms, mobile apps bring a powerful new way to connect with customers.
Mobile devices continue to replace legacy hardware across organizations, providing a platform for new tools and processes. This shift has contributed to the ongoing expansion of the mobile universe, as well as an increase in mobile app development in the financial services industry.
Because they foster new, more personal connections, mobile apps can bring gains for financial firms. But they also can bring risks. Especially vulnerabilities in the mobile technology chain, across the device, the network and the data center.
Teaming with NowSecure, the mobile threat landscape for customer-facing mobile banking apps was analyzed. Given the prevalence of security vulnerabilities we found, firms are encouraged, at a minimum, to apply the same security standards they use for any software asset, to their customer-facing mobile banking apps.
It’s up to providers to build strong mobile security, without diminishing the flexibility and productivity gains apps can bring.
AND SHOULD BE EMBEDDED WITHIN THE MOBILE APP DEVELOPMENT LIFECYCLE, USING AN APPROACH THAT HAS APPROPRIATE CONTROLS IN PLACE FROM THE ONSET.
SECURITY ON MULTIPLE FRONTS
Banking apps pose unfamiliar and wide-ranging challenges when it comes to assessing their security risk.
For example: Is the app using Apple’s iOS® platform or Google’s Android™ platform? Is it tapping into the device’s web browsing capability? What about GPS? Motion detection? Camera? What is the app’s intended functionality? How is it accessing, using and storing data? Resolving these questions, then incorporating the answers into a “security first” mind set, can yield a strong security solution.
An awareness of these additional potential penetration points can also help:
-
The device: The browser, the system, phone and SMS capability, and apps themselves all leave potential security gaps.
-
The network: What about Wi-Fi security? What if hackers create a rogue access point or a fake SSL (Secure Sockets Layer) certificate?
-
The data center: The underlying web server could be vulnerable to attack, as well as the database that stores vital content.
MOBILE APPS SHOULD BE DESIGNED WITH AN UNDERSTANDING THAT THEY ARE GOING TO BE USED BY DIVERSE SETS OF USERS AND IN VARYING ENVIRONMENTS.
KNOWN SUSPECTS
Accenture joined with NowSecure, employing its Lab Automated tool, to assess the security of various mobile banking apps against fraud and penetration attempts.
The analysis performed yielded a number of "typical" security risks. It also yielded these broad-brush conclusions:
-
At least one security issue was identified in every one of the apps we reviewed.
-
Institutions have proactively addressed certain well-known security risks over the past few years, while other mobile app vulnerabilities have not received the same level of remediation—and remain problematic.
-
Using multi-factor authentication has gone far to make online banking more secure, but is not a silver bullet. Industry standards offer guidance around multi-factor authentication.
-
40 percent of identified banking app issues are related to insecure communication.
SECURITY AND INNOVATION
Given the varied set of mobile banking app risks—including security design gaps and vulnerabilities—what can providers do?
First and foremost: Treat banking and other mobile apps the same as any other software asset, particularly when it comes to security. A secure development approach is a core up-front step that can prevent trouble down the road.
As a second step, organizations can look longer term toward building an integrated mobile security strategy that assesses and addresses apps’ impact on an organization-wide scale.
Customer-facing mobile apps should be designed with an understanding that they are going to be used by diverse sets of users and in varying environments. This should be baked into the mobile development environment through a "security first" mindset, and coupled with periodic execution of vulnerability and/or configuration assessments, source code review, app fuzzing, and pen-testing.
Accenture and NowSecure have done legwork to evaluate the security challenges posed by mobile banking apps. Now it's time for your financial organization to step in and close the gaps, while preserving opportunities for continued mobile innovation.
First and foremost: Treat banking and other mobile apps the same as any other software asset, particularly when it comes to security. A secure development approach is a core up-front step that can prevent trouble down the road.
As a second step, organizations can look longer term toward building an integrated mobile security strategy that assesses and addresses apps’ impact on an organization-wide scale.
Customer-facing mobile apps should be designed with an understanding that they are going to be used by diverse sets of users and in varying environments. This should be baked into the mobile development environment through a "security first" mindset, and coupled with periodic execution of vulnerability and/or configuration assessments, source code review, app fuzzing, and pen-testing.
Accenture and NowSecure have done legwork to evaluate the security challenges posed by mobile banking apps. Now it's time for your financial organization to step in and close the gaps, while preserving opportunities for continued mobile innovation.
CONNECT WITH US
 |
Chris Thompson
Senior Managing Director, Global Financial Services Security & Resilience Practice Lead
 |
 |
Roshani Bhatt
Managing Director, Accenture Digital
|
|
Ryan Leininger
Manager, Accenture Finance & Risk
|
|
Legal disclaimers:
Copyright © 2017 Accenture All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Copyright © NowSecure, Inc. All rights reserved.
The NowSecure name and logo are trademarks of NowSecure, Inc. and are used with permission.
Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners.
We disclaim proprietary interest in the marks and names of others.
Copyright © 2017 Accenture All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Copyright © NowSecure, Inc. All rights reserved.
The NowSecure name and logo are trademarks of NowSecure, Inc. and are used with permission.
Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners.
We disclaim proprietary interest in the marks and names of others.