The adoption of mobile banking will continue to surge across Europe, says a recent ING International Survey – Mobile Banking 2016 report. In its annual survey, ING shows that the share of mobile device users in Europe who bank by mobile has swelled to 47% – up from 41% in 2015 – with another 16% expected to adopt the technology in the next 12 months.
Although ING’s research covers Europe, it is worth considering the state of play in the US among millennials too. The Federal Reserve says that 67% of millennials now use mobile banking, which is important because these people will be the next generation of banks’ customers (by comparison, 18% of consumers over the age of 60 use mobile banking).
For the banking sector, a strong mobile strategy is becoming critical for financial institutions to compete in the changing landscape. Customer and employee expectations are increasingly mobile-first, so banks need to address this evolution, to build customer loyalty and revenue streams.
However, the Federal Reserve’s research also asked why people do not use mobile banking apps. It found that 73% of people had concerns about the security of mobile banking technology. So, as mobile banking continues to soar in Europe and the US, what should banks consider as they develop apps that address the security concerns of customers?
Top 10 Mobile Vulnerabilities
From a technology standpoint, there are many vulnerabilities that could cause problems for your banking apps across the software development lifecycle (SDLC). They occur at the customer-facing front end of the app as well as the back end, at the device level and at the banking-app level. This means banks need to build advanced authentication, including integrations with Active Directory, OAuth and the like, into their software development, and ensure compliance with all the essential industry standards, such as PCI, SOX, HIPAA, Common Criteria and so on.
The Open Web Application Security Project (OWASP) is a vital source of critical security information. It provides sound guidance on what it deems the ‘Top 10 Mobile Vulnerabilities’. In order of importance, they are: lack of binary protections (19%), insecure data storage (17%), insufficient transport layer protection (16%), unintended data leakage (13%), weak server-side controls (6%), poor authorisation and authentication (6%), client-side injection (4%), broken cryptography (3%), improper session handling (2%) and security decisions via untrusted inputs (1%). Interestingly, the remaining 13% is unaccounted for. Of course, the degree to which these common vulnerabilities affect your mobile banking app will vary according to your systems and strategy.
‘Reverse engineering’ is your enemy
Beyond OWASP’s recommendations, there are several other key factors that banks ought to consider as they tighten the security of their mobile apps. For instance, attackers will often simply pick up where the secure SDLC leaves off: once the app ships, it is in their hands. So, your team needs to evaluate this and establish how to secure this entry point. They also need to consider that consumer apps are usually freely available to download.
This means the apps are open to scrutiny, and that attackers will try to reverse engineer and modify banks’ mobile apps, even ones that are supposed to be free of vulnerabilities.
In addition, banks need to establish how they can develop apps that are capable of protecting themselves. Achieving this starts with a secure SDLC that ultimately gives the app the capability to defend against compromise, detect attacks in real time and react to or ward off those attacks in real time. Such an SDLC comprises the following phases and key points:
- Planning and assessment: a high-level risk assessment; a security policy review; defining security requirements
- Design, build and test: a security architecture review; threat modeling; secure coding training; secure code reviews; app integrity protection design; static analysis; and dynamic testing
- Protection: a layer that provides application integrity protection
- Test and deployment: final functional and security tests; penetration testing; application monitoring; application integrity protection; and continuous vulnerability assessments
The many benefits of providing customers with mobile banking apps far exceed the risk; however, it is critical to arm yourself with the capabilities required to defend and protect your apps and business from security breaches, resist tampering, and ward off, as much as possible, hacking attacks and malware exploits.
As mobile banking continues to grow, so will the number of exploits, and so development teams will face constant challenges to protect their business from security issues. It is, therefore, critical to factor security into your long-term mobile banking app development strategy and align with proven partners that can help you ensure your success. To learn more about making your mobile banking apps as secure as possible, join our upcoming webinar with Gemalto, "5 Key Steps for Building Secure and Convenient Mobile Banking Apps."
Note: This blog originally appeared on Finextra and has been reprinted with permission.