Yearly Archives: 2015

Mobile Wallets are coming…

The popularity of banking and m-commerce on smartphones and tablets, merchant adoption of mPOS devices, the growth of in-app payments, and the emergence of mobile wallets and NFC-based point-of-sale payment services mean that ensuring the security of mobile transactions and the privacy of customers’ data is critical. Around the world, with so many banks and merchants trying to get consumers to pay with some form of mobile app or wallet, awareness is increasing. But so is confusion — there are so many options, and yet no clear winner.

According to a report by Forrester analyst Tim Sheedy, the Reserve Bank of Australia is working with industry on a central hub infrastructure platform to support ‘overlay’ or mobile payments services. By the end of 2016, any transaction will occur within a few seconds using the new platform.

In Australia, NAB’s “Flick” and Westpac’s “Tap & Pay” are examples of steps in this direction. Around the world, banks are at par with or ahead of this in mobile wallet technology. Having said that, a security analysis of mobile banking apps for iOS devices from 60 financial institutions around the world has revealed that many were vulnerable to various attacks and exposed sensitive information.

Mobile payments refers to payment services, operated under financial regulation, using a mobile device. With mobile payments, the mobile device is used to make the payment in place of ‘traditional’ channels such as cash, credit/debit card and cheque. There are many other terms that refer to mobile payments, including mobile money, mobile money transfer, mobile wallet, m-payments, etc.

Major Australian banks have made mobile payments a priority tech initiative and are in various stages of rolling out technology that lets customers pay with smartphones. Commonwealth Bank, Credit Union Australia (CUA) and Bendigo Bank have released mobile payments apps.
It is important to note that mobile devices face the same security risks as PCs and laptops, including malicious apps, viruses and other types of malware. They also face the risk of malicious content, such as phishing links, being embedded in QR codes. In addition, retailers’ Wi-Fi networks are vulnerable to intrusion, which poses a security risk for their mPOS devices and customers’ smartphones.

Generally speaking, there are several security technologies that aim to secure the end user in mobile banking; some of them include point-to-point encryption, tokenisation, EMV, NFC and authentication technologies.

Voice biometrics is a type of strong authentication for mobiles that authenticates a speaker based on numerous voice characteristics, such as vocal tract geometry, harmonics, pitch and range. Speech recognition and voice biometric technology have come a long way, and products using voice as a biometric modality are gaining a ton of traction in the market.

Facial recognition is another such strong authentication method for mobiles. Every face has numerous distinguishable landmarks, the different peaks and valleys that make up facial features. These landmarks are also known as nodal points, and each human face has approximately 80 of them. Today, facial recognition technology uses advanced pattern recognition models and captures images in real time to select areas of the face with dense information values. Facial recognition today can even be used in darkness and has the ability to recognise a subject from various viewing angles.

Recently, the Australian Senate passed new legislation to strengthen the country’s biometrics system. Under the legislation, the Department of Immigration and Border Protection would be able to match the fingerprints, and potentially iris scans and facial images, of travellers entering and exiting Australia against a database containing the biometric data of known criminals and suspected terrorists.

Companies deploying any type of mobile security technology should consider the maturity of that technology. A financial institution’s online banking app, for instance, has to support thousands of different devices, making it important that biometric authentication works with existing hardware. It is also advisable not to look to any particular technology for all the answers. A multi-layered security approach is often the most suitable way to reduce the level of risk.

Mobile Banking App. Security

There are over 1.4 billion smartphones in use: 798 million of them will run Android, 294 million will run Apple’s iOS, and 45 million will run Windows Phone. With the world population at 7 billion, that means one phone for every five people in the world. We are in a post-PC era, where billions of consumers are carrying around Internet-connected mobile devices for up to 16 hours a day.
In an increased effort to attract and retain customers on the go, many banks have developed custom mobile applications. Mobile banking use has surged by over 50% in some demographics, according to a survey by ComScore, Inc. For the banking industry, the security of finances and personal information is not just a key acquisition driver; it is also essential for retaining customers.

Today it’s easy to transfer money, make payments, and buy goods and services in countless ways outside the walls of a bank or retailer. Mobile apps are being developed as all-round tools with which users can not only check balances but also contact customer care, plan their budget, view statements, apply for finance, etc. Thus, all over the world, banks are striving to upgrade their online customers from regular browsing all the way to financial engagement.

A new Ponemon Institute study sponsored by IBM shows that many organizations neglect security when building mobile applications for their customers. The report shows that nearly 40 percent of the 400 organizations that took part in the survey (40 percent of which are Fortune 500 companies) potentially expose their customers’ data because they don’t scan their code for vulnerabilities (View Full IBM Report).

Banks provide PINs and passwords on accounts, which should be kept confidential. There are also lock-outs and time-outs: for example, some apps give you five attempts to enter your PIN correctly, after which the app is locked so that others cannot keep guessing your PIN, and after three to five minutes of inactivity the app may log you out in case you forget to close it. Then there is monitoring of your accounts and customer authentication procedures, and lastly, in some countries, banks also back this with a security guarantee, i.e. the bank will cover any losses from an unauthorised transaction on your account provided you protect your PIN and password. Customers must notify their bank of any loss, theft or misuse of their PIN and/or any suspicious activity on the account.
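The lock-out and time-out controls described above, as an added illustration in Python (not code from the original post or from any bank's app); the class name PinGuard, the five-attempt limit and the five-minute inactivity window (the upper end of the three to five minutes mentioned) are assumptions, and the clock is passed in so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5            # page: five attempts, then the app locks
INACTIVITY_TIMEOUT = 300    # assumption: 5 minutes, the upper end of the page's 3-5 minutes


class PinGuard:
    """Tracks PIN attempts, lock-out and inactivity time-out for one app session."""
    def __init__(self, pin: str):
        # Store only a salted hash of the PIN, never the PIN itself.
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self.failed_attempts = 0
        self.locked = False
        self._last_activity = None  # None means no active session

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def verify_pin(self, pin: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked' for one PIN entry made at time `now`."""
        if self.locked:
            return "locked"          # lock persists regardless of the PIN entered
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(self._hash(pin), self._digest):
            self.failed_attempts = 0
            self._last_activity = now   # a session starts on success
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True           # stays locked until the bank unlocks it
            return "locked"
        return "wrong"

    def session_active(self, now: float) -> bool:
        """True while a session exists and has seen activity within the time-out."""
        if self._last_activity is None:
            return False
        return now - self._last_activity < INACTIVITY_TIMEOUT

    def touch(self, now: float) -> bool:
        """Record user activity; return False (and log out) if the session had expired."""
        if not self.session_active(now):
            self._last_activity = None   # auto log-out after inactivity
            return False
        self._last_activity = now
        return True
```

A real app would persist the attempt counter and lock state outside the process, so that force-closing the app does not reset the count.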

Unfortunately, criminals see opportunities whenever money is involved; they will always seek new ways to steal and commit fraud. As seen above, most banking apps provide only limited security, guarded by a user PIN or password. Passwords still guard access to applications and sensitive data, and mobile devices are no exception. We’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. Passwords are as old as civilization, and for as long as they’ve existed, people have been breaking them.

Thus in Australia, as of today and in most cases, the only thing protecting access to your mobile banking application is a 4-digit PIN. That is enough for a hacker who gets past it to log into your banking app and access statements, credit card numbers, account numbers, address, transactions, liabilities or assets you may owe or own, your payees, your friends, or even where you usually hang out.
Moreover, SMS token security is the method of choice for transactions carried out via banking apps.

“UK-based security researcher “fin1te” revealed that an attacker could compromise any Facebook account in less than a minute simply by exploiting an SMS message” (See Full Post)
“According to an article in CNN, Android phones can be hacked with a simple text” (See Article)

So how can someone get access to the SMS messages on your phone? To deliver single-use SMS passwords, the SMS has to travel through various networks: from the firm’s headquarters to a wholesale SMS gateway, across the international SMS network and finally down the line to the local phone company. In Australia the Comms Alliance, the lobby group for Australian telcos, declares SMS banking unsafe and calls upon Australian banks to seek out alternative authentication technologies.
A more likely reason why it has become popular amongst banks is that many lenders want to ensure they have mobile phone numbers to contact customers when loan or credit card payments are missed. Making the mobile phone number mandatory for login ensures they have the correct phone number for almost 100% of customers. It is not clear that this benefit justifies the failure to provide proper security and the inconvenience when travelling. The only potential benefit of SMS authentication is that it weeds out some of the most amateur attempts to compromise your bank account, but this gives a false sense of security.

Historical forms of authentication were never meant for the networked landscape we live in today. At this point in the data security environment, most people are aware that a single installed antivirus system is not enough to protect a given endpoint.

Thus, with a borderless IT landscape, the focus needs to shift from device-based security to application-based security. One must also note that while there is no such thing as 100% security, a multi-layered security approach with new-generation authentication, including matured technologies like voice biometrics and face recognition, can give organisations a fighting chance against cyber attackers.