Monthly Archives: October 2015

Mobile Banking App. Security

There are over 1.4 billion smartphones in use: 798 million of them will run Android, 294 million will run Apple’s iOS, and 45 million will run Windows Phone. With the world population at 7 billion, that means one phone for every five people in the world. We are in a post-PC era, in which billions of consumers carry Internet-connected mobile devices for up to 16 hours a day.
In an increased effort to attract and retain customers on the go, many banks have developed custom mobile applications. Mobile banking use has surged over 50% in some demographics, according to a survey by ComScore, Inc. For the banking industry, the security of finances and personal information is not just a key acquisition driver; it is also essential for retaining customers.

Today it’s easy to transfer money, make payments, and buy goods and services in countless ways outside the walls of a bank or retailer. Mobile apps are being developed as all-round tools with which users can not only check balances but also contact customer care, plan their budget, view statements, apply for finance and so on. Thus, all over the world, banks are striving to move their online customers from regular browsing all the way to financial engagement.

A new Ponemon Institute study sponsored by IBM shows that many organizations neglect security when building mobile applications for their customers. The report shows that nearly 40 percent of the 400 organizations that took part in the survey, 40 percent of which are Fortune 500 companies, potentially expose their customers’ data because they don’t scan the code for vulnerabilities (View Full IBM Report).

Banks provide PINs and passwords on accounts, which should be kept confidential; there are also lock-outs and time-outs. For example, some apps give you five attempts to enter your PIN correctly; after that, the app is locked, ensuring others can’t keep trying to guess your PIN. And after three to five minutes of inactivity, the app may log you out, in case you forget to close it. Then there is monitoring of your accounts and customer authentication procedures, and lastly, in some countries, banks also back accounts with a security guarantee, i.e. banks will cover any losses if there is an unauthorised transaction on your account, provided you protect your PIN and password. Customers must notify their bank if there is a loss, theft or misuse of their PIN and/or any suspicious activity on the account.
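As an added illustration (not the article’s own code, nor any bank’s), here is a minimal PIN guard in Python that implements the two controls described above: five failed attempts lock the session, and three minutes of inactivity log it out. The PIN value, the PBKDF2 parameters and the injectable clock are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5          # five wrong PINs lock the app, as described above
INACTIVITY_TIMEOUT = 180  # seconds; the three-minute end of the 3-5 minute range


class PinSession:
    """Constructed example: attempt counter with lock-out plus an inactivity time-out."""

    def __init__(self, pin: str, clock=time.monotonic):
        self._clock = clock           # injectable so the time-out can be tested
        # Never keep the PIN itself: store a salted, slow hash of it (assumed parameters).
        self._salt = os.urandom(16)
        self._digest = self._hash(pin, self._salt)
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = None     # None means not logged in

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def verify_pin(self, pin: str) -> bool:
        """Return True on a correct PIN; count failures and lock after MAX_ATTEMPTS."""
        if self.locked:
            return False              # locked sessions reject even the right PIN
        ok = hmac.compare_digest(self._hash(pin, self._salt), self._digest)
        if ok:
            self.failed_attempts = 0
            self.last_activity = self._clock()
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False

    def is_active(self) -> bool:
        """True while logged in and within the inactivity window; otherwise log out."""
        if self.last_activity is None or self.locked:
            return False
        if self._clock() - self.last_activity > INACTIVITY_TIMEOUT:
            self.last_activity = None  # automatic log-out after inactivity
            return False
        return True

    def touch(self) -> bool:
        """Record user activity; returns False if the session had already expired."""
        if not self.is_active():
            return False
        self.last_activity = self._clock()
        return True
```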

Unfortunately, criminals see opportunities whenever money is involved; they will always seek new ways to steal and commit fraud. As seen above, most banking apps provide only limited security, guarded by a user PIN or password. Passwords still guard access to applications and sensitive data, and mobile devices are no exception. We’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. Passwords are as old as civilization, and for as long as they’ve existed, people have been breaking them.

Thus in Australia, as of today and in most cases, the only thing protecting access to your mobile banking application is a 4-digit PIN. That is enough for a hacker to log into your banking app and access your statements, learn your credit card numbers, account numbers, address, transactions, and the liabilities or assets you owe or own, know your payees and your friends, or even tell which places you usually frequent.
Moreover, SMS token security is the method of choice for transactions carried out via banking apps.

“UK-based security researcher ‘fin1te’ revealed that an attacker could compromise any Facebook account in less than a minute simply by exploiting an SMS message” (See Full Post).
“According to an article in CNN, Android phones can be hacked with a simple text” (See Article).

So how can someone get access to the SMS on your phone? To deliver single-use SMS passwords, the SMS has to travel through various networks: from the firm’s headquarters to a wholesale SMS gateway, across an international SMS network, and finally down the line of the local phone company. In Australia the Comms Alliance, the lobby group for Australian telcos, declares SMS banking unsafe and calls upon Australian banks to seek out alternative authentication technologies.
A more likely reason why it has become popular amongst banks is that many lenders want to ensure they have mobile phone numbers to contact customers when loan or credit card payments are missed. Making the mobile phone number mandatory for login ensures they almost always have the correct phone number for almost 100% of customers. It is not clear that this benefit justifies the failure to provide proper security and the inconvenience when travelling. The only potential benefit to SMS authentication is that it weeds out some of the most amateur attempts to compromise your bank account, but this is a false sense of security.

Historical forms of authentication were never meant for the networked landscape we live in today. At this point in the data security environment, most people are aware that a single installed antivirus system is not enough to protect a given endpoint.

Thus, with a borderless IT landscape, the focus needs to shift from device-based security to application-based security. One must also note that, while there is no such thing as 100% security, a multi-layered security approach with new-generation authentication, including mature technologies like voice biometrics and face recognition, can give organisations a fighting chance against cyber attackers.