5 tips how banks can increase mobile banking security
While customers are learning how to use mobile banking apps instead of in-branch banking, cyber criminals are on the high alert opening up new possibilities for fraudulent activities. In these circumstances, banks of all sizes should carefully think how to increase mobile banking security and protect customers’ data.
A new era in mobile banking fraud
Security researchers are constantly discovering new malware that targets mobile banking apps. One of them is FakeBank, a spyware that monitors SMS activity for incoming verification messages from a customer’s bank. When a mobile banking user gets an SMS with a verification code, the spyware copies the contents and sends it to fraudsters.
Another malware, discovered by ESET security systems, spreads as an imitation of the Flash Player video app either installed from an infected website or via a predatory SMS containing a malicious download link. Once installed on the phone, the spurious app requests device administrator rights and if granted by the user, the malware creates a fake login screen that will appear next time the user logs in a mobile banking app. Once the victims enter their login and passwords, the malware copies this data so that the fraudsters can later use it to access the account remotely and steal the money.
Furthermore, Roman Unuchek, Kaspersky Lab's senior malware analyst, recently found a new modification of the well-known mobile banking trojan Svpeng. In November 2016, it managed to infect over 318,000 Android devices across the world using Google AdSense advertisements. As for now, Svpeng is considered one of the most dangerous mobile banking malware because of its powerful abilities. For example, the Trojan can draw itself over other apps, give itself permissions to send and receive SMS, make calls, and read contacts as well as grant itself device administrator rights and block any attempt to cancel this action.
As you can see, fraudsters become more and more creative in inventing malicious software for the banking industry. In these circumstances, we advise to be thoughtful and cautious in choosing your mobile banking development team as well as carefully check your existing banking apps for vulnerabilities.
Where mobile banking vulnerabilities hide
In 2017, Accenture and NowSecure performed vulnerability assessments of mobile banking apps belonging to 15 North American banks. After testing both iOS and Android apps, they outlined the following list of major mobile banking security risks:
- World-writable files (i.e. other apps can have write access to the files)
- Broken SSL check / sensitive data in transit (i.e. unencrypted communications)
- Writable executables – can lead to additional app vulnerabilities when combined with other issues
- Lack of obfuscation of the app source code, which eases reverse-engineering
- Weak SecureRandom implementation
- Dynamic code loading
- Inappropriately set “HttpOnly” flag (to prevent XSS attacks)
- Inappropriately set “Secure” flag (to prevent the sending of cookies over insecure channels)
- TLS traffic with sensitive data
- Lack of app transport security (e.g., ATS globally disabled).
You can also use black box or white box penetration testing to check up whether your existing mobile banking app has any of these vulnerabilities and ask your development team to fix them if any. Apart from these measures, you can also rework your app in a number of ways.
5 ways to strengthen mobile banking security
1. Introduce device fingerprinting
This feature serves to determine the integrity of the device and helps to confirm a user identity by using the unique set of signals obtained from the device. Such signals usually include IP address, location, screen size, browser, time of day, device type, etc.
2. Implement SIEM solutions
Mobile banking protection with a SIEM system allows identifying a large number of risks, anomalies and malicious behavior, such as:
- jailbroken or rooted device
- device is connected to an insecure Wi-Fi network
- device is running an emulator
- access from foreign countries
- high velocity of recent logins
- escalation in bad login attempts
- other unusual circumstances.
You can create your custom correlation rules and define when these events will trigger a system alert.
3. Add multi-factor authentication
A simple requirement to submit a password to access a customer’s bank account in a mobile banking app is no longer satisfactory to prevent fraud. To increase mobile banking security, banks should add another layer of defense, such as generated one-time passwords or biometric authentication. The latter can be based either on static physical characteristics or human behavioral patterns. While static biometrics analyzes peoples’ physiological characteristics, such as fingerprints, iris, retina, etc., behavioral biometrics deals with a person’s voice, typing rhythm, scroll speed, swipe patterns, and other traits revealing the unique ways people interact with their devices. When implemented, these factors are almost impossible for fraudsters to mimic.
4. Offer real-time text and email alerts
By adding security alerts to your mobile banking functionality, you’ll be able to notify your clients in real-time when there has been any unusual activity online or through a mobile device. Such alerts allow a bank to notify consumers:
- When big purchases happen
- When a customer’s profile or password changes
- When an ATM withdrawal exceeds a certain amount
- When a customer’s account balance drops below a specific amount
- When any debit card purchase occurs, etc.
For example, if a bank notices that a customer has made an online payment to an unknown payee, the bank can send the consumer a text alert to confirm that the requested transaction is legitimate. As a result, this functionality can not only help to prevent fraud, but also improve customer experience and increase trust.
5. Proactively educate your clients
Strengthening mobile banking security is not only a bank’s responsibility, and customers must take their own precautions as well. That is why banks that offer mobile banking apps to their customers should also educate them how to protect themselves from any fraudulent activity.
Security or UX?
Striking an appropriate balance between security and user experience is a challenging goal in mobile banking development. Taking into account that mobile banking apps currently store and transmit the increasing number of customer sensitive data, banks should hire only experienced developers with a "security first" mindset. Still, the adoption of mobile banking highly correlates with user experience and the app’s overall convenience. If banks sacrifice user experience for security, customers, especially Millennials, may be unwilling to use mobile banking due to the increased friction. Thus, we advise banks to consider how to balance security and UX while planning mobile banking implementation and creating requirements for it.