The banking industry is seeing a second wave of digital transformation, with 20% or more of all transactions now occurring from mobile devices, a number that is rapidly increasing. The majority of online banking customers now also access bank services through a mobile device, and many are turning to mobile only. The retail arms of banks already have their second-generation mobile products and are now working on innovating to further improve the customer-facing product. However, with the increase in the number of mobile customers and in usage, we are also seeing a growing security threat, as mobile devices are by nature less secure.
The average larger bank of today spends at least $30M per year on the development and innovation of its mobile banking; the really large banks spend considerably more. This includes big investments in user research, content, UX/UI, pilots, front-end development, and middleware development to support unique mobile features, but the majority goes to security and compliance. There is as yet no evidence of a higher proportion of security breaches, or attacks for that matter, on mobile than on desktop, but it is a great concern on the users' side.
More and more frequently, we hear advice such as “Don’t use your banking applications over an open Wi-Fi network” although this is by no means the greatest threat.
Examples of security threats to banks include:
- Unsecured/open Wi-Fi – although all banks "should" use encrypted/secure connections
- Phones are stolen or lost more frequently than desktop devices – therefore second-level authentication is always used for transfers, and SMS authentication/passwords are usually not an option
- Passwords are frequently stored on the phone – Many people use the notepad, Evernote, password storage apps, etc., to store their pin codes and passwords which poses a threat to the bank applications
- Malware / applications – in theory, an application could be created on Android phones that detects keyboard input to other applications, which would allow such an application to capture password input
- Threats to the customer's personal security – a user could be forced under threat to make transfers, so transfer amounts may be different for mobile than for PC, or alerts/monitoring may be in place for unusual activity, just as for credit cards
- Reverse engineering of code – Banks frequently use solutions such as Arxan to protect against reverse engineering
- Reverse engineering of APIs – there are many tools, such as mitmproxy, that enable reverse engineering of APIs, which means that banks have to put a lot of extra effort into ensuring that only their own apps can access their servers
With all the publicity and news around security breaches, banks have no choice but to improve their capabilities in this area. They have started to build a more capable in-house mobile security function and to leverage industry experts to help bridge the knowledge gap. When new products are rolled out, banks sometimes contract vendors to help with external penetration tests, with the purpose of mitigating these threats, which can cause both reputational and economic harm.
At the moment, the biggest challenge for banks is that customers don’t believe that mobile banking is safe. DMI has been working with Lloyds, Ferratum, and several other leading global Tier-1 banks and all of them are working on measures to reduce security threats for customers and the bank. There are reliable solutions to protect business customers, but it’s a lot more difficult for consumers. Several banks have started to offer anti-virus and malware protection free of charge to customers just like they do on the desktop side, but this is only part of the solution. This is still a fairly immature market.
All banks we work with have external security audit teams for their mobile solutions and sometimes DMI plays this role when we are not responsible for the application development.
According to Red Points, "Monthly, 2,000 new malicious apps are detected, 99% to Android system." DMI has worked with MYMobile Security (MMS) to deliver an app called MYAndroid Protection, which protects sensitive Android data that is vulnerable to hacking and theft. For more information, please see this press release.
The Current State of the Industry
Banks have started to use sophisticated software to monitor hack attacks and use the knowledge to prevent harm. This requires the banks to get more streamlined and knowledgeable within the centralized corporate security function and work more closely with the business level development managers to ensure standardized solutions.
We estimate that the size of mobile banking investments globally will be over $250 Bn in 2015. Of this, 75% is internal resources and 25% external.
Magnus Jern, President of Mobile Application Solutions division