To operate a truly secure mobile banking channel, banks should adopt a multilayered approach and create a security culture—one that uses an information security management policy tied to a bank’s risk profile and business objectives, said presenters affiliated with Mobey Forum during a mid-May webinar.
Speakers also said that banks should embrace a security agenda early in the life of an application. A safety-oriented design phase that is carried into the coding process will result in safer, less-penetrable applications on customer phones, members of the London-based independent nonprofit told listeners.
Concurrent with the event Mobey Forum’s risk mitigation working group also issued a whitepaper with remediation based on practices specified in ISO/IEC 27005.
Fail to take a holistic approach and you risk having customers fall victim to fraud events, including account takeovers via stolen smartphones, according to Maikki Frisk, Mobey Forum’s executive director. The webinar and white paper outlined these recommendations in regard to mobile financial services, a term that covers payments, remittances, and other banking transactions.
The organization’s white paper maps out many types of breaches, categorized into customer-level and device-level incursions. The paper also touches on application-level and communication-level takeovers, including “man-in-the-middle” attacks, in an easy-to-read chart format.
Other potential mobile banking risks include data-related attacks such as compromise of the secure element (the tamper-resistant hardware in the phone) or corruption of the operating system. Engineering a stealthy application takeover is an increasingly common scheme.
Customer awareness not enough
In the years since online, and then mobile, banking took off, much of the security effort at banks has doubled down on generating awareness among customers.
“Many risk mitigation measures ultimately rely on customer education,” said Phillipe Roy, IT Security Specialist at Danske Bank and co-chair of the Risk Mitigation Workgroup. The experts don’t consider education by itself to be sufficiently protective.
In contrast, building in barriers to illicit software modification, in effect making applications impervious (or as resistant as possible) to a Trojan takeover or incursion from a similar piece of malware, lays the groundwork for a truly secure application. Developers also need to focus on meeting customer confidentiality requirements and privacy regulations, while ensuring that transactions are performed only by customers authorized to perform them. The white paper takes readers through each recommended security routine.
To combat impersonation, for example, Mobey Forum advises raising awareness of common schemes resulting in theft, as well as adopting multi-factor and passive authentication. (This second approach to authentication relies on analysis of historical data about the customer in comparison to specifics about the transaction to detect abnormalities and other useful trend information.) Mobey Forum also calls for using a call center to verify customer information.
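As an added illustration of the passive authentication described above (example code, not from Mobey Forum or the white paper), the following Python scores a transaction against a customer's constructed history and escalates to a second factor when it looks abnormal; the sample history, the weights and the thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample history for one customer: (amount, country, device_id).
# Illustrative values only, not data from Mobey Forum or any bank.
HISTORY = [
    (42.10, "FI", "dev-A"), (15.00, "FI", "dev-A"), (120.00, "FI", "dev-A"),
    (60.50, "FI", "dev-A"), (33.00, "FI", "dev-B"), (80.00, "FI", "dev-A"),
]


@dataclass
class Transaction:
    amount: float
    country: str
    device_id: str


def risk_score(txn, history):
    """Compare one transaction with past behaviour; return (score, reasons).

    Higher score means the transaction deviates more from the customer's
    historical pattern. Weights are assumed for this example.
    """
    amounts = [a for a, _, _ in history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0  # avoid division by zero
    score, reasons = 0, []
    z = (txn.amount - mu) / sigma
    if z > 3:  # amount far above the customer's usual spend
        score += 2
        reasons.append(f"amount {z:.1f} sd above mean")
    if txn.country not in {c for _, c, _ in history}:
        score += 2
        reasons.append("unseen country")
    if txn.device_id not in {d for _, _, d in history}:
        score += 1
        reasons.append("unseen device")
    return score, reasons


def decide(txn, history):
    """Map the risk score to an authentication decision (assumed thresholds).

    "step_up" requires a second factor before the transaction proceeds,
    "review" flags it for follow-up, "allow" passes it on history alone.
    """
    score, _ = risk_score(txn, history)
    if score >= 3:
        return "step_up"
    if score >= 1:
        return "review"
    return "allow"
```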
To further protect a bank’s mobile channel, Mobey recommends use of techniques for fighting reverse-engineering. This includes taking a preemptive strike against a criminal technique known as “software binary code disassembling.”
Among the anti-reverse-engineering techniques are “obfuscation,” “hook detection,” “anti-debug methods,” and “code verification at runtime.”
Some things customers should know
The white paper touches on the following tips to share with customers:
• Only install applications from official app stores such as Apple’s App Store and Google Play.
• Install and run anti-malware and firewall software.
• Do not “root” or “jailbreak” your mobile device.
(“Rooting” an Android phone means taking control of the root account, and with it various critical subsystems, which enables more varied customization but also exposes the phone to more takeover threats. “Jailbreaking” is the equivalent workaround on Apple devices.)
• Protect access to your mobile device with a code or, when possible, biometric verification.
• Use remote locking or wiping functionality if the device is lost or stolen.
Popular channel, but exposed
The paper and webinar come at a time when adoption of mobile banking technology steadily continues among a variety of demographic groups. Customers expect access to increasingly sophisticated services, Mobey Forum’s Frisk pointed out.
While 70% of millennials now use mobile banking, its usage is growing across all age groups. In the U.S. in 2015, 58% of smartphone owners between the ages of 30 and 44 and almost 20% over the age of 60 reported that they were using mobile banking, according to data published by Clearbridge Mobile.
As the channel gains popularity for transactions beyond alerts, account-balance verification, or checking the status of recent transactions, it only makes sense that banks work preemptively by taking a more coordinated, policy-based approach to keep mobile banking humming along.
Mobey counts as its mission encouraging banks to take a leadership role in creating groundbreaking applications and refining standards surrounding data delivery, storage, and application protections for a continually improved mobile banking experience.
Expectation of security
Mobey points out that mobile’s steady growth is attracting criminals as well as flocks of devoted bank customers, who want greater capability from their phones despite some high-profile cyber crimes tied to mobile banking. Customers, says Maikki Frisk, now expect to use their mobile devices for all sorts of interactions with their financial institution, including payments.
At the same time, and in addition to an utterly convenient experience with the phone, bank customers expect that their financial data and ID information will remain secure. Hitting that sweet spot will remain a challenge.
Download Mobey Forum’s Guide To Risk Management In Mobile Financial Services [Registration required]