The Wild West of Mobile Security
Verimatrix, at the heart of security solutions for mobile and connected devices, and UL, a global leader in safeguarding security, compliance and global interoperability, today revealed at the annual Mobey Day in Barcelona the findings of their joint research into the state of security of mobile banking applications. The results should serve as a wake-up call for the entire banking industry to raise their sense of urgency on increasing security, particularly with increasing concern from consumers and legislative mandates such as GDPR looming on the horizon.
Hardly a day goes by without another security breach or cyber-attack, to the point that it is not news anymore. And the growing complexity and fragmentation of the current environment are only increasing the exposure and risk to organizations. Yet unlike the world of mobile payment applications, which is harmonized and standardized thanks to mandates to be evaluated by third-party accredited laboratories, banking and financial institutions are not held to a security standard. Thus, it is unclear how well banks and financial institutions understand the security risk in their mobile applications and the potential exposure it brings. Mobile banking is more of a greenfield, with no compliance requirement. Consequently, very few rely on external risk assessments and security evaluations.
The research of UL and Verimatrix set out to measure where mobile banking applications stand with respect to security as compared with mobile payment applications, to provide a well-known reference point of comparison. They analyzed publicly available m-banking applications. The results show that mobile banking was the weak link in most banks’ security infrastructure.
What the companies have discovered is that it is a safe strategy to expect that the worst will happen in terms of a security breach and prepare your organization accordingly, just like a fire drill. It’s also important to have a remediation plan to solve a security breach both technically and from an image perspective.
It’s critical to address the process and secure development life cycle of the m-banking application. The real risk remediation lies in how quickly you react and adapt to new attacks and flaws; that is what will differentiate you in the market. When you select your software protection architecture and solutions, evaluate not only the level of assurance of the module and architecture, but also the design and the attention and reactivity you receive. It is not recommended to build security solutions in-house. Rather, it is best to rely on a proven solution that is exposed through a broad install base and is backed by teams dedicated to securing mobile applications. Given the fast pace of new operating systems, hardware and attack techniques, it is increasingly challenging to keep up to date with the same team.
UL and Verimatrix also advise against reinventing the wheel: use partners that have experience in mobile banking security so they can support you in validating your decisions and scenarios. It is also safer to have your solution assessed as early as possible in its development, and to get an external security evaluation that provides an unbiased report from a team of experts dedicated to continuous security. This will bring a higher level of confidence to banks and to their customers.
Everything is moving to mobile. To deploy a mobile banking application successfully, the functionality, security and usability must be carefully designed, tested and validated. While the adoption rate and innovation in the field are promising, now more than ever, businesses can never be too confident about security and should not take shortcuts in securing their mobile banking applications.
“While we see there are gaps today in the security of many m-banking applications, it’s not all doom and gloom,” said Neal Michie, product manager, Payment and Application Protection at Verimatrix. “There are many examples of good practices that banks can learn from and widely available solutions on the market that can help make their solutions more secure.”