Possible vulnerabilities in mobile devices and applications
By Jeff Multz
To be or not to be mobile, that is the question. Either way, you’ve got a problem.
Thirty-two percent of U.S. adults bank online via their mobile phones, according to the Pew Research Center. Last year, Juniper Research reported there were 590 million mobile banking users and expects the number to hit 1 billion by 2017.
Need help running all this mobile banking? There’s an app for that. Aye, there’s the rub. Sometimes mobile apps—both iOS and Android apps—have vulnerabilities that could provide attackers with personally identifiable information about your community bank’s customers, including the current location of their mobile devices. Insecure Web apps and mobile apps can allow attackers to intercept customer data and sensitive company data in transit and at rest.
Having conducted several tests on hundreds of mobile banking applications, security researchers have discovered many of them are susceptible to various attacks. Banking applications generally use SSL encryption for securely transporting private documents via the Internet, but 90 percent of the tested apps initiated several non-encrypted connections during their operation. This could allow an attacker to intercept traffic and create a fake logon prompt.
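As an added illustration (not code from the original article), the following Python script shows the kind of check a tester would run over a captured request log to find the non-encrypted connections described above. The log lines and hostnames are constructed, and the HIGH/MEDIUM/INFO labels are this example's own convention.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of proxy-style request log lines captured while exercising
# an app; hostnames are placeholders, not real bank endpoints.
SAMPLE_LOG = """\
2024-01-01T10:00:01 POST https://mobile.examplebank.test/api/login
2024-01-01T10:00:02 GET https://mobile.examplebank.test/api/accounts
2024-01-01T10:00:03 GET http://cdn.examplebank.test/branding/logo.png
2024-01-01T10:00:04 GET http://mobile.examplebank.test/terms.html
2024-01-01T10:00:05 GET http://ads.thirdparty.test/track?uid=12345
"""

LINE_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+(\S+)$")  # timestamp method url

def parse_log(text):
    """Return (method, url) tuples; malformed lines are skipped."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            requests.append((m.group(2), m.group(3)))
    return requests

def audit(requests):
    """Flag every non-TLS request. HIGH: cleartext to a host the app also
    reaches over TLS (tampered content there can mimic the app's own logon
    flow); MEDIUM: other cleartext; INFO: unrecognised scheme, review by hand."""
    tls_hosts = {urlsplit(u).hostname for _, u in requests
                 if urlsplit(u).scheme == "https"}
    findings = []
    for method, url in requests:
        parts = urlsplit(url)
        if parts.scheme == "https":
            continue
        if parts.scheme != "http":
            severity = "INFO"
        elif parts.hostname in tls_hosts:
            severity = "HIGH"
        else:
            severity = "MEDIUM"
        findings.append((severity, method, url))
    return findings

def cleartext_ratio(requests):
    """Fraction of requests not sent over TLS (0.0 for an empty log)."""
    if not requests:
        return 0.0
    return sum(1 for _, u in requests if urlsplit(u).scheme != "https") / len(requests)
```

Run `audit(parse_log(SAMPLE_LOG))` to list the three cleartext requests, and `cleartext_ratio(...)` to get the share of non-TLS traffic (0.6 for the sample).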
Meanwhile, cybercriminals create versions of banking apps that look and act just like the authentic apps, except they have malware hidden in them, and make those versions available in third-party app stores. To prevent its customers from having their personal financial information stolen, your bank should advise its customers to go only to your home page and click on a button that sends them directly to either the Apple or Android store to download your bank’s mobile app.
No mobile device, whether company issued or otherwise, should ever be allowed to connect to your network in any manner because if there is any malware on the mobile device, it could infect your bank’s network. Mobile antivirus is not 100 percent effective and can easily be disabled. Many mobile applications have malware built into them. When users download the apps, the malware can disable the antivirus.
A sea of troubles
While there is nothing any community bank can do to ensure the complete security of its mobile banking system, the following steps will help prevent mobile fraud.
- Proactively provide customers with your bank’s policies and advisories to inform them of your bank’s mobile banking guidelines.
- Manually audit and assess applications before launching them.
- Provide customers with additional levels of security, like multifactor authentication services and text message notifications.
- Ensure all of your bank’s applications are built with secure data transmission standards, secure data storage and application logging.
- Examine your bank’s current Web and mobile application designs at least quarterly, and test the apps directly through the user interface.
- Assess the security and compliance risks of your bank’s entire mobile application, its backend systems and network it connects to, and the interactions and data flows between them.
- Conduct a detailed manual technical testing and targeted source code review to expose vulnerabilities that are not apparent from end-user interface testing only.
- Have an independent security consultant assess the security of your bank’s app, from the app itself to its backend supporting systems and the communications in between.
- Test Internet-facing systems that support the mobile application.
- Work with an expert who can tell exactly what your bank might need to protect its network and data, and to be compliant with industry regulations.
Jeff Multz (firstname.lastname@example.org) is director of midmarket North America at Dell SecureWorks, an information services security company in Atlanta, Ga.