October 25, 2016 By Mandeep Khera 4 min read

Use of mobile payment and banking applications is on the rise as more users become comfortable conducting a wide array of financial transactions on their devices. Banks have been pushing mobile applications and mobile payments as convenient offerings to clients, as a competitive differentiator and to reduce operational costs.

Mobile Payments Are the Norm

Consumers are finally becoming comfortable with expanded mobile capabilities. As a result, the use of smartphones for mobile banking has increased dramatically. According to a recent Federal Reserve Board survey, 53 percent of smartphone owners with a bank account had used mobile banking in the 12 months prior to the survey.

The trend extends well beyond banking. Smartphone users can now make online and point-of-sale purchases, pay bills and transfer money using mobile applications, web services or text messages. According to Pew Research, 46 percent of U.S. consumers — roughly 114 million adults — have made a mobile payment.

Note that percentages are rounded to the nearest whole number in the graph below.


Source: The Pew Charitable Trusts

Mobile payment providers — such as Apple, Samsung, Google, Paypal and many banks and retailers — are extremely bullish on the mobile payment market, with TrendForce forecasting it to exceed $1 trillion by 2019.

Clearly, the convenience of making payments and transactions with near-field communication (NFC) and other technologies is making life easier for consumers. But if security and privacy issues are not addressed right away, could they drag down this fast-growing marketplace?

Convenience or Security?

Unsurprisingly, millennials and Generation Xers make up 72 percent of mobile payments users. Although every generation is concerned about security and privacy issues, baby boomers and the silent generation are more risk-averse than millennials and Generation Xers.

According to the Federal Reserve Board survey, for nonusers of mobile banking and payment apps, 73 percent of nonusers cited security as their major reason for not using the functionality. They have good reason to be concerned about security: Cybercriminals commonly use malware to steal credentials on iOS and Android operating systems. Once they have the credentials, fraudsters can log in from anywhere to steal funds from unsuspecting consumers. Sometimes malware can be used to cause related damage or render mobile devices unusable, but most attackers are financially motivated and not solely interested in troubling users.

Cybercriminals can easily spread malware by tricking users to open malicious text messages or click fraudulent links. Once installed, the malware can sit in the background until the user logs into a banking or other critical application. Advanced fraudsters often dupe users into providing their Social Security numbers, birth dates and other security information to bypass two-factor authentication protection. Mobile banking malware continues to grow, and banks that end up reimbursing their clients for losses must take action to protect their apps before a widespread attack takes place.

The complexity of the mobile payment process gives rise to security issues. A transaction involves multiple parties and systems — including the acquirer, card issuer, payment card network and many others — in between the consumer and the merchant. Each point of the process can be exploited for criminal purposes.

Many companies do a reasonable job of securing networks and applications in their data centers, but binary code is often left unsecured once apps are out in the wild. Cybercriminals can easily decompile the binary code and steal credentials, insert malicious code or reverse engineer applications. Bad actors can damage mobile payment systems by:

  • Tampering with security logic: Many payment and banking providers have common security modules inside their applications that provide security functionality, such as authentication. Tampering with this functionality allows fraudsters to bypass controls and access sensitive data.
  • Reverse engineering the application: Even if you are using mobile device management (MDM) and mobile access management (MAM) solutions that govern application usage, apps are still fully exposed and vulnerable to being reverse engineered.
  • Stealing cryptographic keys in host card emulation (HCE) applications.

Deep Defenses

Companies should employ defense-in-depth when it comes to their mobile applications — especially apps that are most attractive to cybercriminals due to potential monetary gain. Mobile payments and banking represent the most lucrative and low-hanging fruit for fraudsters. Organizations need to not only protect their code throughout the software development life cycle (SDLC), but also extend security to the weakest link: the binary code. The best defense against attackers is self-protection with strong software.

Most users are oblivious about security issues on their phones. Many believe that smartphone providers include built-in security protection. But while some security issues have been addressed, it is from perfect on these devices.

Users should take basic precautions, such as updating their operating system on a regular basis, installing anti-malware protection and not clicking on messages that appear suspicious. Even if they take these precautions, however, cybercriminals can still hack into the binary code and steal credentials by decompiling and reverse engineering applications.

The onus lies on financial institutions to make sure their binary code is hardened with the right tools. Consumers should ask what security precautions their banks are taking at the application level.

Where to Start?

The Arxan protection technology has been highly commended as the Best Anti-Fraud/Security Solution category at the just announced Payment Awards. Working together, IBM and Arxan provide an excellent solution for end-to-end application security to protect your mobile banking and payment solutions. It’s easy. You can also review case studies to educate yourself on how others have done it. For example:

Contact us at [email protected] to get started on your secure journey for your mobile banking or payment apps.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today