Use of mobile payment and banking applications is on the rise as more users become comfortable conducting a wide array of financial transactions on their devices. Banks have been pushing mobile applications and mobile payments as convenient offerings to clients, as a competitive differentiator and to reduce operational costs.

Mobile Payments Are the Norm

Consumers are finally becoming comfortable with expanded mobile capabilities. As a result, the use of smartphones for mobile banking has increased dramatically. According to a recent Federal Reserve Board survey, 53 percent of smartphone owners with a bank account had used mobile banking in the 12 months prior to the survey.

The trend extends well beyond banking. Smartphone users can now make online and point-of-sale purchases, pay bills and transfer money using mobile applications, web services or text messages. According to Pew Research, 46 percent of U.S. consumers — roughly 114 million adults — have made a mobile payment.

[Graph omitted: percentages are rounded to the nearest whole number. Source: The Pew Charitable Trusts]

Mobile payment providers — such as Apple, Samsung, Google, PayPal and many banks and retailers — are extremely bullish on the mobile payment market, with TrendForce forecasting it to exceed $1 trillion by 2019.

Clearly, the convenience of making payments and transactions with near-field communication (NFC) and other technologies is making life easier for consumers. But if security and privacy issues are not addressed right away, could they drag down this fast-growing marketplace?

Convenience or Security?

Unsurprisingly, millennials and Generation Xers make up 72 percent of mobile payments users. Although every generation is concerned about security and privacy issues, baby boomers and the silent generation are more risk-averse than millennials and Generation Xers.

According to the Federal Reserve Board survey, 73 percent of nonusers of mobile banking and payment apps cited security as their major reason for not using the functionality. They have good reason to be concerned: Cybercriminals commonly use malware to steal credentials on iOS and Android devices. Once they have the credentials, fraudsters can log in from anywhere and steal funds from unsuspecting consumers. Malware is sometimes used to cause related damage or render mobile devices unusable, but most attackers are financially motivated and not solely interested in troubling users.

Cybercriminals can easily spread malware by tricking users into opening malicious text messages or clicking fraudulent links. Once installed, the malware can sit in the background until the user logs into a banking or other critical application. Advanced fraudsters often dupe users into providing their Social Security numbers, birth dates and other security information to bypass two-factor authentication. Mobile banking malware continues to grow, and banks that end up reimbursing their clients for losses must take action to protect their apps before a widespread attack takes place.

The complexity of the mobile payment process gives rise to security issues. A transaction involves multiple parties and systems — including the acquirer, card issuer, payment card network and many others — in between the consumer and the merchant. Each point of the process can be exploited for criminal purposes.

Many companies do a reasonable job of securing networks and applications in their data centers, but binary code is often left unsecured once apps are out in the wild. Cybercriminals can easily decompile the binary code and steal credentials, insert malicious code or reverse engineer applications. Bad actors can damage mobile payment systems by:

  • Tampering with security logic: Many payment and banking providers have common security modules inside their applications that provide security functionality, such as authentication. Tampering with this functionality allows fraudsters to bypass controls and access sensitive data.
  • Reverse engineering the application: Even if you are using mobile device management (MDM) and mobile access management (MAM) solutions that govern application usage, apps are still fully exposed and vulnerable to being reverse engineered.
  • Stealing cryptographic keys in host card emulation (HCE) applications.

Deep Defenses

Companies should employ defense-in-depth when it comes to their mobile applications — especially apps that are most attractive to cybercriminals due to potential monetary gain. Mobile payments and banking represent the most lucrative and low-hanging fruit for fraudsters. Organizations need to not only protect their code throughout the software development life cycle (SDLC), but also extend security to the weakest link: the binary code. The best defense against attackers is self-protection with strong software.

Most users are oblivious to security issues on their phones. Many believe that smartphone providers include built-in security protection. But while some security issues have been addressed, security on these devices is far from perfect.

Users should take basic precautions, such as updating their operating system on a regular basis, installing anti-malware protection and not clicking on messages that appear suspicious. Even if they take these precautions, however, cybercriminals can still hack into the binary code and steal credentials by decompiling and reverse engineering applications.

The onus lies on financial institutions to make sure their binary code is hardened with the right tools. Consumers should ask what security precautions their banks are taking at the application level.

Where to Start?

The Arxan protection technology was highly commended in the Best Anti-Fraud/Security Solution category at the recently announced Payment Awards. Working together, IBM and Arxan provide an end-to-end application security solution to protect your mobile banking and payment apps. You can also review case studies to learn how others have done it. For example:

Contact us at [email protected] to get started on your secure journey for your mobile banking or payment apps.
