Securing Mobile Banking Apps: You Are Only as Strong as Your Weakest Link

January 26, 2015 | co-authored by Patrick Kehoe

The devastating effects that cybercriminals inflict on the revenue and brand of consumer-facing corporations, especially trusted organizations such as financial institutions, are by now well understood and very intimidating. What is not so well understood is how to prevent these attacks, especially in the exploding mobile environment, where customers demand innovation — and where cybercriminals are finding it easier than ever to exploit the widening gap between mobile technology and security protections.

Changing Landscape

Mobile banking services are the new “game-changers” in the banking and payments arena. In light of a number of macro trends, those who offer the best and most secure banking and payment apps will win.

Consider the following:

Mobile Banking Apps Are Your Best Driver for Customer Acquisition
  • In recent research by AlixPartners in the U.S., mobile banking was identified as the most important deciding factor when switching banks (60 percent). Mobile banking was identified as more important than fees (28 percent), branch location (21 percent) and services (21 percent).
Mobile Banking Is Critical for New End Users
  • Based on the Federal Reserve mobile device report, the use of mobile banking is highly correlated with age: individuals between ages 18–29 account for approximately 44 percent of mobile banking users, compared with only 6 percent for end users over 60.
Mobile Banking and Payments Opportunity Is Huge
  • According to IDC, the mobile payments market will eventually eclipse $1 trillion by 2017.
  • More than half of the 6,000 commercial banks in the U.S. now offer some form of mobile banking, and that portion is projected to reach nearly 75 percent in the coming years.
  • In Kount’s recent Mobile Payments and Fraud survey, both security and fraud are in focus; consumers are apprehensive about how to better manage fraud risk and consumer security — both concerns growing by more than 40 percent as compared to last year.

How Secure Are Mobile Banking Apps and Mobile Devices?

Unfortunately, only a few are capitalizing on the opportunity to gain a competitive advantage by offering secure mobile apps. Recent analysis by Arxan found that the majority of paid financial services and retail apps have been hacked.

Mobile devices running iOS or Android are far from secure; the latest Kindsight Security Labs report from Alcatel-Lucent highlights that there are currently over 15 million infected mobile devices worldwide — a 20 percent increase from 2013. The Kindsight Security study also found an increase in mobile spyware. Of the 2.3 billion smartphones around the globe, Kindsight Security estimates that 40 percent of them contain spyware used to monitor the phone’s owner by tracking the device’s location, incoming and outgoing calls, text messages, email, Web browsing and history.

Unfamiliar Terrain

What makes the ground so fertile for such breaches?

The “surface area” for attackers to hit has grown immensely with the mobile computing explosion. In the past, when apps were run inside data centers, there used to be just a few “attack areas” for hackers to pursue — mainly focused on remotely exploiting flaws and defects in the application code.

Today’s mobile landscape introduces new threat vectors that typically aren’t considered in organizations’ mobile banking security approaches. Key threat vectors include:

1. Jailbroken or Rooted Devices: Your mobile banking app security may be state-of-the-art, but if you use it on a jailbroken or rooted device, you may be exposed to extreme risk. Users often jailbreak/root their devices, virtually breaking the security model and removing any inherent limitations, allowing mobile malware and rogue apps to infect the device and control critical functions such as SMS. Recently, a variant of the PC-based Zeus malware “ZitMo” has been used to forward SMS messages to cybercriminals as a means of circumventing out-of-band authentication.

2. Outdated OSs and Nonsecure Connections: Risk factors such as dated operating system versions, nonsecure Wi-Fi network use and pharming attacks allow cybercriminals to exploit an existing online banking session to steal funds and credentials or gain full access to the mobile device.

3. Account Takeover: Cybercriminals use mobile devices to access a victim’s account through mobile browsers or mobile banking apps. Unfortunately, they have enjoyed relative anonymity because mobile devices share many similar attributes, which makes them hard to tell apart and therefore hard to defend against. Server-side device ID solutions have a difficult time uniquely detecting criminal devices.

4. Cross-Channel Credential Theft: One of the prevalent enablers for account takeover is stolen credentials through phishing or malware on the online channel. In some cases, the mobile channel is not sufficient to fully execute a fraudulent transaction; fraud can either start or end on the mobile device, but most methods of attack involve at least one additional channel that fraudsters use to complete their task. To effectively protect end users and the mobile banking application, cross-reference actions need to be performed on the various channels while looking for suspicious activities. To identify mobile account takeover, one must see the entire picture — the full fraud life cycle — rather than a limited, tunnel-visioned view of just the mobile channel.

5. Attacks to the Mobile Application: When a user downloads an app, it is in binary code format, and if the steps have not been taken to protect this binary code, the app is susceptible to reverse engineering. There are many readily available tools that can reverse an application from binary format into source code. With access to source code, hackers can gain access to sensitive data and intellectual property (IP). Also, the code can be modified (e.g., security controls can be patched out), the run-time behavior of the applications can be altered and/or malicious code can be injected into the application. Once altered, the application can be repackaged and circulated to look as though it originated from a known/safe source. These and other methods of hacking an app are outlined here.

A New Model for Mobile Banking Security

In order to deal with the changing mobile threat landscape, a new set of tools is necessary. Financial institutions should embrace a comprehensive security approach that meets these evolving threats and includes the following:

  • Device risk level detection
    • Jailbroken devices
    • Outdated OSs
    • Malware infections
    • Rogue apps
  • Account takeover detection
    • Persistent device ID
  • Mobile application protection
    • Harden app to protect the confidentiality of the code
    • Protect the integrity of the app at run time

Financial institutions are constantly looking for the right mix of technologies that can securely support multiple use cases and enable productivity while keeping enterprise data protected on mobile devices. Although the range of technologies that address mobile security is broadening and maturing, most enterprises are still looking for basic tools to provide protection against physical loss or the use of improper applications.

Despite the growing awareness and the enormous efforts financial institutions undertake, a significant gap remains between mobile technologies and security protection mechanisms. Financial institutions have been carrying vast product sets, frequently unappreciated by their customers, often at a cost in operations, technology, service and, sometimes, risk and regulatory challenges.

The following three steps provide enhanced security against evolving mobile threats:

Build Your App Safely
  • There are several factors to consider while designing an app — risk mitigation, security management, compliance and Web-based/mobile application source code vulnerabilities, just to name a few.
  • IBM® Security AppScan® can enhance Web application security and mobile application security, improve application security program management and help app developers meet regulatory compliance obligations. By scanning your Web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities, generate reports and remediate the issues it flags.
Keep the App Safe
We recommend exploring three techniques:

  • First, deploy a dedicated library designed to enable application security services for mobile applications. This library can be used to build custom apps with various advanced security features.
    • IBM Security Trusteer’s Mobile SDK protects organizations’ native mobile applications by performing device risk factor analysis while providing a persistent mobile device ID. The SDK can be used to build custom applications with advanced security features with the following functionality provided:
      • Device risk detection based on indicators such as jailbroken/rooted device status, malware infection and Wi-Fi network security state.
      • Active protection of IP and SSL.
      • Unique and persistent device ID creation.
  • Second, leverage protection that detects attacks at run time.
    • Arxan guards can verify the integrity of the application, its data or the app environment at run time. In addition to detecting hacking attempts by malicious actors, guards can also detect a seemingly innocuous but malicious application performing a drive-by attack at run time. Another app can compromise your app via run-time method swizzling or function/API hooking to steal information or gain control.
  • Third, establish a formal mechanism to react to attacks.
    • With Arxan, you can define how the app should react upon attack detection. For instance, the app can shut down or not start to prevent the use of a compromised application. Also, self-repair capabilities can replace tampered code or data with original correct code. Finally, the app can alert and phone home to your back-end system of choice.
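As an added example (not IBM’s, Trusteer’s or Arxan’s code), the following C sketch shows the shape of a run-time integrity guard with the three reactions the text describes: refuse to continue, self-repair from a pristine copy, or alert the back end. The guarded buffer, the FNV-1a checksum and the reaction policy are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Reactions to a detected tamper, as listed in the text: halt, self-repair, alert. */
typedef enum { REACT_HALT, REACT_REPAIR, REACT_ALERT } reaction_t;
typedef enum { GUARD_OK, GUARD_HALT, GUARD_REPAIRED, GUARD_ALERTED } guard_result_t;

/* FNV-1a 32-bit checksum. It detects modification but is not a MAC: an attacker who
 * can rewrite the region could also rewrite the reference value, which is why real
 * guards hide the reference (obfuscation/encryption, as the text describes). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

typedef struct {
    uint8_t *region;        /* live bytes being guarded (code or data) */
    size_t len;
    uint32_t expected;      /* checksum recorded from the pristine copy */
    const uint8_t *golden;  /* pristine copy kept for self-repair */
    reaction_t reaction;
    int alerts_sent;        /* stands in for a "phone home" report */
} guard_t;

void guard_init(guard_t *g, uint8_t *region, size_t len,
                const uint8_t *golden, reaction_t r) {
    g->region = region; g->len = len; g->golden = golden;
    g->reaction = r; g->alerts_sent = 0;
    g->expected = fnv1a(golden, len);
}

/* Run at sensitive points (startup, before a transaction). */
guard_result_t guard_check(guard_t *g) {
    if (fnv1a(g->region, g->len) == g->expected) return GUARD_OK;
    switch (g->reaction) {
    case REACT_REPAIR: memcpy(g->region, g->golden, g->len); return GUARD_REPAIRED;
    case REACT_ALERT:  g->alerts_sent++;                     return GUARD_ALERTED;
    default:           return GUARD_HALT;  /* caller must refuse to continue */
    }
}

int main(void) {  /* constructed demo: a tampered config flag is repaired in place */
    static const uint8_t golden[] = "host=bank.example;pin_check=1";
    uint8_t live[sizeof golden]; memcpy(live, golden, sizeof golden);
    guard_t g; guard_init(&g, live, sizeof live, golden, REACT_REPAIR);
    live[sizeof live - 2] = '0';  /* hypothetical tamper: PIN check switched off */
    printf("check 1: %d (2 = repaired)\n", guard_check(&g));
    printf("check 2: %d (0 = ok), data: %s\n", guard_check(&g), live);
    return 0;
}
```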
Prevent Misuse
  • This involves real-time fraud detection via evidence-based, cross-channel intelligence. As threats become more sophisticated, stopping fraud requires more decisive action, such as putting the transaction on hold and manually reviewing high-risk/high-value transactions. This can impact staff who investigate fraud and, ultimately, affect the customer experience. Several tools are specifically designed to prevent misuse:
    • IBM Security Trusteer Pinpoint Criminal Detection™ is designed to protect against account takeover and fraudulent transactions by combining traditional device IDs; geolocation and transactional modeling; and critical fraud indicators. This information is correlated using big data technologies to link events across time, users, activities and platforms, whether they’re mobile or PC-based. Phishing, malware and other high-risk indicators are used for evidence-based fraud detection. By matching new and spoofed device fingerprints, real-time phishing incidents and malware-infected account access history can be detected. Trusteer can identify account takeover attempts, minimize customer burden and help eliminate IT overhead.
    • Arxan Application Protection is designed to protect binary code. Binary protections slow down an adversary from analyzing exposed interfaces and reverse engineering the code within a mobile app. All too often, an adversary will steal code and recycle it within another app for resale. Arxan protection defends applications against compromise by obfuscating or scrambling the code and encrypting or pre-damaging some or all of the application statically or at run time.

Assaf Regev

Assaf Regev serves as the product marketing manager for the web fraud portfolio of Trusteer, an IBM Company, part of IBM’s Security Systems division.