MBanking Applications: The Next IT Security Battleground
By Nicolai Solling for Banker Middle East
As was the case with internet banking, the popularity and demand for mobile-application based services has caused something of a rat race between banks in the Middle East. According to Juniper Research, there will be over 1 billion mobile banking users by the end of 2017. With the Middle East and Africa witnessing a particularly high growth rate of smartphone adoption, the region is expected to account for almost 8% of the global mobile banking market in the next 3 years. And though it is clear that mobile banking is fast becoming a must-have service for tech-savvy customers, there are several security aspects that banks need to worry about before jumping on the mbanking application bandwagon.
Rush to Market Risk
While a versatile and secure mbanking app can well be a competitive advantage, the rush to market can mean insufficient testing, causing developers to overlook critical security vulnerabilities. Once an error-ridden application has made it to the app stores, developers face a very serious challenge that is inherent to mobile applications: changes and bug fixes only take effect when the user chooses to update the app!
With the typical smartphone user downloading an average of 26 applications per device, keeping each of them updated to the latest version is a step that is often neglected. This leaves users running older versions exposed to the vulnerabilities that attackers are all too keen to exploit.
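One way a bank's backend can stop serving business transactions to stale installs is a minimum-version gate. The following is an added example and not code from the article or from any bank: it assumes the app reports its version in an "X-App-Version" request header as MAJOR.MINOR.PATCH (a hypothetical header name), compares versions numerically rather than as strings, and fails closed when the header is missing or malformed.

```python
"""Server-side minimum app version gate (added example, not from the article).

Assumes the banking app sends its version in an "X-App-Version" request
header as MAJOR.MINOR.PATCH; the header name and the HTTP status choices are
this example's own conventions, not anything the article or any bank uses.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(value: Optional[str]) -> Optional[Version]:
    """Parse a strict MAJOR.MINOR.PATCH string; anything else yields None."""
    if not isinstance(value, str):
        return None
    m = _VERSION_RE.match(value.strip())
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def gate_request(headers: Dict[str, str], min_version: str) -> Dict[str, object]:
    """Decide whether a request from a mobile client may reach business logic.

    Returns {"status": ..., "reason": ...}:
      200  client is at or above the minimum and may proceed;
      426  (Upgrade Required) client is too old; serve only an update prompt;
      400  header missing or malformed, treated as untrusted (fail closed).
    Versions compare numerically as tuples, so 2.10.0 > 2.9.3.
    """
    minimum = parse_version(min_version)
    if minimum is None:
        raise ValueError("server misconfigured: min_version must be MAJOR.MINOR.PATCH")
    # Header names are case-insensitive; look the value up accordingly.
    raw = next((v for k, v in headers.items() if k.lower() == "x-app-version"), None)
    client = parse_version(raw)
    if client is None:
        return {"status": 400, "reason": "missing or malformed X-App-Version header"}
    if client < minimum:
        return {"status": 426,
                "reason": f"client {raw} is below minimum {min_version}; update required"}
    return {"status": 200, "reason": "ok"}


if __name__ == "__main__":
    # Constructed sample requests: an up-to-date client, a stale one, and a
    # client that sends no version at all.
    for hdrs in ({"X-App-Version": "2.5.0"},
                 {"X-App-Version": "2.4.1"},
                 {}):
        print(hdrs, "->", gate_request(hdrs, "2.5.0"))
```

The version header is asserted by the client, so a modified or hostile app can lie about it; the gate is there to cut off honest but un-updated installs, not to replace a fix. When the vulnerability lives in a server-side flow that old clients use, the flow itself has to be retired or patched on the backend.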
Data manipulation is one of the forms of attack that is increasing rapidly. For banks, this presents a far greater risk than the loss of money through cyber theft: if a financial institution cannot trust the data in its core banking systems, it has a very big problem. This became evident in 2012 when a bank in the US had the account numbers overwritten in its backend database. In the five days it remained closed to undo the changes, the institution suffered huge financial losses. Banks need to be aware that as they expand their services across different platforms and devices, they open up new possibilities for attackers. In fact, at an event held in Doha in March 2014, Help AG demonstrated to customers how local data corruption in mobile applications could be used to aid more sophisticated attacks.
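A concrete defence against the local data corruption mentioned above is to make the app's locally stored data tamper-evident, so that a modified cache is rejected before it is ever acted on, while keeping the authoritative check on the server. The following is an added example, not code from the article or from Help AG: it seals a constructed list of saved payees with an HMAC-SHA256 tag, shows an attacker with file access rewriting the stored account number, and has the app detect the change. The key is a constant here only so the example runs offline; on a real device it would be held in the platform keystore.

```python
"""Tamper-evident local storage for a mobile banking client (added example,
not from the article).

Models a locally cached list of saved payees as a JSON document sealed with
an HMAC-SHA256 tag. On a real device the key would live in the platform
keystore (Android Keystore / iOS Keychain); here it is a constant so the
example runs offline. The key, the payee data and the file layout are all
constructed for this example.
"""
import hashlib
import hmac
import json
from typing import Any, Set

DEMO_KEY = b"replace-with-a-keystore-backed-key"  # constructed placeholder


class TamperedData(Exception):
    """Raised when a sealed blob fails its integrity check."""


def seal(record: Any, key: bytes = DEMO_KEY) -> bytes:
    """Serialise the record canonically and attach an HMAC-SHA256 tag."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"data": payload, "mac": tag}).encode()


def open_sealed(blob: bytes, key: bytes = DEMO_KEY) -> Any:
    """Verify the tag before trusting anything in the blob; fail closed."""
    try:
        outer = json.loads(blob)
        payload = outer["data"]
        tag = outer["mac"]
    except (ValueError, KeyError, TypeError):
        raise TamperedData("malformed sealed blob")
    if not isinstance(payload, str) or not isinstance(tag, str):
        raise TamperedData("malformed sealed blob")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise TamperedData("MAC mismatch: local data was modified")
    return json.loads(payload)


def edit_on_disk(blob: bytes, old: str, new: str) -> bytes:
    """What an attacker with file access (e.g. on a rooted device) can do:
    rewrite the stored data while leaving the old tag in place."""
    outer = json.loads(blob)
    outer["data"] = outer["data"].replace(old, new)
    return json.dumps(outer).encode()


def server_accepts_payee(iban: str, registered_ibans: Set[str]) -> bool:
    """The authoritative check stays server-side: a transfer is only accepted
    for a payee the customer registered through a verified flow, regardless
    of what the client's cache claims."""
    return iban in registered_ibans


if __name__ == "__main__":
    # Constructed sample data: one saved payee.
    payees = {"payees": [{"name": "Landlord", "iban": "AE070331234567890123456"}]}
    stored = seal(payees)
    print("intact:", open_sealed(stored))
    hacked = edit_on_disk(stored, "1234567890123456", "9999999999999999")
    try:
        open_sealed(hacked)
    except TamperedData as e:
        print("rejected:", e)
```

On a rooted or jailbroken device an attacker may also be able to extract the key, so the HMAC is defence in depth for the client; the server must still validate every payee, amount and account against its own records rather than trusting what the app sends.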
User Behavior an Uncontrollable Factor
Even with well-designed and securely implemented mobile apps, banks are still faced with the challenge of being able to do little or nothing to control user behaviour. This has always been a key element in the IT security equation and is no less so with mobile devices. In the region, jailbreaking and rooting smartphones are popular as they allow users to install free applications, often illegally, and modify their device settings in ways that the device manufacturer would prohibit. This often circumvents critical security measures, such as the isolation between applications, leading to leakage of data between them. For advanced users this may be an acceptable trade-off, but even security professionals can struggle to understand the full impact that rooting a device has. Malicious applications could even make changes to the security settings of the operating system without the user's knowledge.
Another big issue related to user behaviour, particularly on the widely popular Android operating system, is that understanding and accepting the security permissions an application requests is left up to the user at installation time (on Android 6.0 and later the most sensitive permissions are instead requested at runtime, but the judgement still falls on the user). Unfortunately, users are often unaware of the implications of their decisions, leading to the security of the device being compromised.
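The bank's side of this problem is to request as few permissions as possible, so that the decision the user is asked to make is a small and defensible one, and to catch risky build settings before release. The following is an added example, not code from the article: a pre-release audit that parses a constructed AndroidManifest.xml, reports every permission outside a hypothetical approved list, and flags two settings that should never reach an app store, a debuggable build and app data left exportable through backup.

```python
"""Pre-release manifest audit for an Android banking app (added example, not
from the article). Parses an AndroidManifest.xml and reports permissions the
bank has not approved plus two build flags that should never ship. The
approved list and the sample manifests are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"

# Hypothetical allowlist: what this bank's app actually needs.
APPROVED: Set[str] = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.USE_BIOMETRIC",
}

# Constructed manifests: one as a rushed build might ship, one that passes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mbank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="mBank" android:debuggable="true" android:allowBackup="true"/>
</manifest>"""

CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mbank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="mBank" android:allowBackup="false"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """All permissions the manifest asks for, in document order."""
    root = ET.fromstring(manifest_xml)
    perms: List[str] = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.extend(el.get(NAME, "") for el in root.iter(tag))
    return perms


def audit_manifest(manifest_xml: str, approved: Set[str] = APPROVED) -> Dict[str, object]:
    """Return requested permissions, a list of findings, and a pass/fail."""
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    findings = [f"unapproved permission: {p}" for p in sorted(set(requested) - approved)]
    app = root.find("application")
    if app is not None:
        if app.get(DEBUGGABLE, "false").lower() == "true":
            findings.append("application is debuggable: a debugger can attach to the production build")
        # allowBackup defaults to true, so a missing attribute is also a finding.
        if app.get(ALLOW_BACKUP, "true").lower() == "true":
            findings.append("allowBackup not disabled: app data can be copied off the device")
    return {"requested": requested, "findings": findings, "passed": not findings}


if __name__ == "__main__":
    for name, xml in (("rushed build", SAMPLE_MANIFEST), ("clean build", CLEAN_MANIFEST)):
        result = audit_manifest(xml)
        print(name, "passed" if result["passed"] else "FAILED")
        for f in result["findings"]:
            print("  -", f)
```

A check like this belongs in the release pipeline, so that a permission added for a one-off feature or a debug flag left on during development is caught before the build reaches the store rather than after.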
Addressing mBanking Security
There are a number of areas banking institutions should be aware of when starting mobile app development. First of all, they need to understand the data they want to give access to and expose through the mobile application. Quite often this is as sensitive as the data behind other customer-facing applications, such as internet banking, which means that the mobile application too should undergo the same level of scrutiny.
Banks must realize that security is as vital to success as usability, if not more so. Just as applications are rigorously tested for usability, so too must they be subjected to security testing, whether they are for mobile, web or client-server.
Banks should also consider employing the services of IT security consultants with expertise specific to the mobile domain. This is because mobile applications fundamentally differ from normal web applications: client-side execution allows for a richer computing environment than a normal web application, but that code and the data it stores run on a device the bank does not control. This in turn means that the client platform needs to be taken into consideration and fully understood if the organization hopes to mitigate the risks of the mobile application. In-depth security analysis will be key to ensuring robust and secure mobile banking applications.
While we are no doubt in an age wherein it is the preferences and demands of the customer that drives the adoption of new technologies, the ability to deliver a guaranteed quality of service will remain a differentiating factor for banking institutions. And with mobile banking only set to grow in popularity, it is a secure long term strategy that will prove to be the key to success.