Data manipulation is one of the forms of attack that is greatly increasing. For banks, this actually presents a far greater risk than the loss of money through cyber theft. If a financial institution cannot trust the data in its core banking systems, it is faced with a very big problem. This became evident in 2012 when a bank in the US had the account numbers overridden in their backend database. In the 5 days that it remain closed to undo the changes, the institution suffered huge financial losses. Banks need to be aware that as they expand their services across different platforms and devices, they open up new possibilities to hackers. In fact, at an event held in Doha in March 2014, Help AG demonstrated to customers how local data corruption in mobile applications could be utilized to aid more sophisticated attacks.
User Behavior an Uncontrollable Factor
Even with well designed and securely implemented mobile apps, banks are still faced with the challenge of being able to do little or nothing to control user behaviour. This has always been a key element in the IT security equation and is no less so with mobile devices. In the region, jailbreaking and rooting smartphones are popular as they allow users to install free applications, often illegally, and modify their device settings in ways which would be prohibited by the device manufacturer. This often causes critical security measures to be circumvented leading to leakage of data between applications. For advanced users this may be acceptable, but even security professionals would have a problem in understanding the impact that rooting a device may have. Malicious applications could even make changes to the security settings of the operating system without the users knowledge.
Another big issue related to user behaviour, particularly on the widely popular android operating system, is that understanding and accepting the correct security privileges of applications is something that is left up to the user at the time of installation. Unfortunately, users are often unaware of the implications of their decisions, leading to the security of the device being compromised.
Addressing mBanking Security
There are a number of areas banking institutions should be aware about when starting mobile app development. First of all, they need to understand the data they want to give access to and to expose through the mobile application. Quite often this is as sensitive as the other customer facing applications, such as internet banking, which means that the mobile application too should undergo the same level of scrutiny.
Banks must realize that security is as- if not more- vital to success as use-ability. Just as
applications are rigorously tested for useability, so too must they be subjected to security testing- whether they are for mobile, web or client-server.
Banks should also consider employing the services of IT security consultants with expertise specific to the mobile domain. This is because mobile applications fundamentally differ from normal web-applications in that the clients side execution allows for a more rich computing environment compared to a normal web-application. This in turn means that the client platform needs to be taken into consideration and fully understood if the organization hopes to mitigate the risks of the mobile application. In-depth security analysis will be key to ensuring robust and secure mobile banking applications.
While we are no doubt in an age wherein it is the preferences and demands of the customer that drives the adoption of new technologies, the ability to deliver a guaranteed quality of service will remain a differentiating factor for banking institutions. And with mobile banking only set to grow in popularity, it is a secure long term strategy that will prove to be the key to success.