Financial service providers are digitizing as they are taking advantage of the widespread use of the internet and connected mobile devices. This is definitely bringing convenience to everyone, but it also creates new security problems.
One of the most important security concerns for companies that do business digitally and through the web is the use of applications, both native apps on devices and web applications. As financial service providers interact with their customers through apps, new sets of threats and vulnerabilities emerge.
As reported on CSO, the current state of application security does not look very promising. Many organizations push their code into production even though they are unsure about the security of the apps or programs they release. Also, only 48 percent of organizations invest in security controls to address vulnerabilities in the open-source components of their applications, even though in 50 percent of organizations those components make up half of the overall code base.
Apps becoming security risks
App security merits ample attention given the growing volume and sophistication of cyber attacks at present. According to Statista, the finance industry is one of the top targets of cyber threats. Banks and other financial service providers cannot settle for just basic security controls, especially when it comes to the apps they make their customers use. It is advisable to employ advanced solutions such as Runtime Application Self-Protection (RASP) to protect apps.
Ideally, developers should take security into account as they create their new programs or applications. Unfortunately, this is not the case in the real world, and many apps end up having weaknesses that expose them to various threats including clickjacking, HTTP response splitting and method tampering, malformed content, path traversal, command injection, cross-site scripting, request forgery, and CSS and HTML injection. Advanced defenses such as RASP provide a dependable layer of protection that can even address zero-day attacks.
A study reported last year revealed widespread security issues in banking apps. According to that study, around half of mobile banking apps have issues that can be exploited by cybercriminals to obtain sensitive information and engage in fraudulent activities. Around 43 percent of apps were found to be storing sensitive data without encryption or other forms of protection. Also, some 76 percent of the vulnerabilities discovered were shown to be exploitable without the need for physical access to the device being targeted, and more than a third were exploitable without requiring administrator rights.
It is important to point out that app security issues are not only a problem for those who use online or digital banking. As mentioned, apps can be exploited to steal various kinds of information. Banking customers who only use ATMs or non-online financial services can also fall prey to cybercriminals if they have information on their devices that can be useful in carrying out phishing, baiting, pretexting, tailgating, watering-hole, ransomware, and other attacks that focus on human weaknesses.
Threats to banks and financial service providers
Banks and financial service providers stand to suffer financial losses because of app security problems. A NIST report says that the United States’ cybercrime losses amount to hundreds of billions of dollars, or around one to four percent of GDP per year. Most of these losses are absorbed by financial institutions and service providers.
Banks guarantee compensation to their customers in cases of theft or other problems that are traceable to them. The failure to protect the money of their customers translates to financial losses that can even be multiplied if the financial service company contests the customer’s claims and engages in a lawsuit.
On the other hand, banks and finance-related businesses can also suffer reputational damage because of the poor security of their apps. This kind of damage usually entails indirect losses that can be observed in different aspects of a business. The security breach against JP Morgan Chase and other banks in 2014, for example, resulted in a 0.4 to 0.9 percent drop in the banks’ stock prices.
In other cases, news of security breaches leads to a loss of customers. It is not unusual for customers to withdraw their deposits, or at the very least reduce them, from banks that demonstrate poor cybersecurity judgment. Prospective customers may also avoid certain companies upon learning of their weaknesses. Cybersecurity is a serious concern, so it only makes sense for customers to be very cautious.
Threats to customers
The FBI issued an advisory regarding the risks posed by mobile banking apps, particularly with the rise of banking trojans. These trojans that target banking customers act as droppers for the spread of further malware. They are used by cybercriminals to steal data not limited to login credentials but including contact lists, text messages, personal details, and other information that can be used in social engineering attacks.
Identity theft alone is already a massive $56 billion problem in the United States according to a study by Javelin Strategy and Research. It has affected some 49 million Americans in the past year. Spreading malware and directly siphoning data through mobile apps are among the methods employed by cybercriminals to successfully take over accounts and use stolen information for fraudulent purposes.
It is the responsibility of financial service providers to make sure that their apps are optimally secure. First and foremost, they need to ensure that their code is secure, and this can only be achieved through rigorous security testing. They also need to be careful with the libraries they depend on. Additionally, they should employ appropriate encryption as well as strong authentication and proper session handling. Of equal importance is the use of secure and authorized APIs.
Customers, however, also have important roles to play to make sure that they maintain security as they use financial service apps. First, they need to ensure that they only download and install apps from safe sources. These are the official website of the bank or financial service provider and official app stores such as Google Play and the Apple App Store.
Additionally, customers must use complex passwords and two-factor authentication. Most banks already require multi-factor authentication, with some even requiring a verification code for every transaction. Customers should not try to bypass or opt out of these security measures.
It is also important to be careful in using public Wi-Fi for internet access. As much as possible, customers should avoid using public Wi-Fi unless they use a VPN.
Moreover, it is advisable to regularly update apps. Responsible companies promptly provide updates or patches to their apps to address emerging security threats. Customers cannot take advantage of these security updates if they refuse to update or defer updates because they find it inconvenient.
Ensuring protection for banks and their consumers
In conclusion, financial service providers should be mindful of app security because it is undeniably the logical thing to do. Security problems arising from hastily developed and published apps can expose financial service companies and their customers to cyber theft or security breaches that result in huge reputational losses.
Making sure that apps are secure is the primary responsibility of the app creators or providers. However, no developer can make their apps absolutely secure. Users, too, need to follow best practices, as their behaviour can be instrumental in defeating the security controls built around apps.