Financial service providers are digitizing to take advantage of the widespread use of the internet and connected mobile devices. This brings convenience to customers, but it also creates new security problems.
One of the most important security concerns for companies that do business digitally and through the web is the use of applications, both native apps on devices and web applications. As financial service providers interact with their customers through apps, new sets of threats and vulnerabilities emerge.
As reported by CSO, the current state of application security does not look promising. Many organizations ship code to production even though they are not sure the apps or programs they release are secure. Also, only 48 percent of organizations invest in security controls to address vulnerabilities in the open-source components of their applications, even though those components make up at least half of the code base at 50 percent of organizations.
App security merits ample attention given the growing volume and sophistication of cyberattacks at present. According to Statista, the finance industry is one of the top targets of cyber threats. Banks and other financial service providers cannot settle for just the basic security controls, especially when it comes to the apps they make their customers use. It is advisable to employ advanced solutions such as Runtime Application Self-Protection (RASP) to protect apps.
Ideally, developers would build security in as they create new programs or applications. Unfortunately, that is often not the case, and many apps ship with weaknesses that expose them to threats such as clickjacking, HTTP response splitting, HTTP method tampering, malformed content, path traversal, command injection, cross-site scripting, request forgery, and CSS and HTML injection. Defenses such as RASP add a layer of protection at runtime that can block exploitation attempts, including some for which no patch yet exists.
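To make two of the flaws listed above concrete, here is an added example (not code from the original article) showing path traversal and command injection in a deliberately vulnerable form next to a hardened form. The statements directory, customer ids, file names and host values are constructed for the demonstration.

```python
"""Added example, not code from the article: two of the flaws named above,
path traversal and command injection, each in a deliberately vulnerable form
next to a hardened one. The statements directory, customer ids, file names and
host values are constructed for the demonstration."""
import os
import re
from pathlib import Path
from typing import List

# Assumed layout: one statements directory per customer under this root.
STATEMENT_ROOT = Path("/srv/bank/statements").resolve()

# Allow-lists for the two user-controlled values used below.
CUSTOMER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def statement_path_vulnerable(customer_id: str, filename: str) -> str:
    """Vulnerable: user input is joined straight into the path, so a filename
    such as '../../../etc/passwd' walks out of the customer's directory."""
    return os.path.normpath(os.path.join(str(STATEMENT_ROOT), customer_id, filename))


def statement_path_hardened(customer_id: str, filename: str) -> Path:
    """Hardened: allow-list the id, resolve the final path, and require it to
    stay inside the customer's own directory (this also catches an absolute
    filename, which Path joining would otherwise let replace the base)."""
    if not CUSTOMER_ID_RE.fullmatch(customer_id):
        raise ValueError("bad customer id")
    base = STATEMENT_ROOT / customer_id
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise ValueError("path escapes customer directory")
    return candidate


def ping_command_vulnerable(host: str) -> str:
    """Vulnerable: builds a shell string meant for subprocess.run(..., shell=True).
    A host like '127.0.0.1; id' makes the shell run the attacker's command too."""
    return f"ping -c 1 {host}"


def ping_command_hardened(host: str) -> List[str]:
    """Hardened: allow-list the host, then return an argv list for
    subprocess.run(argv) with shell=False, so no shell ever parses the value."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("bad hostname")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    evil = "../../../etc/passwd"
    print("vulnerable:", statement_path_vulnerable("acct1", evil))
    try:
        statement_path_hardened("acct1", evil)
    except ValueError as exc:
        print("hardened:", exc)
    print("vulnerable:", ping_command_vulnerable("127.0.0.1; id"))
    print("hardened:", ping_command_hardened("bank.example"))
```

The two hardened functions share one idea: validate the untrusted value against an allow-list, then use an API that treats it as data (a resolved path checked for containment, an argv list with no shell) rather than concatenating it into a string that something else will parse.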
A study reported last year revealed widespread security issues in banking apps: about half of the mobile banking apps examined have flaws that cybercriminals can use to steal sensitive data and commit fraud. Around 43 percent of the apps stored sensitive data without encryption or other protection. Some 76 percent of the vulnerabilities discovered were exploitable without physical access to the targeted device, and more than a third were exploitable without administrator (root) rights.
App security issues are not only a problem for customers who use online or digital banking. As mentioned, apps can be exploited to steal many kinds of information. Customers who only use ATMs or other offline financial services can also fall prey to cybercriminals if their devices hold information that is useful for phishing, baiting, pretexting, tailgating, watering-hole attacks, ransomware, and other attacks that exploit human weaknesses.
Banks and financial service providers stand to suffer financial losses because of app security problems. A NIST report puts the United States' cybercrime losses at hundreds of billions of dollars, or around one to four percent of GDP per year. Financial institutions and service providers absorb the majority of these losses.
Banks guarantee compensation to their customers for theft or other losses traceable to the bank. Failing to protect customers' money therefore translates into financial losses, which can multiply if the company contests the customer's claim and ends up in a lawsuit.
Banks and finance-related businesses also suffer reputational damage from poorly secured apps. This kind of damage usually shows up as indirect losses across different parts of the business. The 2014 security breach against JP Morgan Chase and other banks, for example, was followed by a 0.4 to 0.9 percent drop in the banks' stock prices.
In other cases, news of a security breach leads to a loss of customers. It is not unusual for customers to withdraw or at least reduce their deposits at banks that show weak cybersecurity. Prospective customers may also avoid companies whose weaknesses have become public. Cybersecurity is a serious concern, so it only makes sense for customers to be cautious.
The FBI has issued an advisory about the risks posed by mobile banking apps, particularly with the rise of banking trojans. These trojans, which target banking customers, also act as delivery points for further malware. Cybercriminals use them to steal data, not only login credentials but also contact lists, text messages, personal details, and other information that can be used in social engineering attacks.
Identity theft alone is already a $56 billion problem in the United States, according to a study by Javelin Strategy and Research, and it affected some 49 million Americans in the past year. Spreading malware and siphoning data directly through mobile apps are among the methods cybercriminals use to take over accounts and exploit stolen information for fraud.
It is the responsibility of financial service providers to make their apps as secure as possible. First and foremost, they need to ensure their code is secure, which requires rigorous security testing. They also need to track and vet the third-party libraries they depend on. In addition, they should apply appropriate encryption, strong authentication, and proper session handling. Equally important is the use of secure, authorized APIs.
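"Proper session handling" is easy to say and easy to get wrong, so here is an added example (not the article's own code) of what it means in practice: opaque random tokens, server-side state keyed by a hash of the token, an idle timeout, an absolute lifetime, rotation after authentication to defeat session fixation, and explicit revocation at logout. The timeout values and customer ids are assumed for the demonstration.

```python
"""Added example, not the article's own code: the session handling named above
done properly. Opaque random tokens, server-side state keyed by a hash of the
token, an idle timeout, an absolute lifetime, rotation after authentication
(defeats session fixation) and explicit revocation. The timeout values and the
customer ids are assumed for the demonstration."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed policy: end the session after 15 idle minutes
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: never let a session live past 8 hours


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory store; a clock is injected so expiry can be tested without waiting."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored, so a copy of the store cannot be replayed as sessions.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter
        now = self._clock()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user id behind a live session, or None. Expired sessions are
        deleted on sight; a live one has its idle clock reset."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            del self._sessions[key]
            return None
        session.last_seen = now
        return session.user_id

    def rotate(self, token: str) -> Optional[str]:
        """Issue a new token for the same user and kill the old one. Call this at
        login and on any privilege change so a token set before authentication
        (session fixation) cannot be reused."""
        user_id = self.resolve(token)
        if user_id is None:
            return None
        self.revoke(token)
        return self.create(user_id)

    def revoke(self, token: str) -> None:
        """Logout: remove server-side state so the token is dead even if it leaks."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    first = store.create("cust-42")        # pre-authentication session
    after_login = store.rotate(first)      # rotate once the customer authenticates
    print(store.resolve(first), store.resolve(after_login))
```

The token itself would travel in a cookie marked HttpOnly, Secure and SameSite; the point of the store is that everything security-relevant (who the session belongs to, when it expires, whether it has been revoked) lives on the server, so nothing the client can edit changes the outcome.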
Customers, however, also have an important role to play in staying secure while using financial service apps. First, they should only download and install apps from safe sources, namely the official website of the bank or financial service provider and official app stores such as Google Play and the Apple App Store.
Additionally, customers should use strong, unique passwords and two-factor authentication. Most banks already require multi-factor authentication, and some require a verification code for every transaction. Customers should not try to bypass or opt out of these measures.
Customers should also be careful about using public Wi-Fi. Whenever possible, they should avoid public Wi-Fi unless they connect through a VPN.
Moreover, apps should be updated regularly. Responsible companies promptly provide updates or patches to address emerging security threats, and customers cannot benefit from them if they refuse or defer updates because they find them inconvenient.
In conclusion, app security is something financial service providers must pay attention to. Security problems arising from hastily developed and published apps expose financial service companies and their customers to theft and breaches that cause heavy financial and reputational losses.
Making sure that apps are secure is primarily the responsibility of the app creators or providers. However, no developer can make an app absolutely secure. Users, too, need to follow best practices, since careless behaviour can undermine the security controls built around apps.