Even before the events of 2020, Australian and New Zealand consumers were embracing banking on the go. A 2021 RFI global digital banking study shows that 73% of consumers are using a mobile app to do their banking, with a significant increase of 12% over the past two years. The uptake of mobile banking apps has risen dramatically across all demographics, bringing with it new vulnerabilities.
In this article, Sandstone Technology outline the data security threats exposed by mobile banking, and a range of solutions the industry is working on to help preserve consumer trust, prevent reputational damage and avoid financial penalties.
Banking trends upping the ante With the pandemic in full swing, Sandstone have seen consumers embrace mobile apps as a convenient, easy and safe way to bank. But beyond COVID, there are other factors boosting mobile adoption. Neobanks continue to spring up, in most cases branchless, offering interaction solely through their apps. After downloading the app, customers can digitally onboard, open their account and continue interacting with their financial services through the app.
Many of the popular ‘buy now pay later’ products are set up so that younger consumers – their primary market – are captured via their mobiles and perform all their interactions through their devices.
And our increasingly cashless society means that many of the newer mobile devices come with built-in wallets to replace physical credit cards, debit cards and loyalty cards.
As consumers leave their wallets at home and adopt digital banking in all its forms, bad agents are zeroing in on mobile banking security vulnerabilities.
Cyber security as we know it Cyber attacks used to be focused on digital banking through laptop and desktop computers. Attackers honed in on popular browsers like Chrome, and operating systems like Windows. Hence the prevalence of Windows viruses reported in the news and cautioned on social media.
But as mobile devices have risen in popularity, we’ve made the pie bigger. We’ve created an even larger digital playground, and there are more agents out there rising to the challenge.
In the biggest data security shift of the last two years, mobiles are now more targeted than Chrome or Windows. And their data security issues are quite distinct from those associated with traditional laptop/desktop-based digital banking. 5 reasons why mobile devices pose security issues
1. Mobiles travel with you Mobile devices are not typically locked to a physical location like a home or office. The customer’s phone is out and about with them, which means there’s always the risk of losing it. Banking apps need extra protection to address that scenario.
2. Two main operating systems prevail Since mobile phones have become ubiquitous across the developing world, iOS and Android have emerged as the most actively used operating systems. That popularity attracts actors who specifically target those two operating systems, trying to find exploits that allow them to monitor activity on the phone or even take over the device.
3. Older phones in the ecosystem New phones are generally supported by manufacturers’ software updates and security patches for about three years. Once the phone gets to four or five years old, there’s a good chance the software that’s running on the phone isn’t being upgraded by the manufacturer anymore and is now exposed to known data security vulnerabilities.
4. App stores are vulnerable too While the Google Play store and the iOS App Store are walled gardens in some respects, their process for uploading apps is not perfect. Sandstone have seen instances where attackers have uploaded fake banking apps that mimic the look and feel of a real bank’s app, in an attempt to capture customers’ credentials and use them to gain access to their banking. And it works. This has happened multiple times in Australia, including among the big 4 banks.
5. Side loading apps When users download apps from another device – e.g., USB, Bluetooth, external storage – rather than from the internet, it may lead them to disable security features in their phones. If this is managed in the wrong way, it could allow malware to be installed on the device, allowing actors to monitor or take over the device. Our mobiles are a battleground Mobile banking users today need to be aware of data security traps. Take phishing via SMS, where the user clicks on a simple link in an SMS that looks legitimate, and is taken to a login page where they’re asked to enter their details.
Credential stuffing is also rife. Attackers use leaked credentials from past data breaches and correlate data sets to try and match a password to a username or email. They then use these in other apps, including banking.
There’s SMS hi-jacking – quite a technical feat – where the attacker ports someone else’s phone number to theirs to enable them to receive the customer’s calls and SMSs.
And a growing threat: supply chain attacks. If an attacker manages to inject malicious code into software libraries used across the IT industry and breaks into the software of a particular IT provider, they can get leverage over one vendor in a supply chain. The chain of dependencies then means other organisations in the chain can be vulnerable to attack. A famous example is the Solar Winds hack, where a breach allowed hackers to spy on private companies.
7 ways Sandstone Technology are counteracting mobile vulnerabilities As digital banking specialists, Sandstone is constantly developing and implementing new security fixes in their mobile banking apps. At time of writing these include:
1. Replacing SMS with push notifications Internet banking adopted 2-factor Authentication (2FA) to improve security for anything deemed sensitive, like a high-value funds transfer. Traditionally 2FA involves a username/password (something you know) and a phone number (something you have). The system sends an SMS containing a one-time password (OTP) and the customer enters this OTP into internet banking. However, SMSs can be hijacked by a technique called SIM-swapping, where an attacker impersonates the customer and tricks the phone carrier into assigning the customer’s number to a new SIM Card owned by the attacker. From that point it hijacks all SMSs to the attacker’s device. Push notifications, on the other hand, are directly linked to the app on the customer’s device and can’t be hijacked to an attacker’s device.
2. Device binding This fix links the physical device securely to the customer’s identity record in the bank. Every Android 7 (or later) and iPhone 5s (or later) device has a piece of hardware that can produce and store a key. Device binding is a process where a key is produced on the device and stored within the customer’s identity record in the bank. Whenever a sensitive action is taken (log in, funds transfer etc.) the key is used to verify if that action originated from the device that produced that key.
3. Malware and jailbreak protection Software is installed on the phone to form part of the mobile banking solution. It then scans for malware and detects if the phone has been jailbroken or rooted.
4. Behavioural fraud monitoring By tracking the way someone physically uses their phone while they’re using the app, and by looking at how a user interacts with the screen – even the way they hold the phone, Sandstone can work out if it’s the same person using the phone as in previous situations. They can also monitor how the user interacts with the bank, e.g., where they usually send money, or which features they utilise within the bank, to develop a model of the user. This makes it easier to detect when they act outside of that.
5. Transport layer security (TLS) public key pinning As a customer browses the web, their browser constantly checks if the connection is secure and displays a padlock when the connection has been validated. This process relies on the computer or browser to have a set of certificates it can trust. Mobile banking apps do the same, but in addition to checking if the connection is secure, they check if the connection is going to a specific server hosted by the bank. This extra step creates a strong communication link between the mobile banking app running on the phone and the digital banking services.
6. Pin-based login Customers are expected to use unique and ‘secure’ passwords to access internet banking. Password managers help facilitate this, but they still rely on the customer remembering a ‘master’ password. With device binding in mobile banking, customers can set up a four to six-digit pin which is easier to remember and quicker to use.
7. Biometric login Most modern iOS and Android devices have built-in biometrics, e.g., fingerprint and/or face reader. This eliminates the risk of forgetting a password or a pin and is more convenient for logging in.
No interruption to the user journey Most financial institutions today are focusing their attention on the digital journey. But more than just introducing new features, the priority is to make that experience as frictionless as possible.
Many of the mobile banking security protections listed above are invisible to the average user. Some features like pin and biometric login actually improve the overall experience. They rely less on traditional methods, (e.g., coming up with a strong password – which people often repeat across apps) and rely more on simple methods like a fingerprint or a 5-digit pin (much easier to remember and backed by sophisticated systems).
Privacy and consumer data legislation in Australia and New Zealand put responsibility for data protection and consumer consent squarely onto financial institutions. Meanwhile, Google Play Store and App Store each have additional requirements for app builders; and the evolution of open banking will make the data imperative even stronger.
Any data breaches will have a long-lasting impact in terms of consumer trust and retention – and attract significant financial penalties. Achieving a secure customer journey is very much a collaborative process between Sandstone Technology and their banking clients, based on Sandstone’s knowledge and experience in the field, and their clients’ knowledge of their own systems and customers.