3 Mobile Banking Risk Reduction Steps

March 29, 2017 Marketing GrafWebCUSO

A recent study by Oxford Economics found that 70% of consumers worry about hackers stealing their personal information and 55% feel mobile money is less secure than a physical wallet.

Furthermore, in January, IBM, Ponemon and Arxan revealed that 44% of organizations are taking no steps to protect their apps.

This is especially worrisome given that some 65% of the U.S. population carries smartphones and that a Federal Reserve report revealed 53% of smartphone owners with a bank account used a form of mobile banking in 2015.

Mobile and IoT app security expert Mandeep Khera discussed how consumers can validate their security on mobile apps and what steps financial institutions and payment app companies must take to assuage security concerns and vulnerability to hacking and sensitive data leaks.

1. What are the common risks around mobile payment and banking apps?

“Mobile banking and payments are prime targets for hackers,” Khera said. He added that, if left unprotected, the code can be exploited by hackers for their own financial benefit as well as for malicious intent. They can steal IP, siphon off money to their own accounts, create duplicate apps, steal credentials and access consumers’ accounts, etc.

2. What types of questions should financial institutions and consumers ask related to their security and the security of these apps?

Khera suggested, “Both financial institutions and consumers should ask how these apps are protected. Not only do you have to make sure that the source code of the web app is secure with major vulnerabilities fixed, you also have to extend the secure development lifecycle to mobile apps and make sure that the binary code is protected.”

“Most companies stop at the web app level and the binary code is in the wild – vulnerable and low-hanging fruit for hackers who can use off-the-shelf tools to decompile and exploit the application,” Khera noted. Companies should also guarantee the security of cryptographic keys, as well as APIs, which hackers could swipe to reach the source code.

In addition, many consumers don’t ask their financial institutions questions about the app’s security and they should. “They need to educate themselves and understand the risks of using the app. Even if the bank reimburses them for the financial losses, they could potentially lose their personal information to hackers which could be sold on the dark web to others.”

3. What concealed risks exist in today’s mobile transaction space?

“Most mobile apps are inherently insecure and most companies have been ignoring them because there haven’t been a lot of visible hacks,” Khera stated. “The fact is that most likely, hackers are in most of these applications and exploiting the heck out of them.” Hackers, he added, have no incentive to publicize these hacks because it’s a good source of income. “Companies need to realize that one hack can result in millions of dollars in losses from brand damage, theft, stock price decline, compliance penalties, and much more. Investment in protection of mobile banking and payments apps is a smart investment.”