How Mobile Devices Affect Your Credit Union and Members
To be, or not to be mobile, that is the question.
Either way, you’ve got a problem.
Thirty-two percent of U.S. adults bank online via their mobile phones, according to an August 2013 report from the Pew Research Center. Mobile banking has doubled since 2011. Last year, Juniper Research reported there were 590 million mobile banking users and expects the number to hit one billion by 2017.
Need help running all this mobile banking? There's an app for that. Aye, there's the rub. Mobile apps for both iOS and Android have vulnerabilities that could provide attackers with personally identifiable information about your members, including the current location of their mobile devices. Insecure Web and mobile apps can allow attackers to intercept member data and sensitive company data, both in transit and at rest. What's more, vulnerable Web apps could give attackers access to your servers. With nearly eight out of 10 consumers wanting more banking interactions via mobile, according to a recent study by analytics software company FICO, you'll likely be providing more mobile options to suit members. In turn, you'll likely be using more mobile applications, vulnerabilities and all.
After testing hundreds of mobile banking applications, security researchers have found that many of them are susceptible to a range of attacks. Banking applications generally use SSL to encrypt data in transit over the Internet, but 90% of the tested apps opened several unencrypted connections during normal operation. That lets an attacker intercept the traffic and present a fake logon prompt.
Seventy percent of the apps offered no additional authentication method as a second layer of security. The log files generated by the apps exposed information that could leak and allow attackers to find and develop exploits against users. Forty percent of the tested apps neglected to validate the authenticity of the server's digital certificate, leaving them open to man-in-the-middle attacks. Cybercriminals also build versions of banking apps that look and behave exactly like your authentic apps, with malware hidden inside, and distribute them through third-party stores. To keep members away from those copies, advise them to start from your home page and click a button that sends them directly to the Apple or Android store to download your mobile app.
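The certificate-validation failure described above (40% of tested apps not checking the server's certificate) is the kind of defect a reviewer can catch in configuration before release. The following is an added example, not code from the article or from any banking app it tested: it uses Python's standard ssl module to show the weak client configuration beside the corrected one, and an audit function that flags the weak settings. The function and context names are assumptions made for this illustration; the same three checks (certificate required, hostname matched, legacy protocol versions refused) apply to whatever TLS library a mobile app uses.

```python
"""Added example (not from the article): audit a client-side TLS configuration
for the certificate-validation failures the article describes.

weak_context() reproduces the anti-pattern (accept any certificate);
hardened_context() is the corrected configuration; audit_tls_context()
returns findings so a build review can reject the weak one.
"""
from __future__ import annotations

import ssl


def weak_context() -> ssl.SSLContext:
    """Anti-pattern, constructed for illustration: a client that trusts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # self-signed or attacker-issued certs are accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: system trust store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, default CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings for a context; an empty list means it passed."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version below TLSv1_2)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        problems = audit_tls_context(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The audit reports the weak context's missing certificate and hostname checks and returns nothing for the hardened one. Whether the weak context also trips the protocol-version check depends on the OpenSSL build and system policy, which is why the hardened context sets minimum_version explicitly rather than relying on the library default.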
No mobile device, whether company issued or otherwise, should ever be allowed to connect to your network in any manner, because any malware on the device could infect your network. Mobile antivirus is not 100% effective and can easily be disabled. Most mobile users have no idea that many mobile applications come with malware built in; when users install such an app, the malware can disable the antivirus. A 2013 Kindsight Security study found that at any one time 11.6 million mobile devices are infected, creating a risk that attackers can steal funds from your members' accounts. The most popular mobile banking malware, Zitmo, is a Trojan that steals financial transaction information so the attacker can later go into the user's account and steal funds. Zitmo forwards all incoming SMS messages to a remote Web server so the attackers can grab the mobile transaction authentication numbers, or mTANs, defeating that security control.
Take Arms Against a Sea of Troubles
While nothing can guarantee the security of mobile banking, you can take the following steps to help prevent fraud.
Provide users with policies and advisories so they are well-informed of your mobile banking guidelines.
Address security vulnerabilities during development.
Manually audit and assess applications before launching them.
Provide users with additional levels of security like multifactor authentication services and text message notifications.
Ensure all your applications are built with secure data transmission standards, secure data storage and application logging.
Examine your current Web and mobile application designs at least quarterly, and test the apps directly through the user interface.
Assess the security and compliance risks of your entire mobile application, the backend systems and network it connects to, and the interactions and data flows between them.
Conduct detailed manual technical testing and a targeted source code review to expose vulnerabilities that are not apparent from user-interface testing alone.
Have an independent security consultant assess your app's security from the app itself to your backend supporting systems and the communications in-between.
Test Internet-facing systems that support the mobile application.
Work with an expert who can tell you exactly what you need to do to fix holes in your apps to protect your network and data, and to be compliant with industry regulations.
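The item above about building apps with secure application logging ties back to the earlier finding that app log files exposed member information. One concrete way to meet it is to redact sensitive fields before a log record ever reaches a file. The following is an added example, not code from the article or from any credit union's app: it uses Python's standard logging module to attach a redacting filter to a logger and runs it over a few constructed log lines. The field names (account=, mtan=, lat=/lon=) and the sample lines are assumptions made for the illustration; a real app would tune the patterns to its own log format.

```python
"""Added example (not from the article): redact member data from application
log records before they are written, so a leaked log file cannot expose
account numbers, one-time mTAN codes or device location.
"""
from __future__ import annotations

import logging
import re

# Patterns are constructed for this example and cover the data the article
# names: account numbers, mTAN/one-time codes and device location.
_ACCOUNT = re.compile(r"\b(?P<prefix>\d{4,})(?P<last4>\d{4})\b")   # any run of 8+ digits, keep last 4
_MTAN = re.compile(r"(?i)\b(mtan|otp|code)=\d{4,8}\b")             # one-time codes are dropped entirely
_LATLON = re.compile(r"(?i)\b(lat|lon|lng)=-?\d+\.\d+")            # GPS coordinates


def redact(message: str) -> str:
    """Mask sensitive fields in one log message; safe to call on any string."""
    message = _MTAN.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)
    message = _LATLON.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)
    # Digit runs last, so codes already replaced above are not mistaken for accounts.
    message = _ACCOUNT.sub(lambda m: "*" * len(m.group("prefix")) + m.group("last4"), message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrite the record's message before any handler formats or stores it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # merge args first, then redact
        record.args = ()                          # args are now baked into msg
        return True


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the effect can be inspected (illustration only)."""

    def __init__(self) -> None:
        super().__init__()
        self.records: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


# Constructed sample log lines; not real member data.
SAMPLE_LINES = [
    "transfer ok account=123456789012 amount=250.00",
    "sms received mtan=483920 from=+15551234567",
    "device check-in lat=40.7128 lon=-74.0060",
]


def redact_lines(lines: list[str]) -> list[str]:
    """Apply redact() to each line; used to show the raw transformation."""
    return [redact(line) for line in lines]


def capture_redacted(lines: list[str]) -> list[str]:
    """Run the lines through a logger with the filter installed and return what a handler would write."""
    logger = logging.getLogger("mobile-app-redaction-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addFilter(RedactingFilter())  # logger-level, so every handler sees redacted records
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    return handler.records


if __name__ == "__main__":
    for rec in capture_redacted(SAMPLE_LINES):
        print(rec)
```

Attaching the filter to the logger rather than to one handler matters: a second handler added later (a crash reporter, a remote log shipper) still receives the redacted record. The digit-run pattern is deliberately coarse and will also mask phone numbers and long timestamps; for a banking app that is the right default, since a masked timestamp costs far less than a leaked account number.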