How safe are your mobile banking apps?

1 June 2012 Information Security

Not very, based on the findings of a 2011 study by digital forensics and security firm, viaForensics. According to the study, 25% of the mobile banking apps tested did not provide adequate security: passwords, partial credit card details, payment history and transaction details were easily retrieved from the handset. What is more, another 31% of banking apps had less severe security issues with 44% offering adequate security.

Mobile banking apps actually fared well in comparison to social networking and retail apps – none of these passed the security test – and only 9% of productivity apps made the grade. However, it is clear that banking apps are nowhere near secure enough when you consider the potential fallout from having banking details compromised.

And when one considers the predictions that as consumers move more of their banking and shopping activities onto mobile devices, hackers and criminals are going to be increasingly targeting these devices. What is more, they have years of experience in the PC world to draw on, so all indications are that mobile security issues are going to evolve far faster than they did in the PC world.

Surely banks and developers should have learnt these same lessons and be keeping ahead of criminals? Unfortunately, several factors about the current mobile development landscape mean that security is left to the last minute, or not even considered at all, rather than being a priority from the start. These factors include a focus on speed to market and grabbing marketshare, outsourced development projects running over time and budget, and hiring software developers with little security experience.

Beefing up mobile security

As ever in the fragmented mobile market, it is important to understand the various security capabilities of different mobile technologies and to offer transactional services accordingly:

USSD

USSD offers the least amount of security, with weak encryption capabilities to protect information sent over the mobile network and several inherent security issues with the technology itself. No matter how well a USSD service is implemented, it can never offer adequate levels of security so should be reserved for more basic services.

Mobile Web

Despite including SSL (secure sockets layer) encryption, security on the mobile Web is also problematic. For a start users have to check that their browser trusts the site by looking for clues that differ from browser to browser. Also in many cases and especially on older phones, the certifying authority has already been hacked. So despite the browser indicating that a site is trusted, it is in fact unsecure.

HTML5

Unfortunately, the introduction of HTML5 is going to do nothing to improve security on the mobile Web. Simply put, the specifications have not considered security at all and new features, such as local storage, make security levels on the mobile Web significantly worse than the status quo.

Applications

Mobile applications have the potential to offer the highest levels of security, but only if this is implemented properly. Too often apps are implemented without utilising security features, or are outsourced to software development teams with no security experience or knowledge. Then factor in variances across different operating systems and the fact that when under time or budget pressure, security becomes the last concern.

Two things need to happen to provide customers with an adequate level of security when it comes to banking applications, both to avoid disaster and also to ensure that customers have the same level of confidence in the bank, irrespective of the channel they are using.

Firstly, inherent security flaws need to be mitigated as far as possible. So rather than rely on standard SSL security and certification authorities on Web browsers, run a standard, validated security stack that you know has not been compromised. Consider what data is being stored locally and do not store or transmit passwords and other sensitive details as plain text.

Even if inherent risks have been mitigated, only offer services suited to the functionality, security capabilities and user experience of each channel. So, for example, USSD should only be used for non-critical transactions such as balance statements, while a well-implemented app can be trusted to handle more complicated payments and transactions.

Developing mobile services using a mobile enterprise application platform (MEAP) with a built-in, externally verified security stack is the best way to deliver the most suitable service for a mobile channel while still remaining conscious of the channel-specific security concerns.

Wilter du Toit, CEO Virtual Mobile Technologies
Wilter du Toit, CEO Virtual Mobile Technologies

For more information contact Virtual Mobile Technologies (VMT), +27 (0)21 424 7818, [email protected], http://ramp.virtualmobiletech.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Want effective Attack Surface Management? Think like an attacker.
Information Security
Effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure by knowing their environment, deploying a structured approach, leveraging capable tools, and addressing both internal and external risks.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
POPIA non-compliance puts municipalities at risk
Information Security Government and Parastatal (Industry)
Digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
Welcome to the new cyber battleground
Information Security
The Iran-Israel conflict is rapidly redefining modern warfare, pushing the boundaries of cyber capabilities and creating a new, borderless digital battlefield. Fortinet’s CISO, Dr Carl Windsor, offers a critical, in-depth analysis of the escalating tactics and global implications in his latest report.

Read more...
African industries may overestimate cyber defences
Information Security
A significant perception gap exists in security awareness training: 68% of leaders believe training is tailored to roles, yet only a third of employees feel adequately trained. Many organisations only conduct annual or biannual generic training that may not effectively change behaviour.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Corporate and academic teams can register for Kaspersky contest
Kaspersky News & Events Information Security
Kaspersky has announced the registration opening for its new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.