19 September 2014

PCarroll

Pat Carroll - ValidSoft

75 | posts 265,370 | views 37 | comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Malware , the Achilles Heel of Mobile Adoption

30 January 2014  |  2587 views  |  0

Malware is hitting mobile like nobody’s business. It is a sad fact of life - hackers, fraudsters, cyber-criminals and the like will never go away and will evolve and adapt as our payment landscape evolves too.

The real question is whether we have the tools to counter those malware attacks so our customers can securely do their business on their mobile. The highlighted report gives a far from re-assuring answer. Banks, from reading the report, seemingly have a long way to go to secure their mobile apps. On the one hand there is no arguing with the fact that banks do have a responsibility to protect their customers but have relatively limited exposure to this platform compared with traditional web development. On the other hand, many of the vulnerabilities the blog describes are stepping stones to theoretical attacks; nothing significant has actually been orchestrated yet. Many of the banks apps available today have limited functionality due to security concerns, yet there is no reason why with the implementation of the right technology to the mobile channel can’t be utilised for high value and other high risk transactions.

I have said this before, the best way to fight fraud is to encourage industry collaboration and work with banks on setting strong authentication standards. Some consumers may be scared off by these latest statistics, yet the majority will carry on regardless, and whilst it is of course a numbers game, the vast majority of mobile banking app users will be safe. In fairness, consumers should expect to be safe using mobile banking apps and that they are protected by their banks. Most consumers will believe that this is the case until they themselves are the victim of identity theft or fraud, and unfortunately when that happens the experience and consequences can be very nasty indeed.

If we look at how malware has developed over the past few years, the report clearly shows a focus on the exploitation of  weaknesses in the mobile channel similar to those in the traditional online channel. Education has to play a major role in all such cases – a good software developer, or app developer does not necessarily mean that secure software code will result, and the distributed nature of software development combined with a lack of central architectural security standards to assist the developer in writing secure code, means that there is always the propensity for vulnerable code to be deployed in production. The report by IOActive Labs research clearly emphasises this. Expert assistance in security code reviews and intrusion analysis is a fundamental part of the software development process, combined with a sustained investment in software development education. And we can’t stop there.

Hackers exploit weaknesses everywhere: in process flows; in software code; in run-time environments; in operating systems. Wherever a weakness or “back door” exists, the hacker will exploit. So, alongside our good intentions and good practice, since no wallet or app exists in a vacuum, we still must adopt the strategy that everything has been or can be compromised, because only when we accept that this is possible can we begin to truly understand the importance of a layered security approach where visible and invisible layers are combined in real-time to create very complex security models but where all the complexity is hidden from the end user.

Such an approach is the same for the mobile channel as it is for the online channel, however the mobile channel is far less tolerant of any customer “friction”. Unlike traditional PC based Internet banking, mobile banking really does not lend itself to the use of separate security devices or even SMS. For mobile banking to grow it primarily needs to have an excellent customer experience, be  functionally rich and safe. The market already offers solutions that can protect mobile banking with no negative impact on customer experience. Those solutions utilise an invisible layered approach to security combined with and high fidelity voice based authentication and transaction verification over the cost effective data channel, providing the ultimate balance in invisible strong security and very low friction to the consumer.

The same solution means no keying of OTPs into the phone or carrying additional devices. The combination of usability, portability and security allows banks to deploy the functionality that will drive the adoption of M-banking as well as make it more secure.

 

 

TagsMobile & onlinePayments

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

iHack Hastens Call for Multi-factor Authentication

05 September 2014  |  2226 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security

The Next Target-Style Attack This Holiday Season?

11 August 2014  |  1730 views  |  1  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

Securing Transactions Means More Than Just Authentication

10 July 2014  |  2451 views  |  0  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

'Trust but Verify' : Trust in Data Protection and Mobile

13 June 2014  |  2349 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services
name

Pat Carroll

job title

Founder/Executive Chairman

company name

ValidSoft

member since

2011

location

London

Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Ketharaman Swaminathan
Kenneth Carnesi
Andrew Smith