
Bank App customers are right to worry about their Personal Data

This is an issue that has worried us for a while.

For over seven years we've been working in the Mobile Financial Services space, and throughout that period we have heard time and time again, in our interactions with banks, payment experts and others, that Fraud is their number one concern.

  • Why is that?
  • What is their expectation of Fraud, Loss or even Liability?
  • Do they worry more about criminals getting into their networks?
  • Or actually about smart customers managing to get goods or services for free?

Maybe I'm a cynic, but isn't this latter point passing the buck? The customer is apparently under suspicion as a potential fraudster from the moment he opens a bank account. Hardly a good way to begin a relationship.

This is compounded by what the ordinary customer perceives as the risk, and as the reason for security: to her it's not fraud per se, it's the full spectrum of information held, managed and shared by the Bank that concerns her.

To better understand consumer perceptions and awareness of third-party personal and financial data collection, The Clearing House conducted a survey of more than 2,000 U.S. banking consumers, and oversampled to reach 1,500 fintech users, in Q1 2018.

One conclusion from The Clearing House's excellent research jumped out at me immediately:

  • Nearly nine in ten consumers (89%) said they are concerned about data privacy and data sharing—and more than two-thirds (67%) are very or extremely concerned

Bank Customers are concerned about their Personal Data, so why do the Banks not appear to give a damn?

In the research our Security Lab conducted with UL Labs last year, we found that mobile security was pretty poor globally: 95% of the mobile banking apps tested came nowhere near the standards required of, for example, mobile payment apps. Our ongoing research and testing of banking apps hasn't changed this view.

The main weaknesses are in the protection of the customer's Personally Identifiable Information. Secondary to this are the bank's own APIs; these are pretty visible too.

Of course, to be fair to the Banks, their other worry about Fraud is mass attacks on apps to gain large amounts of cash. But those are rare and very difficult to actually deliver, especially where tokenised payments are correctly applied.

The same cannot be said of malware on a mobile device sniffing Personally Identifiable Data while the customer on-boards to a digital bank. That is pretty easy.

Our research shows that Personally Identifiable Information can often be seen in simple analysis: it is visible at input, it is visible where it is stored, and it is visible as it is passed through to the server-side back-end. Corroborating information can also be seen in the clear: photos of driving licences or passports used for KYC, fingerprint data from the scanner sent to the operating system, and the crypto used for facial or voice biometrics can all be accessed.
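As an added illustration of the "simple analysis" the paragraph refers to, the script below is an example written for this page, not code from the original post or from the author's lab. It walks a constructed, decompiled-looking KYC screen line by line and flags the three places the paragraph names: PII-named inputs written to plaintext SharedPreferences (storage), PII echoed to logcat (visible on the device), and a cleartext http:// endpoint (pass-through to the back-end). The PII field names, the sample source and the class/variable names are all assumptions made up for the example; a store declared as EncryptedSharedPreferences is deliberately not flagged, so the hardened form can be seen beside the weak one.

```python
"""Toy static triage of decompiled Android/Java-style source for PII handling.

Added example for this page. The sink patterns reflect well-known Android APIs
(SharedPreferences.Editor.putString, android.util.Log, cleartext http:// literals);
the PII term list and the sample source are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Identifiers that typically carry PII on a KYC / on-boarding screen.
# Assumption: this list is illustrative, not taken from any real app or standard.
PII_TERMS = (
    "passport", "licence", "license", "dob", "date_of_birth", "ssn",
    "national_id", "selfie", "fingerprint", "address", "postcode",
)

# A store declared as EncryptedSharedPreferences is treated as hardened storage.
ENCRYPTED_DECL = re.compile(r"\bEncryptedSharedPreferences\s+(\w+)\s*=")
# <receiver>.edit().putString("<key>", ...) -- receiver is checked against the set above.
PUT_STRING = re.compile(r'\b(\w+)\.edit\(\)\.putString\(\s*"([^"]+)"')
# android.util.Log calls: whatever is logged is readable via adb logcat.
LOG_CALL = re.compile(r"\bLog\.[dviwe]\(")
# A cleartext endpoint literal: the value crosses the network unencrypted.
CLEARTEXT_URL = re.compile(r'"http://[^"]+"')


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line in the analysed source
    category: str    # storage:... / log:... / network:...
    severity: str    # critical when a PII-named value visibly reaches the sink
    text: str        # the offending statement, stripped


def mentions_pii(line: str) -> bool:
    """True if the statement names a PII field (case-insensitive substring match)."""
    lowered = line.lower()
    return any(term in lowered for term in PII_TERMS)


def triage(source: str) -> list:
    """Return findings for every sink in `source`, raising severity to 'critical'
    when the same statement also names a PII field."""
    findings = []
    encrypted_stores = set()
    for no, line in enumerate(source.splitlines(), start=1):
        decl = ENCRYPTED_DECL.search(line)
        if decl:
            encrypted_stores.add(decl.group(1))   # remember the hardened store's variable
            continue
        pii = mentions_pii(line)
        put = PUT_STRING.search(line)
        if put and put.group(1) not in encrypted_stores:
            findings.append(Finding(no, "storage:plaintext-prefs",
                                    "critical" if pii else "medium", line.strip()))
        if LOG_CALL.search(line):
            findings.append(Finding(no, "log:logcat",
                                    "critical" if pii else "medium", line.strip()))
        if CLEARTEXT_URL.search(line):
            findings.append(Finding(no, "network:cleartext-http", "high", line.strip()))
    return findings


# Constructed snippet resembling a decompiled KYC screen. Not from any real banking app.
SAMPLE_SOURCE = """\
public class KycActivity extends AppCompatActivity {
    private static final String KYC_URL = "http://api.examplebank.test/v1/kyc";
    void onSubmit() {
        String passportNo = passportField.getText().toString();
        String dob = dobField.getText().toString();
        Log.d("KYC", "submitting passport=" + passportNo + " dob=" + dob);
        prefs.edit().putString("passport_number", passportNo).apply();
        prefs.edit().putString("theme", "dark").apply();
        EncryptedSharedPreferences secure = SecurePrefs.open(this);
        secure.edit().putString("session_token", token).apply();
        client.post(KYC_URL, buildBody(passportNo, dob, selfieBytes));
    }
}
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.severity:<8} {f.category:<24} {f.text}")
```

Run against the constructed source it reports four findings: the cleartext endpoint on line 2, the passport number logged on line 6 and stored in plaintext on line 7 (both critical), and a harmless plaintext preference on line 8 (medium); the session token written through the EncryptedSharedPreferences store is not reported. Against a real app the same pass would be run over the output of a decompiler such as jadx, and the regexes would be the first filter before manual review, not the verdict.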

If we can see these, so can the attackers, and they will not simply write a blog: they will build mass-attack malware to exploit this data. The financial services company may never know where the data leak came from; the data can be gathered and lie fallow for months before being sold on by the bad guys once a critical mass has been assembled.

Lawyers and risk analysts in the bank will fall back on their Ts&Cs. They will tell you that you should use malware detection tools on your phone (which don't work), or that you can't run their app on a rooted phone (whose phone is it anyway?), or that you should have read the Ts&Cs thoroughly. These are (as we say in the UK) a cop-out, and I hope they won't be accepted as an excuse when regulators' fines are considered.

Mobile financial apps are among the most powerful tools the banks have; there is a reason they advertise them constantly. It will be interesting to see the first GDPR case brought against a mobile banking app provider (established or challenger), or worse still, a US lawsuit for identity theft traceable to a mobile app...

It's just a matter of time.


Comments: (3)

A Finextra member - 30 August, 2018, 11:11

Fully agree - have a look at www.Sedicii.com, who have an innovative way of addressing this.

A Finextra member - 30 August, 2018, 11:30

Thanks for the link, they are one of many companies. The challenge however is that when we do find ID solutions or their agents in the code, we can generally patch them out from the app. The fact we can find them proves the issue; no one should be able to do that.

Bo Harald - Transmeri, Demos, Real Time Economy Program, MyData - Helsinki Region - 18 November, 2018, 16:25

GDPR should take care of this fear - and MyData.org aims at making data also useful.


This post is from a series of posts in the group:

Data Management 101

A community blog about data and how to manage it
