hitting mobile like nobody’s business. It is a sad fact of life - hackers, fraudsters, cyber-criminals and the like will never go away and will evolve and adapt as our payment landscape evolves too.
The real question is whether we have the tools to counter those malware attacks so our customers can securely do their business on their mobile. The highlighted report gives a far from reassuring answer. Banks, from reading the report, seemingly have a long way to go to secure their mobile apps. On the one hand there is no arguing with the fact that banks do have a responsibility to protect their customers, but they have relatively limited exposure to this platform compared with traditional web development. On the other hand, many of the vulnerabilities the blog describes are stepping stones to theoretical attacks; nothing significant has actually been orchestrated yet. Many of the banks' apps available today have limited functionality due to security concerns, yet there is no reason why, with the implementation of the right technology, the mobile channel can't be utilised for high value and other high risk transactions.
I have said this before: the best way to fight fraud is to encourage industry collaboration and work with banks on setting strong authentication standards. Some consumers may be scared off by these latest statistics, yet the majority will carry on regardless, and whilst it is of course a numbers game, the vast majority of mobile banking app users will be safe. In fairness, consumers should expect to be safe when using mobile banking apps and to be protected by their banks. Most consumers will believe that this is the case until they themselves are the victim of identity theft or fraud, and unfortunately when that happens the experience and consequences can be very nasty indeed.
If we look at how malware has developed over the past few years, the report clearly shows a focus on the exploitation of weaknesses in the mobile channel similar to those in the traditional online channel. Education has to play a major role in all such cases: a good software or app developer does not necessarily produce secure code, and the distributed nature of software development, combined with a lack of central architectural security standards to assist the developer in writing secure code, means that there is always the propensity for vulnerable code to be deployed in production. The research report by IOActive Labs clearly emphasises this. Expert assistance in security code reviews and intrusion analysis is a fundamental part of the software development process, combined with a sustained investment in software development education. And we can't stop there.
Hackers exploit weaknesses everywhere: in process flows, in software code, in run-time environments, in operating systems. Wherever a weakness or "back door" exists, the hacker will exploit it. So, alongside our good intentions and good practice, and since no wallet or app exists in a vacuum, we still must adopt the strategy that everything has been or can be compromised. Only when we accept that this is possible can we begin to truly understand the importance of a layered security approach, where visible and invisible layers are combined in real time to create very complex security models but where all the complexity is hidden from the end user.
Such an approach is the same for the mobile channel as it is for the online channel; however, the mobile channel is far less tolerant of any customer "friction". Unlike traditional PC based Internet banking, mobile banking really does not lend itself to the use of separate security devices or even SMS. For mobile banking to grow it primarily needs to have an excellent customer experience and to be functionally rich and safe. The market already offers solutions that can protect mobile banking with no negative impact on customer experience. Those solutions utilise an invisible layered approach to security combined with high fidelity voice based authentication and transaction verification over the cost effective data channel, providing the ultimate balance of invisible strong security and very low friction for the consumer.
The same solution means no keying of OTPs into the phone and no carrying of additional devices. The combination of usability, portability and security allows banks to deploy the functionality that will drive the adoption of M-banking as well as make it more secure.