5 Ways Banks Can Protect Mobile Banking Apps and Transactions
Mobile banking attacks are at an all-time high, and both the volume and the sophistication of fraud attacks increase year on year. A 2021 threat intelligence report covering more than 200 million monitored devices worldwide recorded an 80% rise, in the first half of 2021, in the number of new banking trojans attacking devices and attempting to steal SMS one-time passwords. In June 2020 the FBI issued a cybersecurity warning anticipating more attacks on mobile banking customers as use of banking apps soared and physical branches declined, partly driven by the COVID-19 pandemic. With more customers banking on their phones and lower barriers to entry for attackers, financial institutions urgently need advanced app security to protect both their customers and their brand.
In a recent video interview, Greg Hancell, Director of Data Strategy, Product Management at OneSpan, discussed the methods and technologies financial institutions can use to protect customers’ devices and transactions. In this article we’ll take you through his top five recommendations, with further insights from security experts.
- Remove static passwords and move to strong customer authentication
- Use contextual authentication with behavioral analysis
- Apply a secure channel with end-to-end encryption
- Apply advanced application security and malware detection
- Increase trust by protecting mobile banking
What are the different types of mobile banking attacks?
Mobile banking attacks could include, but are not limited to:
- Emulator attacks – Scammers first harvest account data and passwords from compromised user devices (devices infected with malware). That data is fed to device emulators, which impersonate the legitimate user's device and automate the flow of typical app interactions, allowing attackers to intercept the SMS text message codes used for authorization and obtain approval for fraudulent banking transactions.
- SIM-swap – A type of account takeover attack in which fraudsters use social engineering to have the victim's mobile number transferred to a SIM card they control. The attacker then receives the SMS verification codes used for two-factor authentication (2FA) and can authorize fraudulent transactions. Financial institutions can mitigate SIM-swap fraud by replacing SMS codes with software authentication built into the mobile banking app, which is bound to the device rather than to the phone number.
- Mobile phishing – Attackers text or email a link that leads to a malicious page or download. The victim clicks the link and is tricked into entering personal details on a webpage they believe is genuine, or unknowingly installs spyware on their device.
- Mobile banking trojans – A file or third-party app that appears legitimate, whether from the Android or Apple app stores or a direct download from a website, but in reality hides malware that targets the mobile banking apps on the phone it is installed on. The malware can then capture banking information and other sensitive data the user submits in order to steal their identity, obtain login credentials, access their bank account or intercept fund transfers.
How to protect devices and transactions from mobile banking attacks with layers of security
1. Remove static passwords and move to strong customer authentication
Greg’s first piece of advice for closing vulnerabilities concerns user authentication – the steps a customer goes through to prove their identity at login or when carrying out a transaction.
“If you're using static passwords, move to second-factor authentication. If you're using SMS for second-factor authentication, then move to strong customer authentication. If you're using strong customer authentication, move to dynamic linking and contextual authentication.”
The gold standard of banking security that Greg advises financial institutions to reach is strong customer authentication with dynamic linking and contextual authentication. Dynamic linking binds the code that approves a payment to that payment's amount and payee, so a code captured or diverted by malware cannot be reused to approve a different transaction.
Strong customer authentication uses multi-factor authentication (MFA) to verify a customer’s identity at login and at transaction authorization. Rather than relying on a strong password alone, MFA combines at least two of the three common factor types – something you ‘know’, such as a PIN; something you ‘have’, such as a mobile device or hardware token; and something you ‘are’, such as a fingerprint or facial scan.
2. Use contextual authentication with behavioral analysis
Contextual authentication, also known as adaptive authentication, takes into account the context and behavior surrounding an event such as a login, the creation of a beneficiary or a transaction. Adaptive authentication and behavioral analysis review large amounts of data about the user’s behavior, device and transaction in real time and produce a risk score. That score triggers automated security workflows that apply exactly the level of security the event requires: a low-risk login proceeds silently, while a high-risk payment prompts an additional authentication challenge. Greg advises that:
“Banks also want to apply behavioral analysis. You want to be able to understand what the user typically does, when they normally connect and what types of devices they have. You also need to make sure that you can really understand their interactions on that device from a financial perspective as well.”
By understanding a user’s typical behavior, banks, financial institutions and other financial service organizations can apply additional authentication challenges when that user’s behavior deviates from their normal activity. In his 2021 article Advanced Authentication: A Plan of Attack for Your Authentication Stack, security expert Sam Bakken explains in more detail how this works:
“An orchestration hub that has an advanced fraud prevention system at its core, can use artificial intelligence and machine learning to evaluate whether a user’s behavior aligns with what’s expected of a real person making a legitimate transaction. If a transaction’s risk signals set off alarm bells, the customer's digital identity can be confirmed with a new authentication challenge and second factor, thereby ensuring secure access to the application.”
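To make the risk-score-to-workflow idea concrete, here is an added example (not code from the article or from OneSpan) of a minimal behavioral scoring function. The profile fields, signal weights and the allow/step-up/block thresholds are illustrative assumptions; a production engine would learn them from data, but the structure, a score built from deviations against the customer's own baseline that selects the authentication workflow, is the one the section describes.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Profile is the behavioural baseline for one customer. A production system
// learns it from the customer's history; this example constructs it.
type Profile struct {
	KnownDevices   map[string]bool // device fingerprints seen before
	SessionsByHour [24]int         // past sessions per hour of day (local time)
	KnownPayees    map[string]bool // beneficiaries paid before
	PastAmounts    []float64       // past transfer amounts
}

// Event is one login or payment request with the context the app reports.
type Event struct {
	Device string
	Hour   int     // hour of day, 0-23, as reported by the client
	Amount float64 // 0 for a plain login
	Payee  string  // "" for a plain login
}

// Decision is the risk score and the workflow it triggers.
type Decision struct {
	Score   int
	Action  string // "allow", "step-up" or "block"
	Reasons []string
}

// typicalAmount is the 95th percentile of past amounts, or 0 when there is no
// history; the amount signal is then skipped rather than treated as safe.
func (p *Profile) typicalAmount() float64 {
	n := len(p.PastAmounts)
	if n == 0 {
		return 0
	}
	s := append([]float64(nil), p.PastAmounts...)
	sort.Float64s(s)
	idx := int(math.Ceil(0.95*float64(n))) - 1
	if idx < 0 {
		idx = 0
	}
	return s[idx]
}

// Score adds a weight for each deviation from the baseline and maps the total
// to a workflow. Weights and thresholds are illustrative assumptions.
func Score(p *Profile, e Event) Decision {
	var d Decision
	add := func(w int, why string) {
		d.Score += w
		d.Reasons = append(d.Reasons, why)
	}
	total := 0
	for _, c := range p.SessionsByHour {
		total += c
	}

	newDevice := !p.KnownDevices[e.Device]
	if newDevice {
		add(40, "unrecognised device")
	}
	if e.Hour < 0 || e.Hour > 23 {
		add(20, "invalid hour reported by client") // never trust client context blindly
	} else if total > 0 && p.SessionsByHour[e.Hour] == 0 {
		add(20, "no previous sessions at this hour")
	}
	if t := p.typicalAmount(); t > 0 && e.Amount > t {
		add(25, fmt.Sprintf("amount %.2f above customer's typical %.2f", e.Amount, t))
	}
	newPayee := e.Payee != "" && !p.KnownPayees[e.Payee]
	if newPayee {
		add(15, "first payment to this beneficiary")
	}
	if newDevice && newPayee {
		add(20, "new beneficiary from a new device (account-takeover pattern)")
	}

	switch {
	case d.Score >= 70:
		d.Action = "block" // hold the transaction for review
	case d.Score >= 30:
		d.Action = "step-up" // demand an extra factor before proceeding
	default:
		d.Action = "allow"
	}
	return d
}

func main() {
	// Constructed profile: one known phone, office-hours usage, one known payee.
	p := &Profile{KnownDevices: map[string]bool{"dev-A": true},
		KnownPayees: map[string]bool{"acme-ltd": true}, PastAmounts: []float64{50, 80, 120, 150, 200}}
	for h := 9; h <= 18; h++ {
		p.SessionsByHour[h] = 3
	}
	for _, e := range []Event{{"dev-A", 10, 100, "acme-ltd"}, {"dev-A", 10, 5000, "new-co"}, {"dev-Z", 3, 5000, "new-co"}} {
		d := Score(p, e)
		fmt.Printf("%-8s score=%3d %v\n", d.Action, d.Score, d.Reasons)
	}
}
```

The combination rule (new beneficiary from a new device) is the important design choice: individual signals are common in legitimate use, but the pairing is the classic account-takeover pattern, so it earns extra weight rather than being scored as two independent events.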
3. Apply a secure channel with end-to-end encryption
To provide the highest level of mobile app security for communication between the bank’s server and a customer’s mobile device, Greg advises financial institutions to deploy a secure channel with end-to-end encryption.
“A secure channel means that only the user's device can decrypt and see the one-time password and the detail relating to that, plus the context.”
This additional layer works by encrypting data on the server side, independently of the transport (TLS) layer, under a key held only by the enrolled mobile app, so that only that device can decrypt it. It secures transport to and from the device and gives both the user and the server a trustworthy communication path. Because one-time passwords and transaction details travel inside this channel rather than as clear-text SMS, malware that can read a phone’s messages gains nothing from them; combined with application shielding, the channel also carries rich device context back to the server for its risk-based decision on the user and their device.
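The following added example (not OneSpan's protocol or code; it is written for this article) shows how the two ideas from sections 1 and 3 fit together: the secure channel, in which the server seals the transaction details for one enrolled device with AES-256-GCM so only that device can read them, and dynamic linking, in which the device computes an approval code over exactly the payee, amount and currency it displayed, so a code cannot approve a transaction that malware has altered. The per-device master key is assumed to have been provisioned into the app at enrollment; the device ID, key material and transaction values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Transaction is what the customer approves. With dynamic linking the approval
// code is computed over exactly these fields, so it is useless for any other payment.
type Transaction struct {
	Nonce    string `json:"nonce"` // fresh per request, issued by the server
	Payee    string `json:"payee"`
	Amount   int64  `json:"amount_cents"`
	Currency string `json:"currency"`
}

// kdf derives a labelled 32-byte sub-key from the per-device master key
// (assumed provisioned at enrollment), so encryption and MAC keys differ.
func kdf(master []byte, label string) []byte {
	h := hmac.New(sha256.New, master)
	h.Write([]byte(label))
	return h.Sum(nil)
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // 32-byte key -> AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the server side of the secure channel. The device ID is bound as
// associated data, so a message cannot be replayed to another enrolled device.
func Seal(encKey []byte, deviceID string, tx Transaction) ([]byte, error) {
	plain, err := json.Marshal(tx)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(deviceID)), nil // nonce || ciphertext || tag
}

// Open is the device side: only the holder of this device's key can read the
// transaction; a wrong key, wrong device ID or any bit flip is rejected.
func Open(encKey []byte, deviceID string, sealed []byte) (Transaction, error) {
	var tx Transaction
	gcm, err := newGCM(encKey)
	if err != nil {
		return tx, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return tx, errors.New("sealed message too short")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(deviceID))
	if err != nil {
		return tx, err
	}
	err = json.Unmarshal(plain, &tx)
	return tx, err
}

// ApprovalCode is the 8-digit code the app computes after the user confirms the
// displayed payee and amount. HMAC-SHA256 over the fields, truncated HOTP-style.
func ApprovalCode(macKey []byte, tx Transaction) string {
	mac := hmac.New(sha256.New, macKey)
	fmt.Fprintf(mac, "%s|%s|%d|%s", tx.Nonce, tx.Payee, tx.Amount, tx.Currency)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation as in RFC 4226 section 5.3
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%08d", v%100000000)
}

// Verify is the server side: recompute over the transaction the server intends
// to execute and compare in constant time.
func Verify(macKey []byte, tx Transaction, code string) bool {
	return hmac.Equal([]byte(ApprovalCode(macKey, tx)), []byte(code))
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed device key
	encKey, macKey := kdf(master, "secure-channel-enc"), kdf(master, "dynamic-linking-mac")
	tx := Transaction{Nonce: "n-1", Payee: "IT60X0542811101000000123456", Amount: 125000, Currency: "EUR"}
	sealed, _ := Seal(encKey, "device-42", tx)
	shown, _ := Open(encKey, "device-42", sealed) // what the app displays
	code := ApprovalCode(macKey, shown)
	tampered := tx
	tampered.Amount = 9125000 // malware changes the amount after approval
	fmt.Println("genuine:", Verify(macKey, tx, code), "tampered:", Verify(macKey, tampered, code))
}
```

Two details matter in practice: the nonce makes every code single-use, so a replayed code fails even for an identical payment, and the server verifies against the transaction it holds, never against fields echoed back by the app, which is what defeats an overlay or a trojan that alters the payee after the customer has approved.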
4. Apply advanced application security and malware detection
As well as improving the security of transaction authentication, Greg also advises that banks should apply advanced application security:
“From a mobile banking space, make use of advanced application security such as application hardening, anti-tampering, and malware detection.”
Application shielding and hardening are types of in-app protection that use code obfuscation, debugger detection, overlay detection and other techniques to protect an application from attacks such as reverse engineering and tampering. No single measure makes an app unbreakable; together they raise the level of effort a malicious actor must spend to attack it.
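As an added example of one of the checks listed above (written for this article, not taken from OneSpan's App Shielding), here is the debugger-detection test available on Android and other Linux-based systems: the kernel reports the PID of any process tracing the current one in the TracerPid field of /proc/self/status, and a non-zero value means a debugger or ptrace-based hooking tool is attached. The sample status text is constructed; the verdict strings are this example's own convention.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// TracerPidFromStatus parses the TracerPid field of a /proc/<pid>/status
// document. 0 means nothing is tracing the process.
func TracerPidFromStatus(status string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "TracerPid:") {
			return strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "TracerPid:")))
		}
	}
	return 0, errors.New("TracerPid field not found")
}

// DebuggerVerdict turns the raw read result into the signal a shielded app
// would report to the server: "clean", "traced" or "unknown". An unreadable or
// malformed status file is "unknown", never "clean": fail closed, because a
// hostile environment may hide the file to defeat the check.
func DebuggerVerdict(status string, readErr error) string {
	if readErr != nil {
		return "unknown"
	}
	pid, err := TracerPidFromStatus(status)
	switch {
	case err != nil:
		return "unknown"
	case pid != 0:
		return "traced"
	default:
		return "clean"
	}
}

// CheckSelf runs the live check; it only means something on Linux/Android.
func CheckSelf() string {
	b, err := os.ReadFile("/proc/self/status")
	return DebuggerVerdict(string(b), err)
}

func main() {
	fmt.Println("this process:", CheckSelf())
}
```

This check is cheap and easy for an attacker to patch out once found, which is why shielding products obfuscate the check itself, repeat it from several places and combine it with other signals rather than relying on it alone.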
Sony Bank, a Japanese direct bank, implemented app shielding to protect its mobile banking app. App shielding protects Sony Bank’s mobile app by preventing reverse-engineering techniques via code obfuscation and anti-repackaging technology. It also actively detects threats such as malicious keylogging, screen-readers, debuggers, emulators, and overlay attacks.
5. Increase trust by protecting mobile banking
In a 2021 article Secure Mobile Application Development: Making the Business Case for App Shielding, we argued that the value of app shielding extends beyond mitigating mobile threats and malicious code on the client-side.
“App shielding can also increase trust, improve the customer experience, and positively impact revenue growth, revenue retention, cost reduction, and cost avoidance…. Research suggests that mobile users who trust their financial institution to protect their personal, account, and payments information are more engaged and transact more in the mobile channel. App shielding, along with a comprehensive mobile app security program, greatly reduces mobile app security risks, which in turn increases trust in a bank.”
Greg Hancell echoes this statement, agreeing that applying the right type of security and protecting the personal data of customers is essential to increase the confidence and trust customers place in the mobile channel.
“If you apply the right type of security, you can increase the confidence and the trust in your digital channel through mobile.”
How to get started with mobile app shielding to protect mobile apps and banking services
Developing a successful mobile banking application is not easy, and development teams contend with pressures from every direction. While it’s important to get an application built, tested and published as quickly as possible, it’s also imperative to protect mobile banking apps.
Mobile app shielding is easy to get started with and can be applied in minutes. Some of the largest banks and financial institutions in the world rely on OneSpan App Shielding to meet their rigorous mobile app security requirements without slowing their app releases. Digital-only bank NewB uses app shielding and cloud-based authentication to protect its mobile app users and their transactions. On the speed of integration, NewB said: “we needed only a few days to configure the OneSpan mobile app shielding capability to protect the NewB mobile banking app we had just developed.”
Raiffeisen Italy also uses mobile app shielding to protect its app and was the first to market with the technology in Italy. The bank can now detect and block attacks on its authenticator app in real time, without interrupting the customer experience. App Shielding was easy to integrate and did not burden the bank’s developers. Its CIO, Alexander Kiesswetter, advised financial institutions looking to do the same to “choose a strong partner with a strategic view of where your digital transformation can go in the future.”