22 Jun 2020
It’s interesting how quickly our use of digital technology can feel normal.
Several years ago, transferring your half of the bill to a friend with a quick tap on your smartphone sounded pretty futuristic.
These days we do it all the time.
It’s quite common to hear younger Londoners telling each other to “Monzo me” or to “find me on Revolut” if money is owed when they say their goodbyes.
But there are others - 23% of Brits according to a YouGov study earlier this year - who are still uncomfortable with online banking.
And this word, uncomfortable, hints at an ongoing issue for mobile banks. As long as bad actors continue to succeed with their attacks, mobile banks will fail to convince everyone to move from traditional banks.
So, what’s the answer? How can we secure a safer future for mobile banking?
The number one target for bad actors
The YouGov figures shouldn’t mask the rapid growth of mobile banking. After all, the consultancy Caci reported that in 2019 there were more customers using mobile banking apps than there were using more traditional internet banking.
With good reason, too. As with most digital technology innovations of recent years, mobile banking has made our lives easier.
And while it’s true that usage skews towards younger demographics, that’s the generation mobile banks are most interested in. That’s where their growth will come from over the next few years.
The issue, as is the case with IoT, is that where we see opportunities for growth, so do bad actors.
For attackers, mobile banking is among the most lucrative targets there are. Beyond harvesting valuable personal data, they can steal money directly from the bank’s customers.
And their starting point is often the app itself: pulling the binary apart with static analysis, then running it under a debugger or a hooking framework to watch what it actually does (dynamic analysis).
The danger posed by dynamic analysis
By running a mobile banking app on a rooted or jailbroken device under a debugger or an instrumentation framework, attackers get to watch how it works at runtime: which functions handle login, how a transfer request is assembled and signed, and where session tokens and keys sit in memory.
It’s like opening a door into a library that holds the instructions for how the app is put together. Once inside, they can take a look around and scope out that library for weaknesses.
Dynamic analysis, together with decompiling the binary, is also the starting point for reverse engineering the app. Once attackers understand it, they can modify it, re-sign it with their own key and release a lookalike that customers might download by mistake, whether from Google Play or the App Store, from a third-party store, or from a link in a phishing message. One caveat worth knowing: on Android a re-signed copy can never install as an update over the genuine app, because the signing key differs, so it always arrives as a separate install.
Those customers wouldn’t notice anything untoward at first. The lookalike is almost identical to the original, and you’d be hard-pressed to spot a difference. That is, until a transfer is made and it’s the attacker’s account that the money lands in.
Mobile banks are faced with other threats, too.
The breach suffered by Capital One last year made headlines around the world, even though it came through a misconfigured cloud environment rather than the mobile app. And even before it happened, the New York Times was reporting that banks were learning lessons from the military in order to ward off hackers.
This shows how seriously some banks are taking the threat. Those who have already suffered an attack can testify to how hard it is to win back the trust they had worked so hard to build with their customers.
But fake apps seem to be the growing threat that many banks have yet to find a reliable solution for.
How to keep hackers out of the library
If we return to the library metaphor, the danger comes from letting the attacker into the library in the first place. You need to keep its door locked.
In practice that means hardening the app so that attackers can’t get their bearings: obfuscating the code (renamed symbols, flattened control flow, encrypted strings and assets) so that a decompiled copy is hard to read; having the app verify at runtime that it is still signed with the bank’s own certificate, so that a repackaged copy refuses to run; detecting an attached debugger, a hooking framework or a rooted or jailbroken device; pinning the server’s certificate so that traffic can’t simply be intercepted; and keeping cryptographic keys in the platform’s hardware-backed keystore rather than in the app’s own files. None of this makes reverse engineering impossible, but it raises the cost of an attack considerably.
The problem is that not all mobile banks apply this level of in-app hardening. That’s despite their customers relying on them to do so, and demanding other security features such as temporarily freezing a payment card.
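The runtime side of that hardening, as an added example that is not code from the original post or from any particular bank: a small Kotlin integrity guard for an Android app that implements the checks most relevant to the fake-app scenario above, a pinned signing-certificate fingerprint that catches a repackaged copy, plus detection of an attached debugger, a debuggable build and a loaded instrumentation library. The package name, the fingerprint value and the list of library names are assumptions for illustration.

```kotlin
// Added example (not from the original post): runtime integrity checks for an
// Android banking app. Package name, fingerprint and library names are assumptions.
package com.example.bank.integrity

import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Debug
import java.io.File
import java.security.MessageDigest

object IntegrityGuard {

    // SHA-256 of the release signing certificate, as printed by
    // `apksigner verify --print-certs`. Placeholder: substitute your own value.
    private const val EXPECTED_CERT_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000"

    // Libraries that commonly appear in /proc/self/maps when a hooking
    // framework is attached. Heuristic list, assumed for this example.
    private val SUSPICIOUS_LIBS = listOf("frida-agent", "frida-gadget", "libfrida", "xposed")

    data class Verdict(val ok: Boolean, val reasons: List<String>)

    // A repackaged APK is signed with the attacker's key, so its certificate
    // fingerprint will not match the one compiled into the app. Requires API 28+.
    fun signingCertMatches(context: Context): Boolean {
        val info = context.packageManager.getPackageInfo(
            context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
        )
        val signers = info.signingInfo?.apkContentsSigners ?: return false
        if (signers.isEmpty()) return false
        val sha256 = MessageDigest.getInstance("SHA-256")
        // Every signer must match; an app signed with a single key has exactly one.
        return signers.all { sig ->
            sha256.digest(sig.toByteArray())
                .joinToString("") { "%02x".format(it) } == EXPECTED_CERT_SHA256
        }
    }

    // A debugger attached to the process, or the process waiting for one.
    fun debuggerAttached(): Boolean =
        Debug.isDebuggerConnected() || Debug.waitingForDebugger()

    // Release builds must never be debuggable; the flag makes ptrace trivial.
    fun debuggableBuild(context: Context): Boolean =
        (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0

    // Hooking frameworks inject a shared library into the target process; look
    // for it in our own memory map. A renamed agent will evade this check.
    fun instrumentationLoaded(): Boolean {
        val maps = runCatching { File("/proc/self/maps").readText() }.getOrNull() ?: return false
        return SUSPICIOUS_LIBS.any { maps.contains(it, ignoreCase = true) }
    }

    // Run all checks. Callers refuse sensitive operations when ok is false and
    // report the reasons to the backend so the installed base can be monitored.
    fun check(context: Context): Verdict {
        val reasons = mutableListOf<String>()
        if (!signingCertMatches(context)) reasons += "signing certificate mismatch"
        if (debuggerAttached()) reasons += "debugger attached"
        if (debuggableBuild(context)) reasons += "debuggable build"
        if (instrumentationLoaded()) reasons += "instrumentation library loaded"
        return Verdict(ok = reasons.isEmpty(), reasons = reasons)
    }
}
```

Call `IntegrityGuard.check` from `Application.onCreate` and again immediately before a transfer is submitted, and send the verdict to the backend rather than only acting on it locally. Keep in mind that the checks are themselves a target: the same hooking framework they look for can patch them out, which is why they belong inside the obfuscated part of the code and should be backed by a server-side device attestation check. They raise the attacker’s cost; they are not a guarantee.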
But as I’ve said, it’s not only their customers’ data and finances these banks stand to lose, but their own reputation, too. It takes a lot less time for customer trust to evaporate than it does to build it up in the first place.
If some mobile banks are being a bit lax with their security, their hand could be forced in the coming months. In Europe, the second Payment Services Directive (PSD2) and its regulatory technical standards on strong customer authentication oblige banks to authenticate customers with two independent factors and to protect those factors against a compromised or tampered device when the customer’s phone is one of them, which puts the integrity of the app itself squarely in scope.
However it happens, it’s clear that the main threat to mobile banks begins with attackers analysing the app itself. And the best way to prevent that, and to secure a safer future for banks and their customers alike, is to protect what they value most: the code of the app and the secrets it handles.