Security Insights for the Best Financial Mobile Applications
Beginning in 2010, consumerization was the “it” thing, inspiring new ways for customers to interact with their banks and financial institutions. Back then, CIOs were just considering branchless banking and began dabbling in mobile banking. According to a Nielsen study, the digital transformation at that time proved to be worthwhile as mobile banking customers tended to carry higher balances than the average banking consumer. As confidence and comfort levels with mobile transactions rose, it was a win-win situation with greater efficiencies, cost savings, customer loyalty, and engagement of new segments.
Now eight years later, more than ever, the customer experience is considered a top priority and often used as a benchmark of success. The difference? Today’s customers are savvier, have higher expectations, and thrive on digital experiences to effortlessly manage all of their daily tasks. To achieve the same impact that was felt in the digitization of 2010, financial institutions are challenged with adopting enhanced mobile and cloud-based solutions that redefine services and are often the competitive differentiator needed to survive.
Since mobile devices have become the widely accepted way to bank, trade, and pay bills, financial institutions must move swiftly to get their mobile application to market ahead of competitors, and without bugs or security vulnerabilities.
Security Problems in Fast and Slow Development
For everyone in the financial sector there is the constant challenge of balancing a risk-averse industry against the cutting-edge digital transformation that consumers expect. With traditional barriers and boundaries disappearing, sluggish development of new applications raises the risk of shadow IT. From a security perspective this can feel daunting: if IT moves too slowly, shadow applications threaten security, and if development moves too fast, application misconfigurations can lead to breaches.
To maintain the balance, IT should consider adopting next-generation architectures, using cloud-native platforms, and developing more agile processes across both IT and the business.
Stay Safe from the Cloud and the Mobile Application
Mobile applications collect, store, and transmit data that earlier channels such as web applications never did; for example, a photo of a check taken for mobile deposit includes the account number printed on the check. Although the cloud is often the logical place to build modern applications that can move faster to accommodate these changes and to store the data they collect, the risks often aren't fully considered.
In development, whether porting existing code, integrating new code, or using third-party or open source components, security must be the first consideration. How will data be encrypted at rest and in transit? For sensitive financial data in particular, how will it be fully protected and meet the requirements of standards and regulations such as PCI DSS?
To secure the application in the cloud, mobile application developers should take a layered approach that includes both device-level and cloud-level controls:
Multi-Factor Authentication (MFA) - Mobile devices are often used without a passcode, so possession of the device cannot be treated as proof of identity. Risk-based MFA performs a dynamic risk assessment at each login, detects high-risk logins (new device, new country, unusual time) and triggers an additional authentication factor only when necessary. Note that SMS and app-generated one-time passcodes can themselves be relayed by a man-in-the-middle or real-time phishing proxy; phishing-resistant factors such as FIDO2/WebAuthn, which bind the credential to the legitimate origin, are what actually defeat that attack.
Encryption and/or Tokenization - Financial data is always highly sensitive, so plan how it stays protected even when application security controls fail: encrypt it with keys that are managed separately from the data store, or replace it with a token that has no value outside the tokenization vault, so that a leaked database, backup or log file yields nothing usable.
Penetration/Vulnerability Testing - 60% of developers lack confidence in their application security, but don't take steps to fix it. Admitting the shortcoming is a start, but it highlights the need for continuous testing as part of QA and for identifying problems in third-party dependencies.
Agile development models also bring greater security risk, which calls for integrated security testing, including negative tests of error and exception paths, to minimize and mitigate potential weaknesses and breaches. DevOps should build test automation into the pipeline and supplement it with focused manual testing and re-testing.
Minimize Data Input - Freeform input fields in an application are an attack vector. Instead of letting a customer type information, offer a fixed set of "standard" selections wherever possible, which shrinks the validation surface. This simplification reduces security exposure and also improves the user experience. Any remaining freeform input must still be validated on the server against an allowlist, because checks performed inside the app can be bypassed by anyone who talks to the API directly.
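As an added example (not code from the original article or from Edgeworx), the following Python shows the server-side validation of a bill-pay request built on the principle above: the funding account and payee are selected from allowlists and matched exactly by opaque id, the amount is parsed strictly as a Decimal, and only the memo is freeform, constrained to a short allowlisted character set. The field names, account and payee ids, and the limits are assumptions for illustration.

```python
"""Server-side validation of a bill-pay request: allowlisted selections
instead of freeform text, strict amount parsing, and a bounded memo.
Added example; not code from the original article."""
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed allowlists (hypothetical ids). In a real system these come
# from the customer's enrolled payees and own accounts, looked up by id.
ENROLLED_PAYEES = {
    "payee_001": "Metro Electric",
    "payee_002": "City Water",
}
FUNDING_ACCOUNTS = {"acct_chk_1", "acct_sav_1"}

MAX_AMOUNT = Decimal("10000.00")          # assumed per-transaction limit
AMOUNT_RE = re.compile(r"\d{1,7}(\.\d{2})?")   # 123 or 123.45, nothing else
# Memo: short, printable ASCII, no control characters or markup delimiters.
MEMO_RE = re.compile(r"[A-Za-z0-9 .,#-]{0,40}")
ALLOWED_FIELDS = {"from_account", "payee_id", "amount", "memo"}


@dataclass(frozen=True)
class BillPayment:
    from_account: str
    payee_id: str
    amount: Decimal
    memo: str


class ValidationError(ValueError):
    pass


def parse_amount(raw) -> Decimal:
    """Parse a currency amount strictly: digits with at most two decimals,
    positive, within limits. Decimal avoids float rounding and rejects
    the scientific notation and infinities that float() would accept."""
    if not isinstance(raw, str) or not AMOUNT_RE.fullmatch(raw):
        raise ValidationError("amount must look like 123 or 123.45")
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise ValidationError("amount is not a number")
    if amount <= 0 or amount > MAX_AMOUNT:
        raise ValidationError("amount out of range")
    return amount


def validate_bill_payment(req: dict) -> BillPayment:
    """Validate the JSON body of a bill-pay request. Selections are checked
    against allowlists by exact match; only the memo is freeform."""
    unexpected = set(req) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    from_account = req.get("from_account")
    if from_account not in FUNDING_ACCOUNTS:
        raise ValidationError("unknown funding account")
    payee_id = req.get("payee_id")
    if payee_id not in ENROLLED_PAYEES:
        raise ValidationError("payee is not enrolled")
    amount = parse_amount(req.get("amount", ""))
    memo = req.get("memo", "")
    if not isinstance(memo, str) or not MEMO_RE.fullmatch(memo):
        raise ValidationError("memo too long or contains disallowed characters")
    return BillPayment(from_account, payee_id, amount, memo)


def is_valid(req: dict) -> bool:
    """Convenience wrapper: True if the request passes every check."""
    try:
        validate_bill_payment(req)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    good = {"from_account": "acct_chk_1", "payee_id": "payee_001",
            "amount": "125.50", "memo": "March bill #4421"}
    print(validate_bill_payment(good))
    for bad in (
        {**good, "payee_id": "payee_001 OR 1=1"},    # freeform where a selection is required
        {**good, "amount": "1e3"},                     # float() would accept this
        {**good, "amount": "-5.00"},
        {**good, "memo": "<script>alert(1)</script>"},
        {**good, "to_account": "attacker"},            # field the API never defined
    ):
        print(is_valid(bad), bad)
```

Rejecting unexpected fields matters as much as checking the expected ones: a mass-assignment bug, where an extra field typed by the client is silently bound to a model, is exactly the kind of freeform input the principle above is meant to close off.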
Minimize Permissions - The camera is needed to capture a photo of the check being deposited, but the application does not need persistent access to it; request the permission at the moment of use and nothing more. Applications should be designed on the zero-trust model, which treats no user, device or network as trusted by default, so only the minimum set of permissions should be requested.
End-to-End Visibility - Consider Visibility-as-a-Service (VaaS) to provide an end-to-end view from the device to the application. Many legacy financial applications depend on outdated technologies and databases that lack modern security controls, so it is important to conduct architecture reviews and simplification, but also to improve visibility. Real-time visibility measurably reduces risk because data can be tracked from the device to the cloud and checked for proper handling. When user behavior is anomalous or a security concern such as data exfiltration arises, visibility combined with per-user baselining and analytics provides actionable intelligence, with the side benefit of insight into market and customer trends.
Financial institutions should also decide how operations and support teams will access application insights, whether they will be able to drill down on a per-user basis, and whether monitoring should be architected into the application from the start for ongoing support.
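As an added example (not code from the original article or from Edgeworx), the Python below builds a per-user baseline from a constructed telemetry sample and uses that single baseline for two of the controls above: the risk-based step-up decision described under Multi-Factor Authentication, and the behavior-anomaly flagging and per-user drill-down described under End-to-End Visibility. The event format, the scoring weights, the anomaly rule and the step-up threshold are assumptions chosen for illustration, not a published policy.

```python
"""Per-user baselining for risk-based step-up authentication and for
transaction anomaly flagging. Added example; not from the original article."""
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: a handful of past login and transfer events in the
# shape they might arrive from the mobile app telemetry pipeline (assumed format).
HISTORY = """
{"user":"u1","type":"login","device":"d-aaa","country":"CA","ts":"2018-05-01T09:12:00"}
{"user":"u1","type":"login","device":"d-aaa","country":"CA","ts":"2018-05-03T18:40:00"}
{"user":"u1","type":"login","device":"d-bbb","country":"CA","ts":"2018-05-06T08:05:00"}
{"user":"u1","type":"transfer","device":"d-aaa","country":"CA","amount":120.00,"ts":"2018-05-01T09:15:00"}
{"user":"u1","type":"transfer","device":"d-aaa","country":"CA","amount":80.00,"ts":"2018-05-03T18:45:00"}
{"user":"u1","type":"transfer","device":"d-bbb","country":"CA","amount":150.00,"ts":"2018-05-06T08:10:00"}
{"user":"u1","type":"transfer","device":"d-aaa","country":"CA","amount":95.00,"ts":"2018-05-08T12:00:00"}
{"user":"u2","type":"login","device":"d-ccc","country":"US","ts":"2018-05-02T13:00:00"}
{"user":"u2","type":"transfer","device":"d-ccc","country":"US","amount":2500.00,"ts":"2018-05-02T13:05:00"}
"""

STEP_UP_THRESHOLD = 50   # hypothetical policy: this score or higher requires a second factor


def load_events(text):
    """Parse newline-delimited JSON events."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baselines(events):
    """Aggregate per-user history: known devices and countries, login hours,
    and the list of past transfer amounts."""
    base = defaultdict(lambda: {"devices": set(), "countries": set(),
                                "hours": set(), "amounts": []})
    for e in events:
        b = base[e["user"]]
        b["devices"].add(e["device"])
        b["countries"].add(e["country"])
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["type"] == "login":
            b["hours"].add(hour)
        elif e["type"] == "transfer":
            b["amounts"].append(float(e["amount"]))
    return base


def score_login(baseline, event):
    """Risk score for a login attempt plus the reasons behind it.
    Weights are illustrative; tune them against real false-positive rates."""
    if baseline is None:
        return 100, ["no history for user"]
    score, reasons = 0, []
    if event["device"] not in baseline["devices"]:
        score += 40
        reasons.append("new device")
    if event["country"] not in baseline["countries"]:
        score += 40
        reasons.append("new country")
    hour = datetime.fromisoformat(event["ts"]).hour
    if baseline["hours"] and min(abs(hour - h) for h in baseline["hours"]) > 3:
        score += 15
        reasons.append("unusual hour")
    return score, reasons


def requires_step_up(baselines, event):
    """Decision the login flow consumes: (step_up?, score, reasons)."""
    score, reasons = score_login(baselines.get(event["user"]), event)
    return score >= STEP_UP_THRESHOLD, score, reasons


def flag_transfer(baseline, event):
    """Reasons to hold a transfer for review: amount far outside the user's
    history (z-score above 3, or above 3x the largest prior transfer so a
    single-sample history with zero spread still has a rule), or a device
    the user has never used. Empty list means nothing unusual."""
    if baseline is None or not baseline["amounts"]:
        return ["no transfer history"]
    amounts = baseline["amounts"]
    amt = float(event["amount"])
    mu, sigma = mean(amounts), pstdev(amounts)
    reasons = []
    if (sigma > 0 and (amt - mu) / sigma > 3) or amt > 3 * max(amounts):
        reasons.append(f"amount {amt:.2f} vs typical {mu:.2f}")
    if event["device"] not in baseline["devices"]:
        reasons.append("unknown device")
    return reasons


def drilldown(baselines, user):
    """Per-user summary for operations and support staff."""
    b = baselines.get(user)
    if b is None:
        return None
    return {"devices": sorted(b["devices"]), "countries": sorted(b["countries"]),
            "transfers": len(b["amounts"]),
            "typical_amount": round(mean(b["amounts"]), 2) if b["amounts"] else None}


if __name__ == "__main__":
    baselines = build_baselines(load_events(HISTORY))
    print(requires_step_up(baselines, {"user": "u1", "device": "d-zzz", "country": "RO",
                                       "ts": "2018-05-09T03:00:00"}))
    print(flag_transfer(baselines["u1"], {"user": "u1", "device": "d-zzz", "amount": 4000.00}))
    print(drilldown(baselines, "u1"))
```

The point of sharing one baseline is operational: the same per-user history that decides whether a login needs a second factor also explains why a transfer was held, and the drill-down gives support staff the same view the engine used, which is the per-user access the paragraph above asks institutions to plan for.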
Given the complexity of mobile applications and cloud, adding layers of protection while remaining user friendly can be challenging. At Edgeworx, we work in step with our customers to ensure their technology is safe and a means of creating an agile business. To learn more, read about our security services or contact us at +1.647.793.4731.