How safe are your mobile banking apps?

March 22, 2012 11:50 am 0 comments

Not very, based on the findings of a 2011 study by digital forensics and security firm, via Forensics.

According to the study, 25% of the mobile banking apps tested didn’t provide adequate security: passwords, partial credit card details, payment history and transaction details were easily retrieved from the handset.

What’s more, another 31% of banking apps had less severe security issues with 44% offering adequate security.

Mobile banking apps actually fared well in comparison to social networking and retail apps – none of these passed the security test – and only 9% of productivity apps made the grade. However, it is clear that banking apps are nowhere near secure enough when you consider the potential fallout from having banking details compromised.

And when one considers the predictions that as consumers move more and more of their banking and shopping activities onto mobile devices, hackers and criminals are going to be increasingly targeting these devices. What’s more, they have years of experience in the PC world to draw on, so all indications are that mobile security issues are going to evolve far faster than they did in the PC world.

Surely banks and developers should have learnt these same lessons and be keeping ahead of criminals? Unfortunately several factors about the current mobile development landscape mean that security is left to the last minute, or not even considered at all, rather than being a priority from the get-go. These factors include a focus on speed to market and grabbing market share, outsourced development projects running over time and budget, and hiring software developers with little security experience.

Beefing up mobile security

As ever in the fragmented mobile market, it’s important to understand the various security capabilities of different mobile technologies and to offer transactional services accordingly:

USSD

USSD offers the least amount of security, with weak encryption capabilities to protect information sent over the mobile network and several inherent security issues with the technology itself. No matter how well a USSD service is implemented, it can never offer adequate levels of security so should be reserved for more basic services.

Mobile web

Despite including SSL (secure sockets layer) encryption, security on the mobile web is also problematic. For a start users  have to check that their browser trusts the site by looking for clues that differ from browser to browser. Also in many cases and especially on older phones, the certifying authority has already been hacked. So despite the browser indicating that a site is trusted, it is in fact unsecure.

HTML5

Unfortunately the introduction of HTML5 is going to do nothing to improve security on the mobile web. Simply put, the specifications haven’t considered security at all and new features, such as local storage, make security levels on the mobile web significantly worse than the status quo.

Applications

Mobile applications have the potential to offer the highest levels of security – but only if this is implemented properly. Too often apps are implemented without utilising security features, or are outsourced to software development teams with no security experience or knowledge. Then factor in variances across different operating systems and the fact that when under time or budget pressure, security becomes the last concern.

Two things need to happen to provide customers with an adequate level of security when it comes to banking applications, both to avoid disaster and also to ensure that customers have the same level of confidence in the bank, irrespective of the channel they are using.

Firstly inherent security flaws need to be mitigated as far as possible. So rather than rely on standard SSL security and certification authorities on web browsers, run a standard, validated security stack that you know hasn’t been compromised. Consider what data is being stored locally and don’t store or transmit passwords and other sensitive details as plain text.

Even if inherent risks have been mitigated, only offer services suited to the functionality, security capabilities and user experience of each channel. So, for example, USSD should only be used for non-critical transactions such as balance statements, while a well-implemented app can be trusted to handle more complicated payments and transactions.

Developing mobile services using a mobile enterprise application platform (MEAP) with a built-in, externally verified security stack is the best way to deliver the most suitable service for a mobile channel while still remaining conscious of the channel-specific security concerns.

By Wilter du Toit, CEO Virtual Mobile Technologies

pf button big How safe are your mobile banking apps?

Other News

  • Internet

    Online shopping on the rise

    Online shopping has increased significantly in SA and continues to show potential for growth, says MasterCard. According to the latest MasterCard worldwide online shopping survey; price, convenience, and security are key factors are influencing the purchasing decision. The survey revealed that the number of South Africans shopping online has steadily increased over the past two years, with 58% of respondents in a survey of active Internet users saying they use the Internet for shopping. This is an increase from 53% [...]

    Read more →
  • Mobile

    R2.3bn allocated through eBucks

    FNB eBucks partners have allocated more than R2.3 billion, the bulk of which was allocated by FNB, with members spending just over R 1.8 million to date. According to the bank, over the last year nearly half the total eBucks spent each month were redeemed on necessities such as fuel, airtime, groceries and over the counter medicines. “Over the past few years, we have brought more partners on board who add everyday value to our members and have noticed a [...]

    Read more →
  • Internet

    More data for FNB customers

    First National Bank (FNB) has announced that its own Internet Service Provider, FNB Connect, will be increasing the free monthly ADSL data which it awards to qualifying cheque account customers, from today. Qualifying FNB cheque account customers will now receive up to 5GB of ADSL data on a monthly basis, just for having the requisite FNB cheque account. The announcement follows the Independent Communications Authority of South Africa (ICASA) decreasing in the wholesale IP connect (IPC) costs to Internet Service [...]

    Read more →
  • Opinion

    Behind the contact centre buzz words

    A few years ago most consumers would refer to a call centre – a term which reflected the fact that the majority of brand interactions centred around voice calls.

    Today, thanks to the surge in digital communication across the world, most of us have instinctively switched to contact centre. From Facebook posts to Twitter, SMS, email and fax, the list of possible interaction channels between the brand and customer goes on and on. Contact centre really is the only relevant phrase to use.

    But this is just the beginning of the change. Deeper shifts are occurring within the communication sphere, and many of them are illuminated by our evolving understanding of common industry phrases such as inbound, outbound and, perhaps most importantly, the blended contact centre.

    Read more →
  • Mobile

    Vodacom cuts Africa roaming rates

    Vodacom has introduced roaming savings for customers travelling to 6 African countries where Vodacom and Vodafone operate. These countries include the Democratic Republic of Congo, Ghana, Kenya, Lesotho, Mozambique and Tanzania. The operator has introduced flat rates which have resulted in roaming data rates being reduced from R17.50/MB to only R5/MB. In addition, roaming customers will also get free incoming calls when they travel in these countries. Vodacom says it is leveraging its presence and that of its parent company [...]

    Read more →
  • Internet

    African internet makes steady progress

    Broadband connectivity will be one of the major spurs to the growth of African economies over the next decade, but there is still plenty of work to be done in building the telecommunications backbone, says SEACOM. According to at Baigrie, head of business development at SEACOM, connecting the continent to the global village is still a challenge. Speaking at the Africa Economic Forum, he says that broadband is to the 21st century what railways were to the last century – [...]

    Read more →
  • Mobile

    FNB eWallet hits 1 million mark

    FNB has announced that more than 1 million eWallets have been created – while over R1.6 billion has been paid into FNB eWallets since inception in 2009. FNB eWallet allows people to send money to anyone in South Africa with a valid cellphone number. The recipient is able to withdraw cash at FNB ATMs, buy pre-paid airtime or electricity, send money to another cellphone, purchase and/or get cash at selected retailers as well as make once off payments. “We have seen [...]

    Read more →
  • Mobile

    8ta extends data promotion

    8ta has announced that its Midnight Surfer data offering, will be extended by one hour. The data offer, which provides internet surfing at a discounted rate, will now be known as Night Surfer and be available from 11pm until 5am.   “We analysed our network load curves during the course of the day and have decided that we do have capacity at 23h00 to cater for increased network utilisation without compromising the user experience. This is a case of passing [...]

    Read more →
  • Internet

    Beware of phone scammers - Microsoft

    Microsoft has warned local consumers to be wary of a phone scam that has left some victims hundreds of rands out of pocket. Microsoft SA’s chief security advisor, Khomotso Kganyago, says scammers are using several well-known brands, including Microsoft, to fool people into believing that something is wrong with their computers. The scam typically involves a cold caller, claiming to be a representative of Microsoft, one of its brands or a third party contracted by Microsoft, who tells the victim [...]

    Read more →
  • Internet

    Oltio joins forces with PayU

    Oltio, has partnered with PayU to introduce mobile payment solution, payD, to the local market. PayD aims to remove obstacles to the mainstream adoption of e-commerce by transforming a user’s mobile phone into a remote point of sale (POS) device, using debit or credit cards for payments to be processed. “This is a significant partnership for us because PayU currently processes 65% of all online payments in South Africa for brands such as Kalahari.com and Netflorist, which is at the [...]

    Read more →
Feedback

SA IT NEWS Feedback

We appreciate any and all feedback about our site; praise, ideas, bug reports you name it!

AUGUST / SEPTEMBER ISSUE | Engage in our latest issue of Saitnews Magazine titled Woman in IT Download Now