How To Prevent Cyber Security Threats On Mobile Banking App

By Maryna Cherednychenko

The University of Maryland reports that hackers attack mobile apps every 39 seconds, or 2244 times a day on average. According to an Accenture report, the banking industry lost $18.3 million to cyber attacks on banks in 2018. Despite this, financial apps are selling like hotcakes: people like to manage their money on the go, and they want to do it without risk. If you are going to launch a fintech app, you need to make it safe. This post names the weakest points of software development and shares our experience in building a secure fintech app.

Where Does Danger Come From?

  • Device
  • Transit
  • Server

At the device level, attackers gain access to sensitive records on the phone, tablet, or other device. Most often, they do it through a poorly coded app. Take Nissan Connect, for example. No offense, but their app requests android.permission.GET_ACCOUNTS and sends data over plain HTTP. That means the app can collect information about other accounts on the device, such as Gmail and Twitter, and because the data travels over HTTP, any server or intermediary on the network path can read and store the traffic.

At the transit level, attackers strike while data is in transfer. Most apps interact with many other services; for example, a fintech app contacts the bank server to update a card balance or make a money transfer. If this data travels over an unprotected protocol, unencrypted or poorly encrypted, stealing it takes almost nothing.

At the server level, unauthorized users reach data in the cloud or on the app server, typically through backend APIs with security flaws. It is also easy to break into the system if admins leave the default passwords on the CMS or choose weak ones. In this way, hackers can copy, modify, and replace data directly in the bank's database.

Figure: Three levels of cybersecurity issues

What Are Cybersecurity Threats?

A trojan is malicious code that runs inside an app and steals sensitive data. In 2015, Lookout spotted Bancmarstealer, an Android trojan that infected nearly 600 financial institutions around the world; two years later, it appeared again. The trojan poses as a legitimate banking app and steals the user's credentials with the help of Android system features.

Deep attacks change the way the application works. WhatsApp recently suffered this kind of intervention. Imagine that hackers got the chance to edit the code of an app with a user base of 175 million: it means they could reach the camera, microphone, location, photos, and other private data on users' devices.

Keyloggers and screenloggers, unlike code attacks, do not penetrate the app. Instead, they sit on the device and watch everything that happens around them; as soon as the user launches a banking app, they start recording data.

Accessibility framework attacks go through weak points in the operating system. The purpose of such a bank cyber attack is to impersonate the real user: the attacker tricks the device into changing the phone setup, for example by disabling the security settings.

Overlay attacks put a so-called layer over a valid app. This layer alters what the application shows and tricks the user into editing the settings. As a result, the device is left unprotected, and malicious software gains access to personal data.

Figure: Cybersecurity threats

How To Build Advanced Mobile Security?

Secure Infrastructure

In addition to a reliable cloud, your infrastructure should contain the following:

  • Immediate OS updates. You can use Microsoft's Software Update Service or Red Hat's up2date tool so that you don't miss an important update.
  • A separate drive for web files. This protects system files and complicates access to passwords. The data separation prevents specific attacks, such as Cross-Site Scripting (XSS) and data injection.
  • An HTTPS (SSL/TLS) certificate for secure data transfer. Today it is the primary layer of protection; browsers warn users if the app does not support SSL.

Thought-Out App Logic

  • Store only essential data. For example, a token for the billing method is enough to make a payment; there is no need to keep the card number.
  • Assign roles and permissions. Define features that won't be accessible to all users. For that, use RBAC or ACL models.
  • Deny simple passwords. Force users to use letters in both cases and numbers. Accept no fewer than eight characters and insist on changing passwords once every 2–3 months.
  • Set up multi-factor authentication. You can ask the user to verify a transaction by entering a code sent via SMS or generated by a hardware token.
  • Log transactions. If you detect a suspicious one, block it and alert the user.
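The password rule, the RBAC model, and the "log and block suspicious transactions" rule from the list above, as an added example in Python (not code from the original post or from Softensy). The roles, features, amount limit, and per-hour velocity threshold are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Password policy from the list: at least eight characters, letters in both
# cases, and at least one digit.
MIN_PASSWORD_LENGTH = 8


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


# Role-based access control: each role maps to the set of features it may use
# (constructed roles and features).
ROLE_PERMISSIONS = {
    "customer": {"view_balance", "transfer"},
    "support": {"view_balance"},
    "admin": {"view_balance", "transfer", "freeze_account"},
}


def is_allowed(role: str, feature: str) -> bool:
    # Unknown roles and unknown features are denied by default.
    return feature in ROLE_PERMISSIONS.get(role, set())


@dataclass
class Transaction:
    account: str
    amount: float


class TransactionScreen:
    """Logs every transaction and blocks ones that break a simple amount or velocity rule."""

    WINDOW_SECONDS = 3600

    def __init__(self, max_amount: float = 5000.0, max_per_window: int = 5):
        self.max_amount = max_amount            # assumed single-transfer limit
        self.max_per_window = max_per_window    # assumed transfers allowed per hour
        self.recent = defaultdict(deque)        # account -> timestamps of allowed transfers
        self.log = []                           # every screened transaction, allowed or not

    def screen(self, tx: Transaction, now: float) -> bool:
        """Record the transaction; return True if it may proceed, False if it is blocked."""
        reasons = []
        if tx.amount > self.max_amount:
            reasons.append("amount over limit")
        history = self.recent[tx.account]
        # Drop transfers that fell out of the rolling window.
        while history and now - history[0] > self.WINDOW_SECONDS:
            history.popleft()
        if len(history) >= self.max_per_window:
            reasons.append("too many transfers in the last hour")
        blocked = bool(reasons)
        self.log.append({"account": tx.account, "amount": tx.amount,
                         "time": now, "blocked": blocked, "reasons": reasons})
        if not blocked:
            history.append(now)
        return not blocked
```

A blocked entry in `screen.log` is what you would hand to the alerting path that notifies the user.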

Safe Code

Here are a few more tips to keep your code safe:

  • validate input values
  • review any information that you send to external sources
  • be careful when granting rights to third-party applications
  • defend against SQL injection
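The first and last tips above, input validation and SQL injection defence, as an added example in Python with the standard-library sqlite3 module (not code from the original post or from Softensy). The table, the account-id format, and the sample rows are constructed; the vulnerable function is kept only to show why string-built queries fail beside the parameterized form.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("ACC-1001", "alice", 1200.0),
        ("ACC-1002", "bob", 80.5),
    ])
    return conn


def balance_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    # The user-controlled value is pasted straight into the SQL text, so the
    # WHERE clause can be rewritten by the input.
    rows = conn.execute(
        f"SELECT balance FROM accounts WHERE id = '{account_id}'").fetchall()
    return [r[0] for r in rows]


def balance_safe(conn: sqlite3.Connection, account_id: str) -> list:
    # A bound parameter is always treated as data, never as SQL.
    rows = conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchall()
    return [r[0] for r in rows]


# Assumed account-id format: "ACC-" followed by exactly four digits.
ACCOUNT_ID = re.compile(r"ACC-\d{4}")


def validate_account_id(value: str) -> str:
    """Reject anything that is not a well-formed account id before it reaches the database."""
    if not isinstance(value, str) or not ACCOUNT_ID.fullmatch(value):
        raise ValueError("invalid account id")
    return value


def get_balance(conn: sqlite3.Connection, account_id: str) -> list:
    """Validation first, then a parameterized query: both layers together."""
    return balance_safe(conn, validate_account_id(account_id))
```

Input validation and parameterization are complementary: the allow-list rejects malformed ids early with a clear error, and the bound parameter protects every query regardless of what the validation missed.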

Smooth Workflow

  • follow the standards of ISO 27001 certification
  • establish security policies and guidelines in your company
  • back up important data
  • define the duties and area of responsibility of each employee
  • simulate worst-case situations and rehearse how you will handle them
  • sign non-disclosure agreements with staff members

Figure: Nine steps to advanced mobile security

In-Depth Testing

At Softensy, we follow the guidelines of the Open Web Application Security Project (OWASP). They recommend testing the following aspects to cover all the gaps in bank cybersecurity:

  • app configuration
  • security policy
  • authentication
  • authorization
  • session management
  • user input
  • error processing
  • cryptography
  • business logic
  • user-side vulnerability

Protected API

  • Identification occurs when the user presents identifying data, such as a login or username.
  • Authentication occurs when the user proves that identity, for example by scanning a fingerprint. To strengthen it, you can use two-factor authentication.
  • Authorization takes place when the system lets the authenticated user in and decides what they may do. Remember to define the app zones each user can access.

You need to take care of each of them, but you may also delegate these duties to specialized services, like Auth0.
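The three steps above, identification, authentication with a second factor, and authorization into app zones, as an added example in Python using only the standard library (not code from the original post, from Softensy, or from Auth0). The password hashing parameters, the user store, and the zone table are assumptions; the TOTP routine follows RFC 6238, so the test can check it against that RFC's published vector.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000  # assumed work factor
TOTP_STEP = 30               # seconds per TOTP counter
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int) -> str:
    """Time-based one-time password (RFC 6238, HMAC-SHA1, 6 digits)."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept one step of clock drift on either side, comparing in constant time.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code):
            return True
    return False


# Constructed zone table: which roles may enter which part of the app.
ZONES = {
    "balance": {"customer", "admin"},
    "transfers": {"customer", "admin"},
    "admin_panel": {"admin"},
}


def register(users: dict, username: str, password: str, totp_secret: bytes, role: str) -> None:
    """Store a salted password hash and the user's second-factor secret (never the password)."""
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "totp_secret": totp_secret, "role": role}


def login(users: dict, username: str, password: str, code: str, now: int):
    """Identification, then two authentication factors; returns a session or None."""
    user = users.get(username)                       # identification
    if user is None:
        return None                                  # same answer as a bad password
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return None                                  # first factor failed
    if not verify_totp(user["totp_secret"], code, now):
        return None                                  # second factor failed
    return {"username": username, "role": user["role"]}


def can_access(session, zone: str) -> bool:
    """Authorization: an authenticated session may only enter zones open to its role."""
    return session is not None and session["role"] in ZONES.get(zone, set())
```

Returning the same `None` for an unknown user and a wrong password keeps the identification step from leaking which usernames exist; a production service would also rate-limit the login endpoint and store the hashing parameters alongside the hash so they can be raised later.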

Data Encryption

The US government regularly updates the recommended algorithms and their parameters, such as key length and encryption mode. One of the simplest, fastest, and easiest-to-implement shared-key algorithms is AES; for public-key cryptography, ECC may be your choice.

According to US regulations, you should encrypt the following data:

  • Personal information (name, date of birth, address, social security number)
  • Transaction data (account ID, shopping history, credit card payments)
  • Financial data (reports, bills, payslips)
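Field-level AES encryption of the personal data listed above, as an added example in Python (not code from the original post or from Softensy). It assumes the `cryptography` package is installed and uses AES-256 in GCM mode, an authenticated mode, so tampering or decrypting a value under the wrong field name is detected rather than silently yielding garbage; the field list and sample record are constructed.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for GCM

# Assumed set of fields that must be encrypted at rest.
SENSITIVE_FIELDS = {"name", "date_of_birth", "address", "ssn"}


def new_key() -> bytes:
    """Fresh 256-bit AES key; in production it comes from a key management service."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_field(key: bytes, field_name: str, value: str) -> bytes:
    """Encrypt one value; the field name is bound as associated data so a
    ciphertext cannot be moved to a different column without detection."""
    nonce = os.urandom(NONCE_LEN)  # never reuse a nonce with the same key
    ciphertext = AESGCM(key).encrypt(nonce, value.encode(), field_name.encode())
    return nonce + ciphertext


def decrypt_field(key: bytes, field_name: str, blob: bytes):
    """Return the plaintext, or None if the tag check fails (tampering or wrong context)."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, field_name.encode()).decode()
    except InvalidTag:
        return None


def protect_record(key: bytes, record: dict) -> dict:
    """Encrypt only the sensitive fields; other columns stay queryable in clear."""
    return {k: (encrypt_field(key, k, v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def unprotect_record(key: bytes, record: dict) -> dict:
    return {k: (decrypt_field(key, k, v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}
```

Because each call draws a fresh random nonce, two customers with the same name produce different ciphertexts, so the encrypted column leaks no equality information; the trade-off is that you cannot search on it directly.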

Payment Rejection

Educated Clients

  • Download apps only from official stores, where they are checked before being put on the "shelves."
  • Do not save the password on the device you log in from.
  • Avoid running the application on public Wi-Fi.
  • Do not use jailbroken phones.
  • Install an antivirus.

Adhering To Security In Financial Services

This article was originally published at Softensy.

Softensy specializes in fintech development and enterprise-level apps. Our team helps companies automate business processes by developing software solutions.