This is an issue that has worried us for a while. For over 7 years we've been working in the Mobile Financial Services space, and throughout that period we have heard time and time again, in our interactions with Banks, Payment experts and others, that Fraud is their Number One concern. Why is that? What is their expectation of Fraud, Loss or even Liability? Do they worry more about criminals getting into their networks, or about smart customers managing to get goods or services for free?
Maybe I'm a cynic, but isn't this latter point passing the buck? The Customer is apparently under suspicion as a potential fraudster from the moment he opens a bank account? Hardly a good way to begin a relationship.
This is compounded by what the ordinary customer perceives as the risk and the reason for security: to her it's not fraud per se, it's the full spectrum of information held, managed and shared by the Bank that concerns her.
One conclusion from The Clearing House's excellent research jumped out at me immediately: nearly nine in ten consumers (89%) said they are concerned about data privacy and data sharing, and more than two-thirds (67%) are very or extremely concerned.
Bank Customers are concerned about their Personal Data, so
why do the Banks not appear to give a damn?
In the research our Security Lab conducted with UL Labs last year, we found that Mobile Security was pretty poor globally: 95% of Mobile Banking apps tested came nowhere near the standards required of, for example, Mobile Payments Apps. Our ongoing research and testing of Banking Apps hasn't changed this view.
The main weaknesses are in the protection of Customers' Personally Identifiable Information. Secondary to this are the bank's own APIs, which are pretty visible too.
Of course, to be fair to the Banks, their other worry about Fraud is mass attacks on Apps to gain large amounts of cash - but those are rare and very difficult to actually deliver, especially where Tokenised Payments are correctly applied.
The same cannot be said of Malware on a mobile device
sniffing Personally Identifiable Data when on-boarding to a Digital Bank. That
is pretty easy.
Our research shows that Personally Identifiable Information can often be seen with simple analysis: it is visible at Input, it's Stored, and it's Passed-through to a server-side back-end. Corroborating information can also be seen in the clear: Photos of Driving Licences or Passports used for KYC, Fingerprint Data from the scanner sent to the Operating System, and the crypto used for facial or voice biometrics can all be accessed.
If we can see these, so can the attackers, and they will not simply write a blog; they will build mass-attack Malware to exploit this data. The Financial Services Company may never know where the data leak came from: this data can be gathered and lie fallow for months before being sold on by the bad guys once a critical mass has been assembled.
Lawyers and Risk Analysts in the bank will fall back on their Ts&Cs. They will tell you that you should use Malware Detection tools on your phone (which don't work), or that you can't run their app on a Rooted Phone (whose phone is it anyway?), or that you should have read the Ts&Cs thoroughly. These are (as we say in the UK) a cop-out, and I hope they won't be accepted as an excuse when regulators' fines are considered.
Mobile Financial Apps are among the most powerful tools the Banks have; there is a reason that they advertise them constantly. It will be interesting to see the first GDPR case brought against a Mobile Banking App provider (established or challenger) or, worse still, a US lawsuit for Identity Theft traceable to a mobile app...
It's just a matter of time.
The original article was published on Fin Extra.