This post is from the Arxan blog and has not been updated since the original publish date.
A Wake-up Call to the Financial Services Industry and Legislators: It’s Time to Regulate Mobile Apps
The time for resting on laurels is over. Financial services industry leaders and legislators need to wake up to the massive attack surface in the mobile applications that consumers nationwide use for banking, payments and more. The FDIC has requirements covering the security of the bank itself and the identification and mitigation of risk to depositors. Why should mobile banking be any different? To protect consumers, the industry needs comparable regulations covering application security, secure communications between financial apps and the systems they connect to, secure development processes, and clear accountability within the financial institution for the security of those applications.
In “Software Security is National Security,” a report calling to institutionalize security, the Institute for Critical Infrastructure Technology writes, “Critical infrastructure sectors are shaped by regulation and oversight, such as HIPAA, FISMA, FERPA, Sarbanes-Oxley, and numerous other important policies, procedures, guidelines, legislation, and rules. The software development sector remains relatively unregulated, however, despite its impact on every critical infrastructure, every organization, and nearly every aspect of daily life.”
Shocking new research shows that despite guidance from the FFIEC (Federal Financial Institutions Examination Council), financial services mobile apps lack the security and rigor needed to protect consumer data, putting consumers at risk of data theft and financial fraud. The cybersecurity industry can help drive this regulation, but the governing bodies need to include more specific guidelines on how apps should be secured, and real consequences that impose a significant cost on organizations that do not comply.
According to the American Bankers Association, 85 percent of Americans rate their banks’ security and fraud prevention measures as excellent, very good, or good. Regulatory guidance would suggest that consumers are justified in that confidence, given that rigorous security penetration testing is required annually. However, an analysis of mobile financial applications by Aite Group, commissioned by Arxan, tells a very different story: a systemic lack of security in financial mobile apps published by widely recognized banks, insurance companies, and mobile payment companies that should concern all of us. In this study, 97% of the mobile financial services applications tested could be compromised in an average of 8.5 minutes, exposing personal information, login credentials, API endpoints, private encryption keys and more. We need legislative action to ensure that consumers are protected in the digital age and that the financial institutions responsible for protecting people’s most valuable asset, their money, are held to this fiduciary duty.
Critical mobile app vulnerabilities and their impact
Regarding their analysis of financial services apps, Aite Group senior analyst Alissa Knight reports, “The quantity and severity of the vulnerabilities discovered across the mobile apps clearly identify a systemic problem: a widespread absence of application security controls and secure coding, such as technology that implements application shielding, detection, and response capabilities.”
Some of the top vulnerabilities found in the financial apps tested include:
- The lack of adequate application security technology, which lets apps be reverse-engineered in minutes and in turn lets an attacker discover host vulnerabilities, keys, and other secrets.
- An alarming amount of sensitive data about API servers, including endpoint locations and encryption keys, embedded within the apps, placing backend systems and data at significant risk.
- Rampant insecure coding, providing a clear roadmap of the app’s structure and logic.
- Inadequate protection of sensitive data, exposing it to surveillance and exfiltration.
- No capability to detect reverse engineering, a capability that would let organizations mitigate attacks before they become widespread.
The lack of basic secure coding practices and app security protections poses a direct threat to customers as well as the financial institutions. Financial losses can result from account takeovers, credit application fraud, synthetic identity fraud, identity theft, and more. The more substantial risk, at least for the financial institution, is the loss of customer trust. Financial institutions operate in a commoditized industry that competes on customer experience and loyalty. Institutions that violate that loyalty will be impacted in the long term.
The process of regulating mobile apps
Americans can’t afford to wait for an attack on their financial data before demanding that financial services institutions change their application security practices. The risk is too high to “wait and see.” But we need more than broad regulatory requirements. As states like California consider more consumer and data privacy laws to protect consumers from unintended use of their data, they need to get more granular about how data must be protected.
For example, PCI compliance standards allow checkbox solutions like a web application firewall (WAF) to satisfy a requirement for “application security,” but a WAF inspects traffic at the server edge and does nothing for a client app that has already been reverse-engineered or tampered with on the device, so it won’t actually protect consumers against today’s application-level threats. We call on regulators to not just adopt enforceable policies, but to actually dive into the technology with these regulations so that they have a meaningful impact on consumer safety. The most desirable result would be a requirement for financial services apps to undergo an independent security audit, to include app-level security controls, and to have a designated C-level executive responsible for overseeing and implementing secure app development practices within the organization.
Application security controls for mobile financial apps should be dictated by a standard developed by the cybersecurity industry. We have seen in the past what happens when legislators who are not experts in a specific industry write its laws and regulations. While well-intentioned, the results typically have glaring holes and fail to achieve what they set out to do. The cybersecurity industry is in the best position to develop a standard that achieves the goal of protecting consumers and financial services institutions. Beyond that, whatever standard is established should be actively managed so that it evolves alongside the cyberthreat landscape.
How to protect apps
We understand that passing regulations takes time. In the meantime, financial services institutions need to move forward on their own, educating themselves on mobile app security and adopting best practices. Valid guidance exists but is overly broad in its recommendations. Institutions should re-examine their security posture for mobile applications with an eye toward identifying and mitigating real risks rather than simply complying with regulation. An approach that combines security and privacy can significantly reduce the risk to both the institution and consumers. For example, properly implemented authentication between the app and the server, rather than trusting any client that presents the right credentials, helps ensure that the code running in a browser or on a mobile device is a genuine, untampered instance of the app and is entitled to access sensitive data in the data center.
In terms of the app itself, developers should use code obfuscation and app hardening techniques to make the shipped binary more difficult to decompile and reverse engineer. If an attacker still manages to tamper with or modify the code, runtime integrity sensors built into the app can alert the institution to the activity so that it can react appropriately, for example by revoking the session or blocking the affected build. Data stored within the app, used by it, and exchanged between the app and the data center must be protected with encryption and proper key management, which in particular means not shipping long-term secrets inside the app package.
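To make the app-to-server authentication and tamper-detection points above concrete, here is an added example written for this page in Python; it is not Arxan’s product code or any institution’s implementation. It assumes a hypothetical enrollment step that gives each install its own secret, kept in the platform keystore rather than in the binary, and a server-side allowlist of known-good code hashes; the names Server, App, run_exchange and demo, and the sample app bytes, are constructed for the illustration. The server accepts a response only if the nonce is fresh, the MAC verifies under that install’s key, and the reported code hash is on the allowlist, so a repackaged build, a script that never had the keystore key, and a replayed response are each rejected for a distinct reason.

```python
"""Challenge-response attestation between a mobile app and its API server.

Added illustrative example, not code from Arxan or any financial institution.
Hypothetical assumptions: each app install is enrolled once and receives a
per-install secret that the app stores in the platform keystore; the server
keeps install_id -> secret and an allowlist of known-good code hashes.
"""
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the shipped app bundle: the bytes an attacker can read
# and modify. A repackaged build differs from it, so its hash differs too.
GENUINE_CODE = b"mobile-banking-app-v4.2.0: login(); balance(); transfer();"
TAMPERED_CODE = GENUINE_CODE.replace(b"login();", b"login(); exfil_creds();")


def code_hash(code: bytes) -> str:
    """Measurement of the app bundle that the server compares to its allowlist."""
    return hashlib.sha256(code).hexdigest()


def mac(key: bytes, install_id: str, nonce: str, claimed_hash: str) -> str:
    """HMAC binding the install, the server's nonce and the reported code hash."""
    msg = f"{install_id}|{nonce}|{claimed_hash}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.install_secrets = {}                  # install_id -> per-install key
        self.allowed_hashes = {code_hash(GENUINE_CODE)}
        self.pending = {}                          # nonce -> (install_id, issued_at)

    def enroll(self, install_id: str) -> bytes:
        """One-time provisioning (hypothetical); the app keeps this key in the keystore."""
        key = secrets.token_bytes(32)
        self.install_secrets[install_id] = key
        return key

    def challenge(self, install_id: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (install_id, time.monotonic())
        return nonce

    def verify(self, install_id, nonce, claimed_hash, tag, max_age=30.0):
        """Returns (accepted, reason). Each nonce is consumed on first use."""
        entry = self.pending.pop(nonce, None)
        if entry is None or entry[0] != install_id:
            return False, "unknown or reused nonce"
        if time.monotonic() - entry[1] > max_age:
            return False, "challenge expired"
        key = self.install_secrets.get(install_id)
        if key is None:
            return False, "unknown install"
        if not hmac.compare_digest(mac(key, install_id, nonce, claimed_hash), tag):
            return False, "bad MAC"
        if claimed_hash not in self.allowed_hashes:
            return False, "code hash not on allowlist"
        return True, "ok"


class App:
    def __init__(self, install_id: str, key: bytes, code: bytes):
        self.install_id = install_id
        self.key = key      # assumed to live in the OS keystore, not in the binary
        self.code = code

    def respond(self, nonce: str):
        h = code_hash(self.code)
        return self.install_id, nonce, h, mac(self.key, self.install_id, nonce, h)


def run_exchange(server: Server, app: App):
    nonce = server.challenge(app.install_id)
    return server.verify(*app.respond(nonce))


def demo():
    """Four clients against one server; returns each outcome keyed by scenario."""
    server = Server()
    key = server.enroll("install-A")
    genuine = App("install-A", key, GENUINE_CODE)
    tampered = App("install-A", key, TAMPERED_CODE)           # repackaged build, same keystore key
    no_key = App("install-A", b"guessed-key", GENUINE_CODE)   # script that never had the keystore key
    results = {
        "genuine": run_exchange(server, genuine),
        "tampered": run_exchange(server, tampered),
        "no_key": run_exchange(server, no_key),
    }
    captured = genuine.respond(server.challenge("install-A"))  # attacker records a valid response
    server.verify(*captured)                                   # original presentation is accepted
    results["replay"] = server.verify(*captured)               # second presentation is not
    return results


if __name__ == "__main__":
    for scenario, (accepted, reason) in demo().items():
        print(f"{scenario:>8}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Two caveats a practitioner should keep in mind. First, the allowlist check is only as good as the measurement: a repackaged app can be patched to report the genuine hash, which is why the measurement itself has to be protected by the hardening and runtime sensors described above, or replaced with a hardware-backed attestation from the platform. Second, note what this design deliberately avoids: a single app-wide secret compiled into the binary would be exactly the kind of embedded key the Aite study extracted, and recovering it once would let an attacker forge responses for every install.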
Financial services institutions are subject to laws and regulations designed to protect consumers. Those protections must be extended to mobile apps and to the security of those apps. Financial institutions should not be allowed to expose their customers to undue risk in the digital age. It’s time for legislators and the industry to wake up. All apps that touch a consumer’s financial profile should have security and privacy controls that protect consumer data as an industry standard.