Mobile authentication: Transforming today's mobile banking threats into tomorrow's opportunities

The complexity of threats in mobile banking is continually evolving – and fast. In our four-part ‘Securing the mobile banking channel’ blog series, we explore these threats, along with the trends and opportunities for banks within this essential digital channel.
In our first blog, we examined four best practice guidelines for securing the mobile banking channel. In this blog, we’re sharing how financial service providers (FSPs) that strike a balance between security and convenience in mobile banking can build loyalty and grow their customer base.
We also explore how institutions that aren’t leveling up their online security could open themselves — and their customers — up to the risk of mobile banking trojans, screen overlay attacks, and other dangerous malware.

Malware: The latest threats to online payments

The number of mobile banking users in the US is predicted to reach 217 million by 2025, and the number of mobile banking threats is scaling in parallel. According to a recent Kaspersky report, there are approximately 200,000 new mobile banking trojans — the highest ever reported over the previous six years.
These trojans are among the biggest threats to mobile banking security. Kaspersky shares that they hunt for digital payment and online banking data, and usually spread through (official and unofficial) app store downloads. They also emphasize that cybercriminals specifically target mobile users, are increasingly interested in stealing financial data, and are actively investing in the creation of new malware. This, of course, may lead to major losses for their targets.
Screen overlay attacks are another common method these hackers use to compromise mobile banking data, especially usernames, passwords, and account numbers. Using multiple transparent layers (that either cover a portion of the actual app or imitate or hijack it altogether), fraudsters trick users into interacting with hidden malware content.
Add attack vectors such as phishing, smishing, and keylogging, to name a few, and consumers’ data is at risk whenever they use mobile banking apps. This is why FSPs need to keep up to date with the latest technology and security standards to reduce digital banking fraud.

The evolution of banking security standards

In the US, the Federal Financial Institutions Examination Council (FFIEC) and National Institute of Standards and Technology (NIST) issued guidance for mobile financial services in 2016 and 2019, respectively. While the recommended measures included promoting more sophisticated authentication measures, improving app security during the software development cycle, and raising customer awareness, neither guidance has been updated since.
More recently, the adoption of compliance standards like EMV 3-D Secure payment authentication has been steadily growing, especially with newer versions of the standard (after 3D Secure version 1), which place greater emphasis on the security of mobile banking apps.
Learn more about 3D Secure and securing digital payments in our ebook: Beyond compliance with 3D Secure.
These compliance standards will continue to evolve to meet industry and consumer needs. But ensuring an up-to-date and compliant mobile experience also requires app design that is secure and intuitive.

Opportunities to improve poor mobile banking app design

If we consider that by 2024, the number of digital banking users will exceed 3.6 billion, and that 89% of Americans already use mobile banking channels, the opportunities presented by mobile banking are immense. However, the apps must be designed to be both secure and user-friendly.
Along with ensuring all compliance and security mandates are covered in the app design, developers should follow best practices in user experience (UX) and user interface (UI) design. These could include components like:
  • Biometric authentication and other hassle-free validation mechanisms
  • Your FI’s branding
  • Personalization, such as the customer’s name and photo
  • An intuitive layout that groups functions logically
  • Mobile-friendly navigation options like scrolling rather than searching through pages
  • Branch locations linked to map apps
The modern consumer expects your app to perform as smoothly and intuitively as all the other apps on their mobile. Without the basic app design principles in place, you risk frustrating your customers. If their mobile banking journeys are clunky and error prone, their trust in your institution will diminish rapidly – as will their interest in using your app.
McKinsey shares that digital-first journeys often lead to higher customer-satisfaction scores, and generate 10 to 20% more satisfaction than traditional journeys. This is 100% applicable to mobile banking app design. If the app is poorly designed on the front end, customers are left wondering about the quality and security of the backend.

Overcoming operating system vulnerabilities in banking apps

Unfortunately, many banking apps unintentionally introduce vulnerabilities with their security measures. This could be through poor Secure Sockets Layer (SSL) implementation or certificate validation. SSL and Transport Layer Security (TLS) are the fundamental digital security protocols for encrypting data shared between computers and servers.
What's more, in their recent Mobile app security guide, Appdome shares that “Android and iOS operating systems are not secure”. They also add: “Hackers are developers too. As developers themselves, hackers know exactly when, where and how to attack your apps, users and backend.”
As apps become more complex and connect with various third-party services, more vulnerabilities tend to creep in. As a result, mobile banking apps can become subject to:
  • Software vulnerabilities — these often manifest during the app development phase and should ideally be resolved during this phase or the testing phase. Software vulnerability detection can help ensure apps are more secure and don’t require patches after release to reduce vulnerabilities.
  • Malware — fintech is every cybercriminal’s favorite challenge, and the number of banking trojans is growing rapidly as more consumers switch to the convenience of mobile banking.
  • Weak authorization measures — banks that don’t dedicate sufficient resources to the security of their mobile apps open themselves and their customers up to malware and other risks.
  • Third-party vulnerabilities — more third-party connections potentially mean a wider playing field for fraudsters.
  • Insider threats — when FSP employees can access the backend of an app and perform fraudulent activities like creating an account for themselves.
  • The weakness of mobile device ID — mobile devices are difficult to tell apart when weak device fingerprints are in play.
Digital certificates are one way to help secure mobile phones and tablets as they uniquely identify the specific device. This also turns the device into a reliable second factor of authentication.

Multi-factor authentication: A modern mobile authentication approach

Since fraudsters are experts at manipulating device IDs to impersonate a user, multi-factor authentication (MFA) comes highly recommended, especially when the solution provides real-time data on your customer’s digital transactions.
One-time passwords are also no longer a reliable authentication mechanism as they’re the easiest for fraudsters to crack. For instance, a study by Princeton University found 80% of SIM swap attacks were successful. Studies also show that SMS-based scams, also known as “smishing attacks,” soared by 328% in 2020 alone.
The best way to ensure secure mobile banking logins and transactions is by achieving a balance of security and usability. MFA enables your customers to transact securely on their mobile device. And by including passwordless authentication solutions like biometrics as one of the factors, customers can enjoy an uninterrupted user experience.

Keep an eye out for the rest of our Securing the mobile banking channel blog series. And, if you want to know how to offer secure, seamless customer experiences across all your digital banking channels, speak to one of our experts today.