By Roy Urrico
Throughout the pandemic, financial institutions, including credit unions, have depended more and more on mobile apps for business continuity while asking accountholders to stay alert for cybercriminals. Many are turning to cybersecurity firms like San Francisco-based Appdome, whose stated mission is to protect the mobile economy and the people who use it.
“Mobile consumers have shifted to mobile banking apps to save, pay, transfer money, etc.,” Tom Tovar, CEO and co-creator of Appdome, said. He pointed out that this trend has transformed traditional financial institutions into mobile-first banking businesses and led to a huge increase in mobile banking participants.
As a result, protecting the mobile banking experience, or channel, as well as mobile banking revenue has become a top concern for financial institutions’ security teams globally. “Where the consumer goes, hackers and digital thieves will go. It is a race to see who gets to the mobile consumer first — the mobile bank or the hacker,” Tovar noted. “The FBI said it expects cyberactors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking Trojans and fake banking apps.”
Tovar maintained, “It’s not enough to protect the business data and the app. You have to protect the consumer data. Your users have shifted to using your mobile app as your primary storefront. So, if your mobile app is your business, secure it.”
Attacks Targeting Mobile Apps
Mobile banking apps have the highest trust levels among mobile apps, according to Appdome’s COVID-19 mobile consumer survey. “But that trust can easily be broken if the app suffers a breach,” said Tovar.
More threatening still, attacks on mobile banking apps are becoming highly targeted and far more sophisticated; some can even bypass certain multi-factor authentication protections. The hazard is real and growing. These attacks include all of the typical threats, from phishing attempts using SMS (short message service/text), email and even in-app messaging services, to man-in-the-middle attacks, Tovar held.
In many cases, these attacks aim to install malware, often via a Trojan such as Cerberus. Tovar indicated that the Cerberus Trojan abuses Android accessibility features and the developer option that allows installation from unknown sources in order to escalate privileges, allow remote access and update the malware on target systems. For example, according to reports, hackers used Cerberus to reverse-engineer Google’s authentication flow and extract two-factor authentication credentials from mobile apps, mimicking and bypassing Google Authenticator.
There are other threats. “In the first half of 2020, we saw the emergence of the Eventbot malware, which specifically targets mobile banking apps,” Tovar said. It masquerades as Microsoft or Adobe apps, and, like Cerberus, can intercept SMS messages to obtain multi-factor authentication codes for account takeovers and data theft. “Newer and more sophisticated variants continue to pop up thanks to auto-update capabilities.”
FX Trading Protection
In December, one of the world’s largest foreign exchange (FX) banks, Grupo Financiero Monex, chose Appdome’s artificial intelligence-powered no-code platform to secure its FX trading mobile app, Monex Móvil.
Observing a growing danger to mobile banking apps in particular, the Mexico City-based Monex information security team recommended reinforcing the protection of the Monex Móvil app. Appdome and its Mexico City-based partner, Incident Response Team SA de CV Shield Force, worked with the Monex infosec team during an extensive proof-of-concept period.
Monex secured Monex Móvil with the all-in-one Appdome Mobile App Security Suite in just minutes with no coding required. Appdome’s platform fused a range of security capabilities into the app binary, including anti-tampering, data encryption, jailbreak/root prevention and man-in-the-middle prevention.
The Appdome platform provided Monex with an array of capabilities, including:
· Protection against app tampering and debugging.
· Obfuscation of the binary code to protect against reverse engineering.
· Encryption of application data, strings and metadata with AES-256 encryption.
· Root/jailbreak prevention, which stops the app from running on untrusted or banned devices.
· Securing the communication between the app and the back-end to prevent man-in-the-middle and other TLS-based attacks.
The Appdome Mobile Security Suite satisfied all of Monex’s security requirements and passed multiple penetration tests.
“Monex Grupo Financiero has always made it a priority to offer the highest level of security to our clients in the financial services and products we offer,” said Luis De la Vega, CIO at Monex. “That is why we have decided to partner with Appdome, so that we can ensure that all of our transactions meet the highest standards of quality and security demanded by the market.”
Tovar explained, “We’re seeing tremendous traction with global financial services companies who, like Monex, are taking proactive action to secure their mobile apps and protect the people and business who rely on their apps.”
New Threats Need New Protection
Tovar pointed out that, now that mobile is center stage, protections such as data encryption, shielding user credentials and safeguarding the connection between the mobile app and the back-end share the spotlight and are highly important. “You need to make sure of this basic bill of rights as we all shift toward that being the primary way that we interact with our banking.”
Tovar provided a “COVID-19 Bill of Rights” for mobile banking apps:
· Secure data storage (OWASP Mobile Top 10 M2, insecure data storage; OWASP is the Open Web Application Security Project). Simply put, secure the user’s data at rest, i.e., data stored locally by the mobile app.
· Provide sufficient cryptography (OWASP M5, insufficient cryptography). Use the Advanced Encryption Standard (AES) at 256 bits or higher on all data elements in the app, including strings, preferences and resources.
· Secure communications (OWASP M3). Protect against man-in-the-middle attacks. There should be no reason hackers and thieves should see data that passes between an app and the back-end.
· Encrypt username and passwords. “Surprisingly, many apps don’t do this inside the app itself.”
· Protect users against fake apps. Most apps available in the app stores do not protect against tampering, reversing and similar threats, allowing malicious actors to create and distribute fake apps to prey on unsuspecting consumers.
· Protect users against keylogging. This complements protecting usernames and passwords, as malicious third-party apps can track and store the credentials users enter into apps.
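The M2, M5 and “encrypt username and passwords” items above all reduce to the same engineering task: a locally stored value must be unreadable and unmodifiable without the key. The Go code below is an added example written for this article, not Appdome’s or Monex’s code; it encrypts a single app preference with AES-256-GCM, binds the preference name in as authenticated data so a blob cannot be swapped between keys, and rejects any tampered blob. The one assumption is key custody: a real app would draw the 32-byte key from the platform keystore (Android Keystore or iOS Keychain), never from a constant in the binary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmFor builds AES-GCM from a 32-byte key (AES-256). Where the key lives is the
// assumption here: on a device it comes from the platform keystore, not the binary.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPref encrypts one preference value; the preference name is bound in as
// additional authenticated data, so a blob copied under another name will not open.
func sealPref(key []byte, name string, value []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, []byte(name)), nil // nonce || ciphertext || tag
}

// openPref reverses sealPref; any edit to the blob or a wrong name fails the tag check.
func openPref(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored value too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}

func main() {
	key := make([]byte, 32) // all-zero demo key; a real app draws it from the keystore
	blob, _ := sealPref(key, "username", []byte("alice@example.com")) // constructed sample
	blob[len(blob)-1] ^= 0x01 // simulate tampering with the stored blob on the device
	_, err := openPref(key, "username", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because the name is part of the authenticated data, a “demo_mode” blob pasted over “session_token” fails to decrypt even though the key is the same, which closes a common class of local-storage manipulation.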
“Anyone can use Appdome to add security capabilities such as man-in-the-middle prevention, obfuscation, encryption, app hardening, jailbreak/root prevention and more into any mobile app within minutes, without code or coding,” Tovar explained. “It’s a fast, guaranteed way for developers and organizations to ensure their apps are secure without delaying release dates.”
Tovar also suggested, “With the growing sophistication and number of attacks against mobile banking apps, credit unions can ensure their apps are safe and secure for their end-users without having to hire scarce iOS and Android security specialists.” He added that Appdome makes it possible to incorporate strong security without the time and expense of manually coding it in. “They can release their apps on-time without worrying about security. That’s a pretty big win for credit unions and their customers.”