{"id":46544,"date":"2012-04-08T18:13:02","date_gmt":"2012-04-08T16:13:02","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=46544"},"modified":"2012-04-10T10:51:37","modified_gmt":"2012-04-10T08:51:37","slug":"are-your-mobile-banking-apps-safe","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/cellular\/46544-are-your-mobile-banking-apps-safe.html","title":{"rendered":"Are your mobile banking apps safe?"},"content":{"rendered":"<p>How safe are your mobile banking apps? Not very, based on the findings of a 2011 study by digital forensics and security firm, <a title=\"viaForensics\" href=\"http:\/\/mybroadband.co.za\/vb\/showthread.php\/420228-viaForensics\">viaForensics<\/a>.<\/p>\n<p>According to the study, 25% of the mobile banking apps tested didn\u2019t provide adequate security: passwords, partial credit card details, payment history and transaction details were easily retrieved from the handset.<\/p>\n<p>What\u2019s more, another 31% of banking apps had less severe security issues with 44% offering adequate security.<\/p>\n<p>Mobile banking apps actually fared well in comparison to social networking and retail apps \u2013 none of these passed the security test \u2013 and only 9% of productivity apps made the grade.<\/p>\n<p>However, it is clear that banking apps are nowhere near secure enough when you consider the potential fallout from having banking details compromised.<\/p>\n<p>And when one considers the predictions that as consumers move more and more of their banking and shopping activities onto mobile devices, hackers and criminals are going to be increasingly targeting these devices.<\/p>\n<p>What\u2019s more, they have years of experience in the PC world to draw on, so all indications are that mobile security issues are going to evolve far faster than they did in the PC world.<\/p>\n<p>Surely banks and developers should have learnt these same lessons and be keeping ahead of criminals? Unfortunately several factors about the current mobile development landscape mean that security is left to the last minute, or not even considered at all, rather than being a priority from the get-go.<\/p>\n<p>These factors include a focus on speed to market and grabbing marketshare, outsourced development projects running over time and budget, and hiring software developers with little security experience.<\/p>\n<p><strong>Beefing up mobile security<\/strong><\/p>\n<p>As ever in the fragmented mobile market, it\u2019s important to understand the various security capabilities of different mobile technologies and to offer transactional services accordingly:<\/p>\n<p><strong>USSD<\/strong><\/p>\n<p><a title=\"USSD - Unstructured Supplementary Service Data\" href=\"http:\/\/mybroadband.co.za\/vb\/showthread.php\/384163-USSD-Unstructured-Supplementary-Service-Data\">USSD<\/a> offers the least amount of security, with weak encryption capabilities to protect information sent over the mobile network and several inherent security issues with the technology itself. No matter how well a USSD service is implemented, it can never offer adequate levels of security so should be reserved for more basic services.<\/p>\n<p><strong>Mobile web<\/strong><\/p>\n<p>Despite including\u00a0SSL (secure socket layer) encryption, security on the mobile web is also problematic. For a start users\u00a0 have to check that their browser trusts the site by looking for clues that differ from browser to browser. Also in many cases and especially on older phones, the certifying authority has already been hacked. So despite the browser indicating that a site is trusted, it is in fact unsecure.<\/p>\n<p><strong>HTML5<\/strong><\/p>\n<p>Unfortunately the introduction of HTML5 is going to do nothing to improve security on the mobile web. Simply put, the specifications haven\u2019t considered security at all and new features, such as local storage, make security levels on the mobile web significantly worse than the status quo.<\/p>\n<p><strong>Applications<\/strong><\/p>\n<p>Mobile applications have the potential to offer the highest levels of security \u2013 but only if this is implemented properly. Too often apps are implemented without utilising security features, or are outsourced to software development teams with no security experience or knowledge. Then factor in variances across different operating systems and the fact that when under time or budget pressure, security becomes the last concern.<\/p>\n<p>Two things need to happen to provide customers with an adequate level of security when it comes to banking applications, both to avoid disaster and also to ensure that customers have the same level of confidence in the bank, irrespective of the channel they are using.<\/p>\n<p>Firstly, inherent security flaws need to be mitigated as far as possible. So rather than rely on standard SSL security and certification authorities on web browsers, run a standard, validated security stack that you know hasn\u2019t been compromised. Consider what data is being stored locally and don\u2019t store or transmit passwords and other sensitive details as plain text.<\/p>\n<p>Even if inherent risks have been mitigated, only offer services suited to the functionality, security capabilities and user experience of each channel. So, for example, USSD should only be used for non-critical transactions such as balance statements, while a well-implemented app can be trusted to handle more complicated payments and transactions.<\/p>\n<p>Developing mobile services using a mobile enterprise application platform (MEAP) with a built-in, externally verified security stack is the best way to deliver the most suitable service for a mobile channel while still remaining conscious of the channel-specific security concerns.<\/p>\n<p><em>* This report was prepared by Virtual Mobile Technologies.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>25% of mobile banking apps don\u2019t provide adequate security, says Virtual Mobile Technologies<\/p>\n","protected":false},"author":23,"featured_media":46546,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,27],"tags":[35,2996,3336,10198,6769],"class_list":["post-46544","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cellular","category-security","tag-headline","tag-mobile-banking","tag-mobile-security","tag-online-banking-security","tag-virtual-mobile-technologies"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/46544"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=46544"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/46544\/revisions"}],"predecessor-version":[{"id":47380,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/46544\/revisions\/47380"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/46546"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=46544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=46544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=46544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}