The success of the smartphone and the ease of use it brings have led consumers to perform a variety of financial transactions using mobile devices, such as mobile banking, remote deposits, mobile commerce, and so on. In fact, the mobile payment market worldwide is expected to increase at a compound annual growth rate of 20.5% between 2016 and 2024. North America and Asia Pacific are the leading regional markets due to early acceptance of newer technology. The North America market will be worth an estimated $321 billion by 2024 and the Asia Pacific market will be worth $753 billion by 2024 [1]. Another report predicts that, in the United States, mobile wallets are expected to surpass the use of both credit and debit cards by 2020 [2].
Although the popularity of mobile technologies has greatly simplified day-to-day financial operations for the end user, it has brought headaches to the companies that develop the apps and provide the back end for such operations. The cost of dealing with cybercrime incidents has reached the point where it is now a major threat to the corporate bottom line. For instance, a study released in 2017 showed that the average annual cost of cybercrime for companies and institutions providing financial services was over $18 million [3]. In fact, financial services has the highest annualized cost of cybercrime when compared to a range of other industries: $14 million for aerospace and defense, $13 million for technology and software, and $12 million for health care. This is only logical because, as with any crime, cybercriminals tend to attack the most lucrative targets, those that result in the highest payoff. Given the high potential financial losses associated with software-based attacks on financial institutions, it is imperative that companies take concrete steps to ensure the security of their mobile apps, whether outward or inward facing.
In addition to the demand for these services, there is an overwhelming awareness and concern around security and fraud. Among non-mobile banking users, more than 57 percent say mobile banking is unsafe, and an additional 18 percent state they don’t know if mobile banking is safe or not. In another study by Deloitte, of the respondents who do not use a mobile device for financial services, 61 percent cited security issues as the prime reason.
Security researchers from the University of Birmingham, UK, developed a tool called “Spinner” to perform semi-automated testing on mobile phone apps [3]. The tool revealed a serious flaw in many high-profile banking apps. Unfortunately, standard tests were not able to detect the vulnerability, which was contained inside the “certificate pinning” technology that was used to improve security. Because of this, penetration testing did not identify the lack of proper hostname verification. The vulnerability allowed a “man-in-the-middle” attack in which an attacker could possibly retrieve usernames, passwords and PINs.
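The flaw described above, a pinning check that passes without the hostname ever being verified, can be modelled in a few lines. This is an added example, not code from Spinner or from this white paper; it assumes the app pins the public key of an issuing CA, and the certificate dictionaries, key bytes and hostnames are constructed.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo, the usual pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_has_pin(chain, pins) -> bool:
    """True if any certificate in the presented chain carries a pinned key."""
    return any(spki_pin(cert["spki"]) in pins for cert in chain)

def hostname_matches(leaf, hostname: str) -> bool:
    """Match hostname against the leaf's dNSName SANs (left-most '*' only)."""
    host = hostname.lower().rstrip(".")
    for san in leaf["san"]:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            # A wildcard covers exactly one label: *.example matches a.example only.
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False

def accept_pin_only(chain, hostname, pins) -> bool:
    """Flawed check: the pin is tested, the hostname argument is never used."""
    return chain_has_pin(chain, pins)

def accept_pin_and_hostname(chain, hostname, pins) -> bool:
    """Hardened check: pinned key in the chain AND leaf issued for this host."""
    return chain_has_pin(chain, pins) and hostname_matches(chain[0], hostname)

# Constructed sample data: byte strings stand in for DER-encoded public keys.
CA = {"spki": b"constructed-intermediate-ca-key", "san": []}
BANK_LEAF = {"spki": b"constructed-bank-key", "san": ["bank.example", "*.api.bank.example"]}
OTHER_LEAF = {"spki": b"constructed-other-key", "san": ["unrelated.example"]}
PINS = {spki_pin(CA["spki"])}  # assumption: the app pins the issuing CA, not the leaf

def demo():
    """Evaluate both checks for a connection intended for bank.example."""
    results = {}
    for name, leaf in (("bank", BANK_LEAF), ("other", OTHER_LEAF)):
        chain = [leaf, CA]
        results[name] = (accept_pin_only(chain, "bank.example", PINS),
                         accept_pin_and_hostname(chain, "bank.example", PINS))
    return results

if __name__ == "__main__":
    print(demo())
```

A test suite that only presents certificates from an unpinned CA sees both checks reject, which is why the missing hostname comparison is easy to overlook; a test case with a same-CA certificate for a different name separates the two.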
In another research study involving 30,000 mobile devices with one or more banking apps installed, malicious mobile-banking software threatened up to 10 percent of mobile banking customers [4]. Some of the malware includes bots aiming to steal customer bank accounts, and this type of malware has grown more than 50 percent since 2017. The bogus logins are convincing enough that 36 percent of worldwide respondents were fooled by the fake log-in screens.
While mobile payments will continue to evolve and become competitive advantages for financial institutions, the methods that hackers use are evolving even faster. Consumers want to trust mobile transactions; therefore, it is imperative that financial institutions take the necessary steps to protect their apps by making them harder to attack.
Intertrust Code Protection White Paper 2017