HOW BANKS AND FINANCIAL INSTITUTIONS CAN UP THEIR APP SECURITY GAME

Will LaSala, Director of Security Solutions, Security Evangelist, OneSpan

 

The holiday shopping period often kicks off with Black Friday. And as technology evolves, the way consumers interact with retailers is also changing. Of the £1.39 billion spent online on Black Friday last year, 39 percent of those purchases were made via smartphones, presenting a new target for cyber-criminals to exploit. Indeed, criminals are increasingly targeting customers via mobile online banking apps, particularly seen in the rise of SIM swap fraud. This involves hijacking phone numbers to gain access to mobile accounts, and has increased by 60 percent since 2016. And with UK customers having already lost £500 million to scams in the first half of 2018, there’s an urgent need for banks and financial institutions to place mobile application security at the top of their agendas. In light of this, here are four ways they can up their app security game:

 

1 – Employ strong authentication, consider adaptive methods and tools 

To ensure they stand the best chance of securing data and reducing the risk of fraud on Black Friday, all mobile apps should be secured with strong, user-friendly, multi-factor authentication. This means that if a hacker wants to gain access to an account, they would need a combination of at least two out of three authentication methods – something you know (such as a PIN), something you have (such as an authentication app) or something you are (such as a fingerprint or facial scan).

 

Banks and financial institutions should also consider adaptive authentication tools. These take into account, in real-time, user, device and transaction data, to then determine the precise authentication requirements needed for each transaction.

 

Banks should continuously analyse a user’s activities, environment and behaviours, to help detect transactions that are out of the ordinary. This is particularly important around the holiday shopping season, but should be employed all year round. If a customer starts logging in to their mobile banking app from an unfamiliar location in Scotland, when they usually make payments from London, a certain risk score may prompt a request for a one-time password (OTP), while a higher risk score (e.g., for a transfer of £10,000 to a foreign bank account) may prompt the user for both an OTP and a fingerprint scan.
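The risk-based step-up described above can be sketched as follows. This is an added example, not code from OneSpan or any bank; the signal names, weights, thresholds and sample events are all assumptions chosen to mirror the London/Scotland scenario.

```python
from dataclasses import dataclass

# Hypothetical weights and thresholds, chosen for illustration only.
WEIGHTS = {"new_location": 30, "new_device": 30,
           "foreign_payee": 30, "high_amount": 30}
OTP_THRESHOLD = 30         # at or above: ask for a one-time password
BIOMETRIC_THRESHOLD = 60   # at or above: ask for OTP and fingerprint
HIGH_AMOUNT_GBP = 5_000

@dataclass
class Profile:             # what the bank has learned about the customer
    usual_locations: set
    known_devices: set

@dataclass
class Event:               # one login or payment attempt
    location: str
    device_id: str
    amount_gbp: float = 0.0      # 0 for a plain login
    payee_country: str = "GB"

def risk_signals(profile, event):
    """Return the names of the risk signals this event triggers."""
    signals = []
    if event.location not in profile.usual_locations:
        signals.append("new_location")
    if event.device_id not in profile.known_devices:
        signals.append("new_device")
    if event.payee_country != "GB":
        signals.append("foreign_payee")
    if event.amount_gbp >= HIGH_AMOUNT_GBP:
        signals.append("high_amount")
    return signals

def decide(profile, event):
    """Score the event and return (score, extra factors to request)."""
    score = min(100, sum(WEIGHTS[s] for s in risk_signals(profile, event)))
    if score >= BIOMETRIC_THRESHOLD:
        return score, ["otp", "fingerprint"]
    if score >= OTP_THRESHOLD:
        return score, ["otp"]
    return score, []       # normal login factors are enough

# Constructed sample data: a London customer with one known device.
PROFILE = Profile({"London"}, {"device-A"})
LOGIN_USUAL = Event("London", "device-A")
LOGIN_SCOTLAND = Event("Edinburgh", "device-A")
TRANSFER_ABROAD = Event("Edinburgh", "device-A", 10_000, "FR")

if __name__ == "__main__":
    for name, ev in [("usual login", LOGIN_USUAL),
                     ("login from Scotland", LOGIN_SCOTLAND),
                     ("£10,000 transfer abroad", TRANSFER_ABROAD)]:
        print(name, decide(PROFILE, ev))
```

In production the score would come from behavioural and device analytics rather than fixed weights, but the decision step that maps a score to the factors requested has the same shape.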

 

2 – Application shielding technology

All bank and financial mobile applications should be able to protect themselves in untrusted or compromised environments, to mitigate the risk of fraud. Application shielding technology can detect and prevent app-level intrusions in real-time. So even if a user unknowingly downloads malware – by jailbreaking their device, connecting to unsecured public WiFi, or not updating their software – the app itself is not compromised. This means that any data and transactions made within the app will stay secure.

 

Application shielding technology also prevents attackers from injecting malicious code into an app and repackaging it for distribution in unofficial marketplaces or websites, as was seen with the popular Fortnite app earlier this year.

 

3 – Stay compliant with industry standards

Industry standards are a great way of setting a benchmark that all banks and financial institutions should adhere to, and ensuring their offerings are protected from the latest threats and vulnerabilities on Black Friday and beyond.

 

Complying with the upcoming PSD2 regulations well in advance of the deadlines will stand banks and financial institutions in good stead to protect mobile apps ahead of the holiday shopping period. PSD2 includes a Strong Customer Authentication requirement, which involves mandatory two-factor authentication, and Transaction Risk Analysis to prevent, detect and block fraudulent payments. This takes into account elements including payment patterns, behavioural analysis, location of payer and payee, information about the device used to conduct the payment, and the ability to collect data from multiple channels.

 

4 – Educate customers

Banks and financial institutions should provide clear communication and guidelines for their customers, offering advice on how to stay secure. Popular shopping periods, such as Black Friday, Cyber Monday and the run-up to Christmas, present tempting opportunities for hackers looking to target customers with social engineering attacks and phishing emails. Customers should be educated on how to spot these, and what to avoid. Furthermore, if a bank or financial institution knows that a phishing email is impersonating them, they should send notices to customers warning them.

 

With the holiday shopping season upon us, banks and payment providers need to make sure they’re prepared for the annual shopping rush, and that hackers don’t take advantage of the upsurge in transactions to target customers. By taking into account the above four steps, banks and customers will both be protected, not only at Christmas, but for life.

 
