As financial institutions work to provide mobile banking apps to customers clamoring for them, these organizations are struggling with offering the right functionality without giving the farm away to criminals. But all of that work is done under the covers and in an inconsistent manner across the industry, leaving customers to fend for themselves in evaluating whether or not their institution's mobile banking app is safe enough for their personal risk appetites.
In the meantime, the criminals are hard at work looking for ways to capitalize on the confusion and break the mobile banking model for their financial advantage.
"We've seen a continued, significant surge in chatter in the underground economy regarding research and development into mobile devices," says Steve Santorelli, director of global outreach at the Internet security research group Team Cymru. "That's for compromise of the operating system, but more importantly, compromise of the app. It took us a generation to persuade people that there's a risk involving malware on desktop devices. Everybody is massively moving towards mobile technology, and that psyche hasn't really yet transferred over to mobile devices. So we need to play a lot of catch up."
What's more, while we're playing catch-up, criminals are realizing that mobile may provide convenience to the user, but also to them as they dig for personal details on devices, says Craig Priess, co-founder and vice president of products and business development for Guardian Analytics.
"If you think about what the phone represents for a criminal, it's pretty amazing," says Priess. "Pretty much everything you want to know about a victim is all served up on a silver platter: all your contacts, social networks, your location, financial institution that you use. It's a really rich repository of information and it's not very secure."
Already, the crooks have made headway in leveraging mobility to attack mobile banking functionality and commit fraud, says Jaime Blasco, labs manager at AlienVault.
"The usage of mobile devices to perform financial activities has grown enough to be profitable to the bad guys who target these platforms," he says. "Zeus and SpyEye banking Trojans have adapted their techniques to steal mTANs [Mobile Transaction Numbers] on mobile devices. We see that hackers are adapting their techniques very quickly, and as long as mobile banking continues to grow, we will see an increase in these kinds of threats."
In addition to banking Trojans, malware writers are also taking advantage of sometimes insecure app delivery mechanisms, especially on the Android platform, to serve up rogue applications meant to mimic legitimate apps. This may be a problem as black hats try to trick users into downloading a "banking" app that's really not from the user's bank, Santorelli says.
Even when the app is legitimate, the user isn't necessarily guaranteed a secure banking experience. Financial institutions are generally cautious in their approach to these apps, but there have been some public misfires as some institutions learn as they go.
"There are still institutions [such as Wells Fargo] that have pushed out mobile banking apps that stored client username and passwords in clear text format, so there is a long way to go," says Mike Meikle, CEO of information security consulting firm Hawkthorne Group, who points to Wells Fargo's very public 2010 mobile banking gaffe as an illustration of this phenomenon.
At the moment, though, security experts say that at many institutions the risk of mobile apps isn't that much greater than the risk of online banking, as these apps are generally pretty restricted.
"Due to not being able to secure data easily on the mobile device itself, mobile banking apps have largely been just clients to web banking services," says Mark Bower, vice president at Voltage Security. "There's no doubt that smartphones present a huge opportunity for banks to extend advanced new services right into the palm of the hand of their customers. But what's holding most back is the lack of consistent data security that can really push the boundaries of new revenue opportunities in mobile banking apps."
The question, of course, is what the triggers will be for demand versus risk to determine how soon some of those boundaries will be pushed. These are questions that can only be answered institution by institution. They may well also be answered by more focus on the fundamentals of fraud prevention and layered security.
"The simple reality is that there are risks inherent in any channel, but apps are not intrinsically riskier than other options. From a security standpoint, financial institutions need to recognize that consumers will be -- and are -- using these apps, and so they need to implement security strategies that take that into account," says Eli Katz, vice president of enterprise strategies at 41st Parameter. "No element of a sensible layered security strategy exists in a vacuum and financial institutions need to provide their customers with the convenience of mobile solutions while maintaining strong security and fraud prevention capabilities."
Priess agrees, saying that in the end, his company believes that whether it is through online banking or mobile banking, users' endpoints should never be fully trusted by the financial institution. They need fraud prevention analytics to stop suspicious activity from ever going through.
According to Axelle Apvrille, senior mobile antivirus researcher at Fortinet, banks should also be doing more code review of apps and should try to think about creative ways of delivering the experience more securely.
"They need to be reviewed by independent and well-trained experts. Those experts need to know about malware, for instance, and not only consider security protocols," Apvrille says. "Triggering a safe, trusted mode on phones would be a good idea, such as a trusted display. There is a lot of ongoing research on Trusted Computing."
The problem is that this kind of advanced under-the-covers technology is not readily apparent to users who want to evaluate whether they should trust their bank's mobile banking services. For example, Priess says he personally uses mobile banking, but only because he knows his financial institution is a customer of his company and employs best practices around its mobile banking services.
Most consumers wouldn't ever know that. And they likely never will, due to the tight-lipped policy of these organizations, which feel that it would be divulging too much information to use security as a competitive differentiator.
At most, Priess says, consumers can look for future guarantees from their institution as a gauge of how well it is doing at advancing mobile security.
In the meantime, says Will Irace, vice president of threat research at Fidelis Security Systems, it may just be a matter of choosing pragmatically.
"Should we be wary of these new technologies because fraudsters will target mobile banking applications? Should we use them because they provide useful value? The answer is yes," Irace says. "I favor a pragmatic approach to risk. I'm absolutely certain there are vulnerabilities in mobile banking systems. I expect some of these vulnerabilities to be exploited, causing harm to bankers and their customers. But because I love the ability to deposit a check from my phone using its camera and my bank's app, I am an enthusiastic consumer of mobile banking technologies. This is no more nor less foolish than my decision in the 1980s to pay my bills electronically, or my decision each morning to get out of bed and face my daily commute."