Finance 2018-06-28T23:08:05+00:00

Financial Technology Industry

MOBILE SECURITY BRIEF

Securing Mobile Apps is Critical to Fintech Success


Even under the burden of heavy regulation, fintech upstarts and established institutions have introduced a variety of game-changing innovations, and they’re just getting started. From e-payment and cryptocurrency systems to digital wallets, e-loans, and micro-investing, mobile apps are integral to the fintech ecosystem. Personal and business transactions are increasingly virtual, bringing unprecedented convenience to the consumer and extraordinary operational efficiencies to financial firms of all kinds.

Mobile apps are a far cry from Fort Knox — no matter how securely your apps are built, the cyber hygiene of your end users’ mobile devices is out of your control. The potential consequences of unmanaged mobile devices are serious — the whole point of the financial system is to protect and grow our financial resources. If fintech services can’t guarantee protection, consumers will fail to adopt their newly offered innovations and the fintech business will fall behind its competitors.

As banks, lenders, investment firms, and other fintech companies race to capture the attention and trust of populations that increasingly prefer to take care of business by smartphone, the ecosystem is in flux. Traditional institutions are partnering with startups, the Millennial influence is growing, regulatory rollbacks continue, and new business models take root online at an astonishing pace.

The public interfaces with all these innovations through mobile apps. The widespread adoption of online financial services depends in large part on trust, which requires secure and private mobile apps. The threat of public breach notifications, penalties, reputational damage, and operational outages looms large over the whole industry. The cautionary tales abound — the ripple effects of disasters at Equifax, JPMorgan Chase, SWIFT, and many more continue to roil the financial sector and its governing bodies.

The risks include financial and insurance fraud, loss of public trust, and compromise of the confidentiality, integrity and availability of sensitive data. Banks and other financial firms have just as much on the line as consumers — insecure apps enable hackers to drain funds, steal privileged credentials, cripple operations, and install cryptomining malware.

Financial institutions have always been heavily targeted by organized cybercriminals seeking to steal money, commit fraud, and exfiltrate records full of personal identifying information (PII). Organized cybercrime syndicates and state-sponsored hackers have turned up the pressure in recent years. Sophisticated attacks on banking infrastructure make larger heists possible. But the widespread adoption of fintech mobile apps increases the attack surface exponentially. Every unmanaged device in the installed user base becomes a threat to the integrity and sustainability of the fintech enterprise.

Can the customer view their financial records while using this mobile app? If so, their personal finances may be exposed by hackers or leveraged in ransomware attacks. The PII can be used in creating unwarranted claims against the individual, including identity theft and fraudulent credit card and loan applications.

Can the customer transfer funds through the mobile app? If so, it provides an entry point directly into a financial institution’s network. It may also provide additional data on other private individuals to whom funds were transferred. This may provide further access into other financial institutions and business partners.

Banks have best-of-breed security. Why can’t they secure mobile fintech apps?

Mobile device management solutions (MDM, EMM) are device-centric and so cannot provide any control over the devices belonging to the end users of a public-facing app. Those unmanaged endpoints run the app’s executable code, and that code can be accessed and altered by a compromised operating system. The executable code for web applications and services resides primarily on enterprise systems, and can be protected and monitored accordingly. Mobile app code resides primarily on the mobile device itself.

Without a solution like HackGuard, the executable code of mobile apps cannot be monitored, protected, or remediated. There’s a rule of thumb for public-facing apps that might surprise any financial organization that’s new to the app publishing business. Let’s call it the 200 Rule: The typical organization with 1000 employees can assume they have around 200,000 public app users. That’s 200,000-plus smartphones, tablets, and notebooks over which you have no control. Until you have detailed information about the health of the environments your app is operating in, your attack surface is expansive and your security team is blind.

Successful fintech apps have millions of public app users. No up-and-coming service provider wants to empower hackers with millions of possible tunnels into their networks, systems, and equipment. The damage from attacks on mobile apps is not confined to end-users and the costs associated with helping them recover from fraud or service outages. Hackers can also compromise the app’s communication with the host (banking) systems in order to exfiltrate records and privileged credentials, which can in turn be leveraged in further attacks, extortion schemes, and corporate espionage.

Of course clean, secure-by-design app development is important. The good news is, that part is under our control and developers keep up with security requirements. But even when the developer has done everything right, the app can still be vulnerable. There are approximately 3000 open vulnerabilities in Android and iOS. As we know, any security that depends on users’ cyber hygiene and patching practices is bound to fail. Moreover, it’s all too easy for hackers to reverse engineer apps. The same goes for malware development — hackers can even buy exploit kits on the Internet.

Mobile antivirus is incapable of even accessing an app’s executable code. AppVision researchers have white hat hacked top US bank apps in order to further analyze the dynamics of mobile app security environments. They observed that none of the tested antivirus products generated alerts or warnings, having failed to detect the compromise to the app’s executable code. HackGuard was consistently successful in detecting and responding to these same attacks.

Advanced malware exploits are designed to deliver a payload that doesn’t detonate immediately. In order to inflict maximum damage (and reap the most bounty possible), malware uses “dwell time” (the period from initial intrusion to detonation) to establish command and control, test system defenses, and spread to further devices. Ponemon Institute’s 2017 Cost of Data Breach Study pegs the average attack dwell time at 257 days (191 to identify, 66 to contain).

Far too often, due to lack of visibility, the financial institution doesn’t know the detonation has occurred and that funds, data, and credentials are being stolen. Traditional cyber security methods are unable to detect the malware because the activity is coming from a known (but compromised) mobile device, not from an unknown source that can be traced back to a suspicious IP address or pattern of hacker activity.

After a vulnerability or attack has been detected, app developers often waste time trying to find a flaw in the app, or developing and releasing new versions. There are multiple issues with this remedial approach. To start with, new versions of the app would have to be released as mandatory upgrades because end-users are notorious for ignoring update recommendations. Then there is the fact that hackers are watching for updates and can likewise quickly update their malware based on what they learned from the first stage of the attack, leading to even more damaging exploits.

Banks and fintech companies have no access to an end user’s compromised device; they can’t do forensics in order to get to the root cause, and so the vicious cycle continues. AppVision’s HackGuard turns a repeating APT cycle that continues over several months into a simple, quick solution process, at the end of which losses have been avoided, and the event is ended with finality.

How can HackGuard help fintech companies protect their business and their customers?

No matter where they wander in the world, your mobile apps can be made hack-proof with HackGuard technology and professional services. With an app-centric focus, this SaaS solution is purpose-built, affordable and easily implemented by all types of fintech organizations that provide mobile apps for their customers.

HackGuard is an Endpoint Detection and Response (EDR) solution designed specifically to protect mobile app executable code and provide deep discovery of an app’s operating environment. It is threat-vector agnostic, meaning it can protect against all types of attacks, including Zero Days.

Think of HackGuard as a guardian angel, lightly sitting on the shoulder of your mobile app, keeping it safe wherever it may wander. With HackGuard, you can deploy comprehensive protection in just minutes, and begin detecting attacks

In the good old days, bank robbers wore ski masks. Now they hide behind foreign borders, proxy servers, and evasive malware code. HackGuard sends all collected device and app data to a cloud portal, through which granular reporting tools are provided. Each AppVision customer is provisioned with its own separate, securely encrypted database. A unified dashboard provides trend graphs, app activity gauges, install/launch charts, rolling reports, and detailed demographics for your installed app base. Datagrids are sortable and searchable. Alerts can be controlled through trigger and threshold settings.

With this kind of visibility, fintech organizations can protect their app, their systems, and their users by conducting rapid attack vector analysis. And most powerfully, with the granular attack data provided by HackGuard, it is easy to track the device characteristics that are being targeted and identify the users most at risk of compromise.

Other mobile app security products inject foreign code or wrap protective code around apps. App developers are wary of these approaches: they require significant effort to implement, can interfere with app functionality, and can even break the app. The act of injecting anyone else’s code, even from a security solutions provider, effectively increases an app’s attack surface. While developers may have complete control over their own code, they cannot exert the same control over injected code, which makes a prime target for hackers seeking to do widespread damage.

AppVision’s HackGuard employs a different, innovative approach — requiring no injection, no SDKs, no need to touch multiple components of the app. In fact, HackGuard can be enabled for an app in under a minute on both Android and iOS.

HackGuard is mobile app security that works all of the time, on every device, and against all kinds of attacks. If consumer trust is the linchpin of your entire business model, make sure HackGuard has your back — and your apps.