Thwarting fintech security threats at the mobile application layer
In the old days of security, CSOs thought “when not if”. Now, it’s more like “what’s next?”.
Despite heightened security awareness, it is alarming that 97 percent of financial institution apps tested in a recent study lacked adequate protection, leaving them vulnerable to reverse engineering or decompiling. Given that 63 percent of smartphone users have at least one financial app, the overall risk is enormous.
With the cost of digital attacks in the banking industry reaching $18.3 million annually per company, something definitely isn’t working right. The good news is that there are intelligent, durable ways to defend fintech data assets. Let’s find out how you can make your organization’s mobile payment security something you can depend on.
Layers of mobile device protection
Mobile device security consists of several layers. For hardware, secure booting requires all loaded software to be digitally signed by an approved author. At the operating system layer, both iOS and Android have built-in security features, such as virtual sandboxes that limit malware app damage. Meanwhile, iOS drive encryption comes standard while some Android users may have to enable this feature.
The application layer, however, might be the most complex in terms of security. App installation pulls in potential risk, and the dynamic nature of apps can open new security holes.
What are the main requirements for secure mobile payment apps?
Alignment with industry standards & security regulations
In the US, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard sensitive customer data. To be GLBA compliant, fintechs must inform customers about how they will share sensitive data. Plus, you must inform customers of their right to opt-out if they do not want their personal data to be shared with third parties. All financial institutions must apply specific protections to customers’ private data in accordance with a written information security plan. The details are outlined in the FTC’s GLBA Safeguards Rule.
In 2019, the FTC proposed changes to the GLBA which may include requirements to encrypt all customer data, use multifactor authentication for data access, and implement further access controls to prevent unauthorized users from accessing customer information.
Compatibility with traditional payment services and financial environment
Digital secure payment services should be compatible with traditional payment services and financial environments, such as banks and credit card companies. This requires Know Your Customer (KYC) due diligence, including close examination of their online and offline footprints.
Non-merchant payment fraud relies on stolen credentials, obtained through a stolen card, password theft, a mobile phone breach, phishing, or phone call scams. Some strategies used to exploit mobile app weaknesses include:
- Reverse engineering - Builds a hostile copy of your app to reveal back-end functionality. Can expose encryption algorithms, enable source code edits, and more.
- Shadow APIs - The API does not appear as a compromised endpoint, and the attacker appears as an approved user, escaping network filters.
Building a secure fintech app in 2020
To mitigate risk, today’s most robust fintech security strategies typically include:
Multifactor authentication adds an additional layer (or layers) of authentication, such as answers to personal questions, an SMS confirmation code, or biometrics (fingerprint, face, etc.).
Mobile app shielding
Mobile application shielding hardens application security at the source code level. This happens through advanced code obfuscation (scrambling), string encryption, control flow obfuscation, and metadata obfuscation. While not affecting app function, code scrambling makes the code nearly impossible to understand.
White-box cryptography uses mathematical techniques and transformations to generate hybrid app code and keys for more secure encryption. This prevents keys from being located or extracted from the app. The exact details of how white-box cryptography functions are unique to each designer.
Inserted tracking code can detect whether your app's code has been altered or attacked. Meanwhile, key protection uses a combination of mathematics and cryptography to ensure your keys remain protected at all times. When they encounter multiple layers of difficulty, hackers typically move on to easier targets.
For optimal security, data in transit requires secure storage and periodic rotation of encryption keys and certificates. Only designated apps should be able to connect to backend web servers, for example through certificate management. Automated threat detection services can also detect attempts to move data beyond defined boundaries. Lastly, data-in-transit security can be improved by authenticating network communications with protocols such as IPsec.
Smart cloud choice
A public cloud SaaS application should only be accepted from a vendor who has a verified, well-implemented security strategy. Hybrid cloud allows for the creation of a private cloud just for your company within a SaaS firewall. Private cloud offers maximum security and control; however, you must purchase and maintain the software and infrastructure.
Secure your APIs
In addition to encryption and obfuscation, API security can be improved with Transport Layer Security (TLS), certificate authority validation, and certificate pinning. Meanwhile, segmentation authorizes only certain users to access specific API resources.
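Certificate pinning means the app compares the server's public key against a value shipped with the app instead of trusting any CA-issued certificate. The block below is an added example, not code from the original article: it extracts the SubjectPublicKeyInfo from a DER certificate, derives the common "sha256/base64" pin form, and checks a presented chain against a pin set, failing closed on anything it cannot parse. The certificate it builds with sample_cert is a constructed, unsigned skeleton used only to exercise the parser, not a real certificate.

```python
import base64
import hashlib

def _tlv_at(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag, body):
    """Encode one short-form DER element (enough for the constructed sample certificate)."""
    return bytes([tag, len(body)]) + body

def extract_spki(cert_der):
    """Return SubjectPublicKeyInfo DER: Certificate{ tbs{ [0]ver?, serial, sigAlg, issuer, validity, subject, SPKI ..} ..}."""
    tag, cert, _ = _tlv_at(cert_der, 0)
    tag2, tbs, _ = _tlv_at(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    pos = _tlv_at(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip optional EXPLICIT [0] version
    for _ in range(5):                                  # serial, sigAlg, issuer, validity, subject
        pos = _tlv_at(tbs, pos)[2]
    tag, _, end = _tlv_at(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    return tbs[pos:end]

def spki_pin(cert_der):
    """Pin in the HPKP / OkHttp form: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def chain_is_pinned(chain_der, pins):
    """True only if some certificate in the chain matches a configured pin; parse errors fail closed."""
    try:
        return any(spki_pin(c) in pins for c in chain_der)
    except (ValueError, IndexError):
        return False

def sample_cert(key_bits):
    """Constructed, unsigned X.509 skeleton for exercising the parser; not a real certificate."""
    def seq(*parts):
        return _tlv(0x30, b"".join(parts))
    alg = seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), _tlv(0x05, b""))  # rsaEncryption, NULL
    spki = seq(alg, _tlv(0x03, b"\x00" + key_bits))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), alg, seq(), seq(), seq(), spki)
    return seq(tbs, alg, _tlv(0x03, b"\x00"))
```

Pinning runs in addition to, never instead of, normal chain validation, and a real deployment keeps a backup pin for the next key so rotation does not lock users out. On Android, OkHttp's CertificatePinner and the network security config accept pins in exactly this sha256/base64 form.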
Fintech security of the future
A comprehensive fintech security strategy never rests, and new methods emerge quickly. For example, biometrics is believed to be a superior barrier of defense against fraud. Biometric authentication is fast becoming affordable, practical, and widely available. Providers in the sector are partnering with banks, financial institutions, payment processing firms, and smartphone manufacturers.
Meanwhile, the power of AI/ML technologies and data analytics improves the detection of irregular data patterns and suspicious transactions. The ability to quickly and efficiently process large volumes of data is a cornerstone to any security measure.
Additionally, as pertaining to payments,