• Article
• 08 Apr 2019
• Kirsty Williams

Are Financial Apps putting Customers at Risk?


Like them or loathe them, we all put our faith (and our money) in the financial markets. Globally there are over 1 billion movements of money every single day.

It’s a staggering amount and will only increase as the world becomes increasingly dependent on electronic transactions over cash.

Cash is unlikely to ever vanish totally from our wallets as the tourist industry alone will always be a big contributor towards cash circulation.

However, we are all becoming more reliant on technology to both move and monitor our finances.

Conveniently there’s an app for that…

However, the problem with having an app is that it’s distilled the often-convoluted process of logging into your bank account to a simple tap.

This convenience seems to have come at a price. A recent research programme conducted by white hat hackers at Aite Group reverse engineered the Android versions of 30 financial applications from eight different sectors, from retail banking to auto insurance.

They discovered that the majority had serious security issues, ranging from no binary code protection to private certificates and API keys hardcoded into the app.

Hardcoded credentials like these would allow hackers to break into the vendor’s servers and access customer information.

It’s worth noting that the research didn’t exclude iOS apps because they are more secure; the researchers simply chose to focus on Android.

So, the implications are far-reaching indeed.

What can be done?

During the research project, it took on average eight and a half minutes to defeat an app’s protections and begin freely reading the underlying code.

Considering these apps are meant to be keeping user data safe, this is poor to say the least.

According to Aite Group, 83% of the apps tested stored data outside of the app’s control, meaning the data was written to the phone’s local file system. This would allow a hacker – or in fact anyone with access to the device – to copy the data and potentially share it with other apps.

There were other weaknesses too, including incorrectly deployed ciphers and insecure random number generators.

Weak ciphers and predictable random numbers mean the data could be decrypted quickly and easily, allowing hackers to manipulate or steal it at will.

According to Aite Group the security issues are entirely avoidable. The research concluded that implementing application shielding and other controls such as application binding, repackaging detection and tamper detection, data-at-rest encryption and key protection would be enough to protect the app and customer data.

While the organisations that own the apps must take their share of responsibility, much of the blame rests with the developers, who seem to have a basic lack of understanding regarding app security.

This isn’t entirely surprising. Since the Apple iPhone and App Store changed the way we thought about how phones – and their applications – work, there has been an explosion in both apps and app developers.

It’s easy to see why. Development costs are relatively low whereas earning potential is huge. In 2016 the app market was valued at $1.31 trillion. It’s expected to balloon to $6.35 trillion by 2021.

That means in 2016 the 3.4 billion app user community spent roughly $379 each across the year.

The problem is that, much the same as anyone can set up a business and claim to be an expert, anyone can claim to be an app developer.

And while a great many have the appropriate skills and knowledge in-house to create secure apps that protect user information, some just use developer SDKs and nothing else.

That means high churn, low quality apps that are great for making money but not much else. In a saturated market the temptation for businesses is to work with the cheapest operator out there.

Where the app handles personal information, rather than simply connecting to an app store for in-game purchases, that approach borders on negligence.

In theory the respective app stores are meant to block apps with vulnerabilities, so questions need to be asked there too.

This isn’t to suggest that tests aren’t being carried out, but perhaps more rigorous tests – such as those carried out by Aite Group – should be put in place in order to protect customers’ data.

The bigger issue

Part of the problem is that details are stored and moved around using methods that are, essentially, the same as they’ve always been.

Although an electronic transaction happens within moments, the information that is passed between the two banks (the purchaser’s and the seller’s) is no different than when payments were carried out via telephone or using post or courier.

Name, address, account number, sort code, current balance, value of sale.

This information flits up and down phone lines wrapped in layers of virtual armour. Although very hard to intercept, it’s not impossible. That means that, with a single attack, a hacker can obtain everything they would need to empty your account.

Institutions – like insurers – harvest very similar information and store it on a server, which means any vulnerabilities can be exploited to great profit by hackers.

Bank card information, date of birth, address, often national insurance numbers and other personal details are all there, ripe for the taking.

Or modifying.

Although there are fail safes against altering records, it isn’t impossible to disable them or erase any record of a change being made.

That means records can be subtly altered without anyone knowing until it’s too late, resulting in large amounts of money or information being stolen with little chance of recovery.

Online fraud costs the global economy as much as $600 billion a year which translates to around 0.8% of total world GDP.

But is there an alternative?

Although there are always new security innovations, they essentially just add layer upon layer of security on top of data that is, at its core, vulnerable.

Blockchain could present an answer.

Blockchain

The technology behind cryptocurrency has a growing number of applications and companies of all types are scrambling to figure out how to apply it.

The truth is that, because of how blockchain works, it can be applied to any industry that involves the movement of data.

Essentia have developed a border control system to store passenger data. Thinking about how we move through borders and the largely static nature of a person’s information, it makes complete sense.

It can be used to certify data such as energy usage, emission readings and taxation, all of which needs to be accurate for obvious reasons.

It’s also ideal for making payment – hence its application with cryptocurrency.

Applying blockchain to fiat currency transactions will no doubt rankle with some in the cryptocurrency community as the security of crypto is one of its main attractions.

But there is no denying that it would solve a lot of problems.

For example, blockchain works by creating a never-ending list of linked records (the blocks). Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data.

Or to put it another way, a cryptographic record of information that can’t be (easily) hacked, with both a reference to the previous data and a date and time against it.

It also works on a consensus network, so changes are verified by and recorded across the network. That network can be composed of individuals or institutions, but that’s largely irrelevant; the point is that it’s a permanent and identical set of records.

Any transaction or change to a record would need to be approved by the network. This means anyone trying to hack a block and change the information would be wasting their time.

Because the block wouldn’t match any information across the network, it would be rejected.

The only way to verify an unauthorised change would be to take over the entire network. The effort required to both hack the blocks and take over a consensus network wouldn’t be worth the reward.
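To make the hash-chain and consensus argument above concrete, here is an added Python example (not code from the article, Aite Group or any real blockchain implementation). It builds a toy ledger whose blocks carry the previous block’s hash, a timestamp and transaction data, and shows three things: a block edited in place breaks the chain; an attacker who rewrites every later hash gets a self-consistent chain that the network still rejects because its history no longer matches the copies held by other nodes; and only a colluding majority of nodes can get the rewritten history accepted. The transactions, timestamps and five-node network are constructed sample data, and the majority-vote rule is a deliberately simplified stand-in for a real consensus protocol.

```python
"""Toy hash-chained ledger with a majority-vote acceptance rule.
Added example; all transactions, timestamps and node counts are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


@dataclass(frozen=True)
class Block:
    index: int
    timestamp: int   # constructed: seconds since epoch
    data: str        # transaction payload, e.g. "alice->bob:25"
    prev_hash: str   # hash of the previous block; this is the link

    def hash(self) -> str:
        # Every field is hashed, so changing any one of them changes the hash.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(transactions: List[str], start_time: int = 1_554_681_600) -> List[Block]:
    """Append one block per transaction, each linked to its predecessor."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, tx in enumerate(transactions):
        block = Block(index=i, timestamp=start_time + i, data=tx, prev_hash=prev)
        chain.append(block)
        prev = block.hash()
    return chain


def validate_chain(chain: List[Block]) -> bool:
    """Valid only if each block's prev_hash equals the hash of the block before it."""
    if not chain or chain[0].prev_hash != GENESIS_PREV:
        return False
    for prev, cur in zip(chain, chain[1:]):
        if cur.prev_hash != prev.hash() or cur.index != prev.index + 1:
            return False
    return True


def tamper(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Edit one block's data in place without touching the links (naive alteration)."""
    altered = list(chain)
    b = altered[index]
    altered[index] = Block(b.index, b.timestamp, new_data, b.prev_hash)
    return altered


def rewrite_history(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Alter one block AND recompute every later link, so the chain is self-consistent."""
    altered = list(chain[:index])
    prev = altered[-1].hash() if altered else GENESIS_PREV
    for b in chain[index:]:
        nb = Block(b.index, b.timestamp, new_data if b.index == index else b.data, prev)
        altered.append(nb)
        prev = nb.hash()
    return altered


def network_accepts(copies: List[List[Block]], proposed: List[Block]) -> bool:
    """Simplified consensus: a proposal is accepted only if it is internally valid and
    extends, by exactly one block, the chain that a majority of nodes currently hold."""
    if not validate_chain(proposed):
        return False
    base_head = proposed[-2].hash() if len(proposed) > 1 else GENESIS_PREV
    agreeing = sum(1 for c in copies if (c[-1].hash() if c else GENESIS_PREV) == base_head)
    return agreeing * 2 > len(copies)


def demo() -> dict:
    ledger = build_chain(["alice->bob:25", "bob->carol:10", "carol->alice:5"])
    nodes = [list(ledger) for _ in range(5)]            # five honest copies
    tip = ledger[-1]
    legit = ledger + [Block(3, tip.timestamp + 1, "alice->dave:2", tip.hash())]
    naive = tamper(ledger, 1, "bob->carol:1000")
    rewritten = rewrite_history(ledger, 1, "bob->carol:1000")
    rtip = rewritten[-1]
    rewritten_plus = rewritten + [Block(3, rtip.timestamp + 1, "alice->dave:2", rtip.hash())]
    colluding = [list(rewritten) for _ in range(3)] + [list(ledger) for _ in range(2)]
    return {
        "original_valid": validate_chain(ledger),             # True
        "naive_tamper_valid": validate_chain(naive),          # False: link to block 2 breaks
        "rewritten_valid": validate_chain(rewritten),         # True: attacker fixed the links
        "legit_accepted": network_accepts(nodes, legit),      # True
        "rewritten_accepted": network_accepts(nodes, rewritten_plus),      # False: history differs
        "majority_collusion_accepted": network_accepts(colluding, rewritten_plus),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the point the article makes about effort versus reward: a rewritten chain is only accepted once a majority of the nodes already hold the rewritten version, so the attacker has to control most of the network rather than one stored copy.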

The real benefit of all this is making payments incredibly streamlined, as any transaction would include details such as price, asset and ownership. It would then be recorded, verified and settled within seconds across all nodes in the network.

A verified change registered on any one ledger is simultaneously registered on all other copies of the ledger. Since each transaction is transparently and permanently recorded across all ledgers, open for anyone to see, there is no need for third-party verification.

Similarly, there is nothing of value within the record itself (like bank details) to make it worth hacking. Bank details are, at this stage, irrelevant. The change request and transfer of ownership would trigger a balance enquiry.

If the individual or business lacked enough funds, then the change request would be rejected. Otherwise, the transfer of ownership would happen instantly, with a record of that transfer being recorded across nodes in the network.

Bank details no longer need to be shared.

Of course, there is deep scepticism within the financial markets about the use of blockchain. Others are trying to determine how it can be applied to current systems.

Whichever way the market moves, there is no denying the potential applications. It would also reduce or even eliminate the threats posed by lax security, or possibly remove the need for it altogether.


KDC Resource are expert recruiters in cyber security and emerging technologies. If you’re looking for your next role, register your CV with us today or check out our latest vacancies.

If you’re looking to find leading cyber security talent, get in touch and we’ll be happy to support you.  
