Cyber Liability Insurance: Analysis Finds Security Gaps in Mobile Banking Apps

Stronger Security Protocols Needed, Cyber Insurance Key

There’s an app for everything now, simplifying our fast-paced lives so we can get things done more efficiently. The banking industry certainly has taken the lead on this with financial institutions giving consumers the ability to make check deposits, transfer money to other accounts, pay bills and much more – all on our smartphones and tablets. But how secure is the data on these mobile banking apps? And what type of cyber liability exposures and privacy issues do financial institutions face as a result of potential security breaches from mobile apps?

“With the increasing applications for smartphones, basically hackers are changing their focus on smartphones and tablets,” said Nima Dezhkam, principal consultant of Security Compass. “This is inevitable.” The problem, however, according to Dezhkam, is that mobile apps tend to value convenience over security. That translates to caching of sensitive information, less complex passwords and fewer authentication steps. “Antivirus software is not as common on mobile devices. And as people conduct more transactions through phones, the devices attract greater interest from virtual bank robbers,” said Dezhkam.

In fact, this month, authorities discovered a major security threat to mobile banking when malware called Svpeng made its way from Russia into the United States. Once it infects a device, Svpeng looks for banking apps, then locks the device and demands $200 to $300 to unlock it.

What’s more, a security analysis conducted earlier this year of mobile banking apps for iOS devices (Apple products, such as the iPhone and iPad) from 60 financial institutions worldwide revealed serious vulnerability to attackers and exposure of sensitive information. According to an article in PC World, security firm IOActive looked at how banking apps communicated with servers, the way in which data was stored, whether the data was compiled with security options and what information was exposed through logs. They also looked at vulnerabilities in the code that apps used.

The research surprisingly found that all tested applications could be installed and run on jailbroken devices. Jailbreaking refers to the process of changing the operating system running on an iPhone, iPod touch, or iPad to allow the user greater control over their device, including the ability to remove Apple-imposed restrictions and install apps and other content through means other than the official App Store. This is a real security risk, as on a jailbroken device restricted resources can be accessed from other apps running on the device.

The analysis also revealed that while mobile banking apps typically use SSL encryption for sensitive communications, in 90% of the tested apps several non-encrypted connections were initiated during their operation. That means, for example, that hackers who are able to intercept traffic on an insecure wireless network can inject JavaScript or HTML code to display fake login prompts to the app’s user. The analysis, according to PC World, also revealed that even when using encryption, 40% of the tested apps did not validate the authenticity of digital certificates they received from the server. This makes them vulnerable to “man-in-the-middle” attacks using fake certificates.

The researchers at IOActive recommend that developers of these banking applications ensure that all connections are made using secure transfer protocols, enforce SSL certificate validation, encrypt sensitive data stored by the applications by using the iOS data protection API, and improve jailbreaking detection, among other measures.

The banking industry, while delivering convenience to its customers, must do all it can to protect their data and the transactions taking place. In addition to securing their mobile apps, financial institutions should secure a comprehensive cyber liability insurance program to protect themselves in the event of a breach.

Axis Insurance Services specializes in providing cyber insurance for a wide range of industries. We would be happy to discuss your insurance program and how best to protect against security exposures. Give us a call at (877) 787-5258.

 

 

Source: PC World, AppStorm, The Pittsburgh Tribune-Review

Blogged on: July 1, 2014 by Mike Smith