Mobile Banking Apps – the Digital Threats to Banks

Ben Harknett, VP EMEA, RiskIQ

A report from the British Bankers Association found that the use of desktop internet banking fell for the first time in 2016, with many people now opting for mobile apps to do their banking. Living in such a fast-paced, connected generation, it is becoming second nature to turn to our mobile apps for convenience and efficiency.

 This growing reliance comes with expectancy that organisations have measures to protect the digital existence of its valued customers. All technology, however, has potential risks and it is becoming more crucial than ever that organisations know how to protect against these, particularly when it comes to the existence of malicious apps.

 In August this year, RiskIQ undertook a review of mobile apps owned by, or leveraging brands of 45 top UK companies. It revealed that the number of malicious apps in the UK has grown by 130% since 2015. These malicious apps include unofficial mobile apps posing as a brand but actually developed to steal valuable data and ultimately money.

 Where official apps, which are available through official app stores, go through rigorous testing from a functionality, performance and security perspective, as well as being continually monitored post-release to maintain the most secure user experience; unofficial versions are becoming more common through unofficial app stores or through links leading directly to an app which may be leveraging a brand.

With the demand for immediacy when it comes to online banking, and with the tactics of cyber-criminals becoming increasingly sophisticated, what can banks be doing to help protect customers, the business and reputation?

Our research actually shows that despite the banking industry maintaining tight control on apps appearing in unauthorised app stores, it is still experiencing the biggest growth in these apps compared to other industries.

Organisations must educate customers to ensure that when they are downloading any apps they are not only from trusted stores, such as Google Play or the Apple App Store, but also to scrutinise the information about the app before downloading. Unfortunately, it’s not uncommon for people to blindly click accept on terms and conditions before even reading past the first sentence. When this happens with a copycat or compromised app it’s pretty much guaranteed that the information being siphoned will be used for malicious purposes and more often than not, for fraud. Key questions customers should ask are: does the developer name look valid, is the app rated and if so is the rating good, how many people have downloaded the app, etc. During installation they should pay attention to what permissions are being requested and whether they are reasonable for the app in question and spend some time reviewing the license agreement, paying particular attention to how collected data will be used.

 Banks themselves must combat mobile threats by monitoring where their apps are located across the hundreds of different app stores, ensuring they are only in their approved stores list. They also need to continuously monitor for instances of impersonation or claimed affiliation across that same app store ecosystem and have offending apps taken down in a timely manner. Regardless of whether the company owns or is aware of these rogue apps, when customers experience their data being stolen and used maliciously, they become a victim and blame immediately falls on the doorstep of the organisation itself. Acting proactively will help to protect not only the reputation of the organisation, but its confidential data and that of its customers.

Ben Harknett, VP EMEA, RiskIQ

A report from the British Bankers Association found that the use of desktop internet banking fell for the first time in 2016, with many people now opting for mobile apps to do their banking. Living in such a fast-paced, connected generation, it is becoming second nature to turn to our mobile apps for convenience and efficiency.

 This growing reliance comes with expectancy that organisations have measures to protect the digital existence of its valued customers. All technology, however, has potential risks and it is becoming more crucial than ever that organisations know how to protect against these, particularly when it comes to the existence of malicious apps.

 In August this year, RiskIQ undertook a review of mobile apps owned by, or leveraging brands of 45 top UK companies. It revealed that the number of malicious apps in the UK has grown by 130% since 2015. These malicious apps include unofficial mobile apps posing as a brand but actually developed to steal valuable data and ultimately money.

 Where official apps, which are available through official app stores, go through rigorous testing from a functionality, performance and security perspective, as well as being continually monitored post-release to maintain the most secure user experience; unofficial versions are becoming more common through unofficial app stores or through links leading directly to an app which may be leveraging a brand.

With the demand for immediacy when it comes to online banking, and with the tactics of cyber-criminals becoming increasingly sophisticated, what can banks be doing to help protect customers, the business and reputation?

Our research actually shows that despite the banking industry maintaining tight control on apps appearing in unauthorised app stores, it is still experiencing the biggest growth in these apps compared to other industries.

Organisations must educate customers to ensure that when they are downloading any apps they are not only from trusted stores, such as Google Play or the Apple App Store, but also to scrutinise the information about the app before downloading. Unfortunately, it’s not uncommon for people to blindly click accept on terms and conditions before even reading past the first sentence. When this happens with a copycat or compromised app it’s pretty much guaranteed that the information being siphoned will be used for malicious purposes and more often than not, for fraud. Key questions customers should ask are: does the developer name look valid, is the app rated and if so is the rating good, how many people have downloaded the app, etc. During installation they should pay attention to what permissions are being requested and whether they are reasonable for the app in question and spend some time reviewing the license agreement, paying particular attention to how collected data will be used.

 Banks themselves must combat mobile threats by monitoring where their apps are located across the hundreds of different app stores, ensuring they are only in their approved stores list. They also need to continuously monitor for instances of impersonation or claimed affiliation across that same app store ecosystem and have offending apps taken down in a timely manner. Regardless of whether the company owns or is aware of these rogue apps, when customers experience their data being stolen and used maliciously, they become a victim and blame immediately falls on the doorstep of the organisation itself. Acting proactively will help to protect not only the reputation of the organisation, but its confidential data and that of its customers.