The growing mobile ownership rate, the emergence of more user-friendly banking apps, the tech-native younger generation, and, of late, the pandemic-induced shift to online, all create a fertile ground for mobile banking.

Unfortunately, the acceleration of banking app adoption today goes hand in hand with the increase of targeted security threats. In 2022, a month wouldn’t go by without a headline-making mobile banking attack or incident that resulted in stolen funds and sensitive personal information from thousands of users.

Security as an afterthought 

Nevertheless, a fair share of BFSI companies persists to treat security as an afterthought during and after mobile banking app development.

The 2021 State of Mobile Banking App Security report shows that 82% of enterprise executives consider mobile channels important. However, 39% of respondents did not run any vulnerability analysis or penetration tests on their mobile solutions.

Five-step guide

Neglecting a banking app’s security is a dead-end track that leads to severe financial repercussions

In the turbulent threat landscape of today, neglecting your banking application’s security is a dead-end track that leads only to severe financial and reputational repercussions.

Being banking software developers with a long-standing experience in cybersecurity, we devised a five-step guide to help financial institutions build shell-proof mobile banking apps, maintain them this way, and safeguard customers from mobile security troubles.

#1: Test security throughout SDLC and beyond

The safety of mobile banking is a subject of many regional and industrial standards, so companies traditionally design the security architecture of their apps around these guidelines and call it a day.

While regulatory compliance is vital, financial institutions often mistakenly bank on it alone and perform security-related activities late in the SDLC. As a result, there is a good chance pre-release quality assurance (QA) can discover deeply ingrained security flaws that will require fundamental corrections. What’s even worse, if the QA fails to do so, the app will be released with inherent vulnerabilities.

Threat modeling 

Engineers should not only implement security controls into the source code but also review it for bugs and flaws

The best way to make an app safe by design is to integrate security testing into the development lifecycle. At the start of the project, the team needs to explore relevant external and internal threats and, drawing on the analysis, specify security requirements for the application alongside functional and performance ones.

At the design stage, it’s a great practice to perform threat modeling, as it allows developers to understand which elements of the app require protection most and what security controls will fit the purpose. Also, during the application development, engineers should not only implement security controls into the source code but also review it for bugs and flaws at each iteration. Thus, all vulnerabilities are rooted out immediately, before the app goes to production.

#2: Implement a strong authentication layer

Access control is the foundation of security, and mobile banking is no exception. By equipping an app with a proper authentication mechanism, banks ensure that only the customer is allowed to view and manage their personal funds, while third parties, malicious and not, are kept out, thus eliminating the risk of unauthorised access.

Despite remaining a predominant user authentication method, passwords have long been showing their insufficiency in the modern threat landscape.

Two-factor or biometric authentication

Relying on physiological human characteristics to identify a person is highly accurate and spoof-proof

Two-factor authentication, on the other hand, has many uses in the financial industry, and app user verification is one of them. Requiring two separate forms of identification, commonly a password and a single-use code sent via SMS, push notification, or email is still a much stronger secure option than passwords.

Biometric identification is an authentication technology that gained traction only recently, but its efficiency propelled its adoption as a verification method in mobile apps across industries, with finance leading the way. Relying on physiological human characteristics, such as fingerprints, facial features, voice, or iris to identify a person, the technology is highly accurate and spoof-proof.

#3: Encrypt user data and communications

Financial institutions are no strangers to encryption. Most banks today leverage the virtually unbreakable 256-bit advanced encryption standard (AES) or equivalent methods to make customers’ personal and payment information inaccessible to unauthorised parties.

Needless to say, a mobile banking app should incorporate similarly robust encryption mechanisms to protect user data. It can be the customary AES, but it can also be another encryption technology that fits the app’s specifics better.

Transport Layer Security protocol

It’s necessary to bake in specialised encryption mechanisms for securing app-to-device communication

It is also important to secure the traffic between the app and the server, and the Transport Layer Security protocol (TLS) fits the bill here. Things can get more challenging if you plan on integrating your mobile app with wireless BLE and IoT technologies for proximity-based marketing, in-branch experience personalisation, and wayfinding.

In this case, it’s necessary to bake in specialised encryption mechanisms for securing app-to-device communication and ward off man-in-the-middle attacks.

# 4: Integrate in-app protection   

In recent years, due to the growth of malware targeting applications, bank customers were increasingly plagued with malicious software of all stripes. Of course, these days, there is strict oversight over financial cybercrime, and specialised law enforcement together with private-sector IT specialists usually take prompt measures to disarm emerging malware.

Nevertheless, considering the steadily growing adoption of mobile banking, malicious software targeted at new apps will continue surfacing monthly while the existing scripts will be upgraded to circumvent dedicated safeguards.

In-app protection

By relying on in-app protection, banks can efficiently shield their app from emerging attacks

To be a step ahead of the attackers, financial institutions need to embrace a more comprehensive approach and consider bolstering source-code security controls with robust in-app protection features. Designed by cybersecurity tech companies, in-app protection is a set of tools that can be easily integrated into an application.

These solutions typically include mechanisms for security monitoring and malware detection, network connection manipulation, and external tampering that vendors update on a regular basis. Thus, by relying on in-app protection, banks can efficiently shield their app from emerging attacks.

#5: Raise customers’ security awareness

Regrettably, after the release, your mobile banking app’s security is not completely in your hands. Users' poor choices can easily obliterate all the efforts towards building and maintaining the solution impregnable.

Some can turn off biometric authentication if they see no point in it, while others can click on a phishing link because it is sent from a domain looking just like yours. Hence, it’s not enough to deliver a highly protected mobile banking solution, you should also teach users how to render their app experience safe.  

Security education 

Banks need to educate their customers about the benefits and dangers of trusting third parties with app credentials

First and foremost, banks need to educate their customers about good mobile banking security habits, from the importance of strong passwords and the benefits of two-factor or biometric authentication to the dangers of trusting third parties with app credentials and using public networks when conducting financial operations.

However, banks should present this information in a detailed but engaging way, for example through short posts or animated videos, otherwise, there are a high chance customers will not bother to pay heed to it. 

Stay alert to stay secure

Over the recent years, mobile banking has burgeoned, but with this growth came a whole new set of threats, exploiting apps’ inherent vulnerabilities, loose security controls, and customer unawareness, with the burden of warding them off falling on their owners.

The battle for mobile banking security is ongoing, and to win it, banks need to respect security basics while also remaining open and flexible regarding emerging security tech.

Download PDF version Download PDF version

Author profile

Roman Davydov Ecommerce Technology Observer, Itransition

In case you missed it

Anviz Global expands palm vein tech for security
Anviz Global expands palm vein tech for security

The pattern of veins in the hand contains unique information that can be used for identity. Blood flowing through veins in the human body can absorb light waves of specific wavelen...

Bosch sells security unit to Triton for growth
Bosch sells security unit to Triton for growth

Bosch is selling its Building Technologies division’s product business for security and communications technology to the European investment firm Triton. The transaction enc...

In age of misinformation, SWEAR embeds proof of authenticity into video data
In age of misinformation, SWEAR embeds proof of authenticity into video data

The information age is changing. Today, we are at the center of addressing one of the most critical issues in the digital age: the misinformation age. While most awareness of thi...

Quick poll
What is the most significant challenge facing smart building security today?