Most finance apps are at high risk of cyberattacks, new report shows
In conjunction with the coronavirus pandemic, a parallel endemic of cyber attacks has risen over the past year and a half. This is especially true for mobile banking, which has come under threat as more and more digital transactions take place.
Unfortunately, banks and financial institutions may not be as prepared for these cybersecurity attacks as they should be. In fact, 81% of financial apps can leak data, according to the 2021 State of Mobile Finance App Security Report done by digital rights management firm Intertrust.
In addition, an estimated 77% of apps have at least one critical vulnerability that hackers could expose, the report says.
“As mobile finance apps increasingly enter people’s everyday lives, it’s vital to understand the security risks associated with these apps and the ways to help mitigate them,” said David Maher, Chief Technology Officer and Executive Vice President at Intertrust.
While mobile finance apps have shifted in recent years to become the norm for everyday banking, their cybersecurity efforts will have to keep up to ensure that customers are protected. Malware remains the greatest threat to these financial institutions. In 2020, more than 156,000 new mobile banking trojans were detected, per the Intertrust report, which doubled the 2019 figure.
Many of these malware attempts have directly taken advantage of the pandemic by disguising themselves as COVID-19 contact tracing apps. But when installed on a phone, they then gain control of a user’s banking app and reel in information like PIN and account numbers.
Other popular hacking methods have included targeting peoples’ cryptocurrency accounts. In one notable malware attack on crypto wallets, hackers set up an apparent cryptocurrency converter that was available to download on Google Play. They then used that to infect devices with the Cerberus trojan malware when downloaded, which is able to steal banking info, secretly survey phones and intercept communication.
There are thought to be hundreds of these fake cryptocurrency apps that steal users’ financial data once they are downloaded to a device.
These serious threats are not just limited to the Google Play store and Android. Intertrust’s report shows that 70% of finance apps on Apple’s iOS have at least one critical vulnerability. The bad news for Android fans, however, is that nearly every Android finance app (97.5%) had more than five security flaws, compared to less than a third of iOS banking apps with that many issues.
The most common vulnerabilities across devices include insecure data storage, insufficient cryptography and insecure communication.
The report also noted there are large discrepancies in the security of financial apps in different regions. Intertrust reports that the United Kingdom performed the best of any region measured when it comes to the cybersecurity of its banking apps. A mere 7% of UK financial apps had more than 10 vulnerabilities, compared to 38% of such apps in India and Southeast Asia, and 19% of U.S. finance apps.
Nearly half of payment apps tested are vulnerable to encryption key extraction, meaning that these apps can be hacked by cybercriminals, potentially exposing private data and confidential payment information.
“Poor financial app security puts both financial organizations and their customers at risk, especially given the rise in cyberattacks over the course of the pandemic,” Maher said. “This report shines a light on the ongoing threats and helps finance app vendors understand the importance of building in security mechanisms from day one.”
The report also delves into which type of finance apps are the most vulnerable. Intertrust found that banking apps had the most holes in their security frameworks than payment, investment or lending apps. Thirty-five percent of banking apps had more than 10 vulnerabilities and 81% had at least one critical security flaw. The most secure of these platforms were lending apps, largely because they are more limited in scope than traditional banking apps.
Intertrust’s report set out specific recommendations for developers of financial services mobile software. These recommendations include not storing sensitive data in insecure locations where it remains vulnerable to cybercrime. Instead, information should be protected using secure encryption tech or using strong data obfuscation technologies.
Adopting these strategies will be critical, as researchers in a separate report noted that phishing attempts against apps in the financial sector jumped by 125% in 2020. Beyond the financial losses, financial institutions face massive blemishes on their reputation while trying to compete in an industry that is driven by consumer trust.
The Intertrust report studied 160 publicly available mobile finance applications between iOS and Android devices in the U.S., the UK, the European Union and India. Among those, it analyzed apps dealing with the major financial sectors of payments, banking, investment trading, and lending. Intertrust used an array of techniques based on the OWASP (Open Web Application Security Project) mobile app security guidelines to perform the analysis.
You can see the full Intertrust 2021 State of Mobile Finance App Security Report here.
Disclosure: The article mentions a client of an Espacio portfolio company.