A University of Maryland study found that internet-connected computers are attacked on average every 39 seconds, roughly 2,244 times a day. According to Accenture's cost-of-cybercrime report, the average annual cost of cyber attacks for a single banking company reached $18.3 million in 2018. Despite this, financial apps are selling like hotcakes. People like to manage their money on the go and want to do it without risk. If you are going to launch a fintech app, you need to make it safe. In this post, we will name the weakest points of software development and share our experience in building a secure fintech app.
Where does the danger come from?
There are three levels at which cybersecurity issues appear: the device, the data in transit, and the server.
At the device level, attackers gain access to sensitive records on the phone, tablet, or any other device. Most often, they do it via a poorly coded app. Take, for example, Nissan Connect. No offense, but their app requests android.permission.GET_ACCOUNTS and sends data over plain HTTP. GET_ACCOUNTS lets the app enumerate the accounts registered on the device, such as Gmail or Twitter accounts. When this data goes over HTTP, anyone on the network path (a public Wi-Fi operator, an ISP, or an attacker with a rogue access point) can read, record, and modify the traffic.
At the transit level, attackers intercept data while it is being transferred. Most apps interact with many other services. For example, a fintech app contacts the bank server to refresh a card balance or to make a money transfer. If this data goes over an unprotected protocol, or is unencrypted or poorly encrypted, it takes nothing to steal or alter it.
At the server level, unauthorized users reach data in the cloud or on the app server. They usually do it through backend APIs with security flaws. It is also easy to break into a system whose admins keep the default passwords on the CMS or admin panel, or choose weak ones. Once inside, attackers can copy, modify, and replace records directly in the bank's database.
What are the cybersecurity threats?
Now that you know where the danger comes from, let's take a look at real-life examples of financial cyber attacks.
A trojan is malicious code that hides inside an app that looks legitimate and steals sensitive data. In 2015, Lookout spotted Bancmarstealer, an Android trojan that targeted customers of nearly 600 financial institutions around the world. Two years later, it resurfaced. The trojan pretends to be a legitimate banking app and steals the user's credentials by abusing legitimate features of the Android system.
Deep attacks, attacks on the app's own code, change the way the application works. WhatsApp recently suffered such an intrusion: a flaw in the app let attackers run their own code on the phone, in an app with more than a billion users. It means they reached the camera, microphone, location, photos, and other private data on users' devices.
Keyloggers and screenloggers, in contrast to code attacks, do not penetrate the app. Instead, they sit on the device and watch everything that happens on it. As soon as the user launches a banking app, they start recording keystrokes and screen contents.
Accessibility Framework attacks abuse the accessibility services of the operating system, which are designed to let assistive apps read the screen and perform taps on the user's behalf. The purpose of such a bank cyber attack is to pretend to be a real user: the malware grants itself permissions and changes the phone setup, for example by disabling security settings, without the user touching the screen.
Overlay attacks draw a so-called layer, a fake window, on top of a valid app. The user sees what looks like the banking app's login screen and types credentials into the overlay instead, or is tricked into approving a permission or a settings change. As a result, the device remains unprotected, and the malicious software gains access to personal data.
How to build advanced mobile security?
Now, let’s see what you can do to protect your app. Here are ten steps that will make your app safe:
First of all, it concerns the choice of a cloud provider. At Softensy, we give priority to AWS. With its enterprise cloud, we have successfully launched many projects. AWS has a mature system of protection against DDoS attacks (AWS Shield), and it provides fast disaster recovery in case of failures.
In addition to a reliable cloud, your infrastructure should contain the following:
- Immediate OS updates. Use a managed update channel, such as Windows Server Update Services (WSUS) from Microsoft or the yum/dnf tooling (the successor of up2date) on Red Hat, so you don't miss an important patch.
- A separate partition for web files. It keeps the web root away from system files and password stores, so a path-traversal or file-upload bug in the app cannot reach them. Note that it does not prevent application-layer attacks such as Cross-Site Scripting (XSS) or injection; those have to be fixed in the code.
- A TLS certificate for HTTPS. Today, encrypted transport is the primary layer of protection: browsers warn users about plain-HTTP sites, and both Android (since version 9) and iOS (App Transport Security) block cleartext traffic from apps by default.
A thought-out app logic
App logic is what a program does from a user's perspective. The business logic of mobile banking covers managing personal finances: sending money, making purchases, topping up an account, updating the balance, and so on. To implement security in a banking app, you should apply specific measures at each step of app usage. Here is what you can do:
- Store only essential data. For example, a payment-provider token for the billing method is enough to make a payment. There is no need to keep the card number on your servers, which also keeps most of your system out of PCI DSS scope.
- Assign roles and permissions. Define features that are not accessible to all users, and enforce this on the server with an RBAC or ACL model, never only in the app's UI.
- Deny weak passwords. Require at least eight characters and check new passwords against lists of known breached passwords. Current NIST guidance (SP 800-63B) advises against mandatory letter/number/case composition rules and against forced periodic changes; require a change only when there is evidence of compromise.
- Set up multi-factor authentication. Ask the user to confirm a login or transaction with a one-time code from an authenticator app or a hardware token. SMS codes are better than nothing, but they can be intercepted through SIM swapping, so prefer stronger factors for high-value operations.
- Log transactions. If you detect a suspicious one, block it and alert the user.
You need to set up tooling that will quickly identify flaws in your code. There are plenty of tools for automated code vulnerability analysis on the market. For example, static analysis tools such as SonarQube or Veracode support many programming languages and do their job pretty well.
Here are a few more tips to keep your code safe:
- validate all input values on the server, not only in the app
- review any information that you send to external sources
- be careful when granting rights to third-party applications and SDKs
- defend against SQL injection by using parameterized queries
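The input-validation and SQL-injection tips above, as an added example that is not Softensy's code: an in-memory SQLite table with constructed sample accounts, the injectable string-built query next to the parameterized one, and a server-side validator for a transfer request. The owner-name format and the per-transfer ceiling are assumptions for the example.

```python
# Added example (not Softensy's code): SQL injection, its fix, and input validation.
import re
import sqlite3
from decimal import Decimal, InvalidOperation
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance_cents INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (id, owner, balance_cents) VALUES (?, ?, ?)",
        [(1, "alice", 120_00), (2, "bob", 50_00), (3, "carol", 999_99)],  # constructed data
    )
    return conn

def balance_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    # VULNERABLE: the value is pasted into the SQL text, so an owner such as
    # "x' OR '1'='1" rewrites the WHERE clause and returns every account.
    sql = f"SELECT owner, balance_cents FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()

def balance_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    # FIXED: the driver sends the value separately from the SQL text, so it is
    # never parsed as SQL, whatever it contains.
    return conn.execute(
        "SELECT owner, balance_cents FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()

OWNER_RE = re.compile(r"^[a-z0-9_]{3,32}$")   # assumption: allowed owner-name format
MAX_CENTS = 1_000_000_00                       # assumption: per-transfer ceiling

def parse_transfer(owner: str, amount: str) -> Tuple[str, int]:
    """Validate client input on the server before it reaches business logic.
    Money is handled as integer cents; floats would silently round."""
    if not OWNER_RE.match(owner):
        raise ValueError("invalid owner")
    try:
        value = Decimal(amount)
        if not value.is_finite() or value != value.quantize(Decimal("0.01")):
            raise ValueError("amount must have at most two decimals")
    except InvalidOperation:
        raise ValueError("invalid amount") from None
    cents = int(value * 100)
    if cents <= 0 or cents > MAX_CENTS:
        raise ValueError("amount out of range")
    return owner, cents
```

Run the two balance functions with the owner "x' OR '1'='1": the vulnerable one returns all three accounts, the parameterized one returns nothing. The validator rejects names that do not match the allowed format and amounts with more than two decimals, so malformed input never reaches the query or the ledger.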
Kaspersky claims that 52% of business owners think their employees are the weakest spot in online banking security. Ignoring the human factor is a huge mistake. People often make configuration errors, lose their phones, or click on malicious links. To minimize the risk, do the following:
- follow the ISO 27001 standard
- establish security policies and guidelines in your company
- back up important data and test that the backups restore
- set up the duties and area of responsibility of each employee, granting only the access the role needs
- simulate worst-case situations and rehearse how you will handle them
- sign non-disclosure agreements with staff members
Security testers should work through not only standard user scenarios but also unexpected actions. A common practice is to run simulated attacks (penetration tests) to see how the application responds.
At Softensy, we follow the guidelines of the Open Web Application Security Project (OWASP). They recommend testing the following aspects to cover the gaps in bank cyber security:
- app configuration
- security policy
- session management
- user input
- error processing
- business logic
- client-side vulnerabilities
The mobile application interacts with the backend through an API. In general, we lean on three pillars of API security: identification, authentication, and authorization.
- Identification occurs when the user claims an identity, for example by entering a login or username.
- Authentication occurs when the user proves that identity, for example with a password or a fingerprint. To strengthen it, add a second factor (two-factor authentication).
- Authorization takes place when the system decides what the authenticated user may do. Define the zones of the app that each user can access, and check on every API call that the user actually owns the account or record they are asking for.
You need to take care of each of them, but you may also delegate identity management to specialized services such as Auth0.
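The three pillars in working form, as an added example that is not Softensy's or Auth0's code: the backend issues a short-lived HMAC-signed bearer token after authentication, verifies it on each call, and then performs an object-level authorization check that the caller owns the account (or has the support role). The signing key, the 15-minute lifetime, the role names, and the account-owner table are assumptions for the example; in production the key comes from a secrets manager and the owner lookup from the database.

```python
# Added example (not Softensy's code): HMAC-signed API token plus an
# ownership check on every request. SERVER_KEY and ACCOUNT_OWNERS are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import List, Optional

SERVER_KEY = b"example-key-rotate-me"  # assumption: from a secrets manager in production

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, roles: List[str], ttl: int = 900,
                now: Optional[int] = None) -> str:
    """Token = base64(claims) '.' base64(HMAC-SHA256(claims)). Short TTL limits replay."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "roles": roles, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims

ACCOUNT_OWNERS = {"acc-1": "alice", "acc-2": "bob"}  # constructed data

def get_statement(token: str, account_id: str, now: Optional[int] = None) -> str:
    """Authentication (valid token) followed by authorization (ownership or role)."""
    claims = verify_token(token, now)
    if claims is None:
        return "401 unauthenticated"
    owner = ACCOUNT_OWNERS.get(account_id)
    if owner is None:
        return "404 not found"
    if owner != claims["sub"] and "support" not in claims["roles"]:
        return "403 forbidden"  # blocks access to other customers' accounts
    return f"200 statement for {account_id}"
```

The ownership check in get_statement is the step most often missing in fintech APIs: a valid token proves who the caller is, not that the account in the URL belongs to them. Splicing one user's claims onto another user's signature fails verification because the HMAC covers the whole payload.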
The moment of data transfer is a very vulnerable place: at this point, attackers can steal vital records. To avoid such situations, encrypt the data you transfer and the data you store. There are many cryptographic techniques; they are grouped into shared-key (symmetric) and public-key (asymmetric) algorithms. Depending on the amount of data, the required simplicity, and the speed of the algorithm, you have a lot of options to choose from.
NIST, the US standards body, maintains the list of approved algorithms and their parameters, such as key length and mode of operation. One of the simplest and fastest shared-key algorithms is AES, available in every standard crypto library; use it in an authenticated mode such as GCM rather than implementing it yourself. For public-key cryptography, elliptic-curve algorithms (ECC) may be your choice.
According to US regulations, you should encrypt the following data:
- Personal information (name, date of birth, address, social security number)
- Transaction data (account ID, shopping history, credit card payments)
- Financial data (reports, bills, payslips)
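Encrypting the record categories above at the field level, as an added example that is not Softensy's code: AES-256-GCM through the `cryptography` package, with the record id bound as associated data so a ciphertext cannot be moved to another customer's row without failing the integrity check. The 256-bit key, the customer record, and the list of sensitive fields are constructed for the example; in production the key lives in a KMS or HSM.

```python
# Added example (not Softensy's code): AES-256-GCM field-level encryption.
# Requires the `cryptography` package. Key handling and SAMPLE are assumptions.
import os
from typing import Any, Dict
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

SENSITIVE_FIELDS = ("name", "date_of_birth", "address", "ssn", "account_id")

def encrypt_record(key: bytes, record_id: str, record: Dict[str, Any]) -> Dict[str, Any]:
    """Encrypt the sensitive fields of one record. A fresh 96-bit nonce per field
    is stored in front of the ciphertext; the record id goes in as associated
    data, so the same ciphertext will not decrypt under another record id."""
    aead = AESGCM(key)
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            nonce = os.urandom(12)  # never reuse a nonce with the same key
            ct = aead.encrypt(nonce, str(out[field]).encode(), record_id.encode())
            out[field] = (nonce + ct).hex()
    return out

def decrypt_record(key: bytes, record_id: str, stored: Dict[str, Any]) -> Dict[str, Any]:
    """Inverse of encrypt_record. Raises ValueError if a field was tampered with
    or was copied from a record with a different id (the GCM tag check fails)."""
    aead = AESGCM(key)
    out = dict(stored)
    for field in SENSITIVE_FIELDS:
        if field in out:
            blob = bytes.fromhex(out[field])
            try:
                out[field] = aead.decrypt(blob[:12], blob[12:], record_id.encode()).decode()
            except InvalidTag:
                raise ValueError(f"{field}: integrity check failed") from None
    return out

SAMPLE = {  # constructed customer record
    "name": "Jane Doe",
    "date_of_birth": "1985-04-12",
    "address": "1 Example St",
    "ssn": "123-45-6789",
    "tier": "gold",  # not sensitive, stays in clear so it can be indexed
}
```

GCM gives you confidentiality and integrity in one step, which is why the decrypt function can detect both a modified ciphertext and a ciphertext swapped between customers. Keep the encryption key out of the database that holds the ciphertexts; otherwise a single SQL injection hands an attacker both.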
Block the payment feature if the user's behavior seems suspicious: an unusually expensive purchase, or a withdrawal in an unusual place. Don't forget that you act on behalf of the user, so try to determine as soon as possible who made the transaction. To do this, a bank employee can contact the cardholder by phone, or the app can ask for a step-up verification. If the user confirms the deal, unblock payments immediately.
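The blocking logic described above, as an added example that is not Softensy's code: a small rule engine over a customer's recent transactions that holds a payment when the amount or the location is out of the ordinary, and a gate that keeps further payments blocked until the cardholder confirms. The transaction history, the 5x-median rule, and the hard limit are constructed assumptions; a real system tunes them per customer segment and adds more signals.

```python
# Added example (not Softensy's code): rule-based fraud hold and release.
# Thresholds and the sample history are assumptions for the example.
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Tx:
    amount: float   # in the account currency
    country: str    # ISO country code of the merchant or ATM

def assess(history: List[Tx], new: Tx, factor: float = 5.0,
           hard_limit: float = 5000.0) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("hold", reason). A hold means: block the
    payment and verify with the user before charging."""
    if new.amount >= hard_limit:
        return "hold", f"amount {new.amount:.2f} is over the hard limit"
    if history:
        typical = median(t.amount for t in history)
        if new.amount > factor * typical:
            return "hold", f"amount {new.amount:.2f} is over {factor:.0f}x the typical {typical:.2f}"
        if new.country not in {t.country for t in history}:
            return "hold", f"first transaction in {new.country}"
    return "allow", None

class PaymentGate:
    """Blocks further payments for a user after a hold until someone (the
    cardholder by phone, or a step-up check in the app) confirms it."""

    def __init__(self) -> None:
        self.held: Dict[str, str] = {}
        self.history: Dict[str, List[Tx]] = {}

    def charge(self, user: str, tx: Tx) -> str:
        if user in self.held:
            return "blocked: pending confirmation"
        decision, reason = assess(self.history.get(user, []), tx)
        if decision == "hold":
            self.held[user] = reason  # log it and alert the user here
            return f"held: {reason}"
        self.history.setdefault(user, []).append(tx)
        return "charged"

    def confirm(self, user: str) -> None:
        """Cardholder confirmed the transaction: unblock immediately."""
        self.held.pop(user, None)
```

With four small purchases in Poland on record, a 50 payment at home is allowed, a 300 payment is held as more than five times the typical amount, and the first payment from another country is held as a location change. After the hold, every charge for that user is blocked until confirm() is called, after which the client retries the payment. Only successful charges are added to the history, so a held transaction never raises the customer's baseline.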
Most users do not know how a fintech app collects and sends data. Share that information: add a link to the documentation or create a FAQ, and tell users what to do to prevent fraud. Among other things, advise the following:
- Download apps only from official stores, where they are checked before being put on the "shelves."
- Do not save the password on the device from which you log in.
- Avoid using the application on public Wi-Fi.
- Do not use jailbroken or rooted phones.
- Install antivirus.
Adhering to security in financial services
Technologies are growing and improving, and so are cyber attacks on banks. To create a secure application, you should stay up to date and be aware of the latest developments. At Softensy, we always keep an eye on the trends in the fintech industry. If you have additional information on the subject, share it with us in the comments.