Mobile applications play an increasingly important role in our lives -- and the current global lockdown due to the COVID-19 situation has led to a surge in the download of financial technology or fintech apps. According to research by the deVere Group, the coronavirus pandemic has fuelled a massive 72% rise in the use of fintech apps in Europe. But while this spike in adoption and usage provides encouraging news for the fintech industry, these mobile apps also attract real threats, with hackers looking for new ways to bypass software defences or to exploit security vulnerabilities.
To retain their expanding base of new users, fintech companies must therefore adopt strong security practices, to ensure the financial integrity of their mobile apps and underlying infrastructure, and to preserve the integrity of their own brand reputations. This is imperative for them if they wish to maintain customer trust. And the only way for fintech operators to achieve this is by understanding the risks involved, and the best methods of managing and mitigating them.
With the coronavirus now having infected millions of people worldwide, quarantine and precautionary lockdown measures are forcing many individuals to have to conduct their daily business online. Fintech mobile apps are a convenient and readily accessible tool for this, and the upsurge in their use observed by deVere is being mirrored elsewhere. For example, one gold-purchasing app reported a 718% increase in its traffic during a single week in March, and through its app, a bank in the Philippines has been recording more than double the usual number of registrations for its online banking service.
Open banking APIs (application programming interfaces) are changing the fintech space by giving consumers more choice in how they manage their finances. Measures like PSD2 (a European regulation for electronic payment services) are having similar effects, by giving third party service providers access to bank infrastructure. However, with increasing numbers of consumers accessing their financial data through third party services, the attack surface available to bad actors is also expanding.
A recent study by ImmuniWeb reveals that, despite being well-funded, 98% of the world’s top 100 fintech startups are vulnerable to web and mobile application attacks. 100% of them have security, privacy, and compliance issues relating to abandoned or forgotten web applications, application programming interfaces (APIs) and sub-domains. All of the fintech mobile apps tested in the research contained at least one security vulnerability of medium risk, while 97% have at least two medium or high-risk vulnerabilities.
In the initial stages of their development, fintech organisations are often able to create new products and solutions at high speed, because they’re unburdened by complex IT infrastructure or data governance requirements. But as they mature and gain wider integration with the affairs of their consumers -- especially through vehicles like mobile apps -- an expanding base of customer data and assets marks fintech operators out as tempting targets for cyber criminals.
A number of security vulnerabilities have been identified in both fintech startup and banking applications, which include the following:
Malicious actors can exploit vulnerable code as an entry point to a fintech app’s infrastructure and network. The ImmuniWeb research indicates that 56% of fintech mobile app backends have serious misconfigurations or privacy issues related to SSL/TLS configuration, and insufficient web server security hardening.
Fintech mobile apps frequently rely on third party services and solutions -- often several at a time. Systems designed and operated by different developers can create compatibility issues and challenges to cyber security, increasing the attack surface, and making it difficult to identify all potential sources of vulnerability.
Many fintech operators use cloud services to provide regular, scalable performance at a lower cost. With large volumes of data moving across different cloud platforms, administrators may have difficulty maintaining visibility and governance across the various distributed environments.
The Account Information Services (AIS) section of PSD2 allows for the collection and storage of information from a customer’s different bank accounts in a single place, allowing customers to have a global view of their financial situation, and easily analyse their expenses and financial needs. Its Payment Initiation Services (PIS) help to initiate payments from consumer accounts to a merchant’s account by creating a bridging interface that fills in the information needed for the bank transfer (amount of the transaction, account number, messages, etc.) and informs the merchant of the transaction.
PSD2 also allows clients to make payments to a third party from a fintech mobile app using any of the client’s accounts, whether or not those accounts are held with the operator of the app.
All such operations impose compliance requirements on fintech app operators, as do transactions under GDPR (which requires consumer consent for data sharing among providers) and other regulatory regimes. Managing and meeting these demands may constitute a governance and security headache for fintech operators, especially startups, who may not have access to large security teams or experts.
Users of fintech mobile apps must typically access the various services provided by the platform using mobile device authentication and authorisation. If unprotected or poorly implemented, these mechanisms can provide opportunities for malicious actors to clone digital identities, and gain access to customer data or assets.
Fintech organisations looking to distribute or manage mobile apps should keep a comprehensive and up-to-date inventory of all software, components, and data assets located in their external attack surface. These assets should be ranked according to their threat level and priority, to enable security managers to map out actionable strategies for risk assessment and remediation.
Besides continuous security monitoring of their external attack surface, ImmuniWeb recommends that fintech operators should test new code for their mobile apps before and after deployment to production, and adopt a DevSecOps approach to application security.
Mobile app attestation (a system enabling remote apps and the fintech platform to mutually authenticate each other, according to pre-defined security rules) should be used as a complement to user authentication.
API security must not be overlooked. As well as authenticating users, it’s essential to ensure that only the official app, operating in an uncompromised environment, can access backend API services. Attestation is an important component in ensuring this.
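To make the point concrete, here is an added illustration (not code from the original article or from any vendor) of a backend check that requires both a valid user session and a valid app attestation token before serving an API call. The token format, claim names, header names and shared secret are all constructed for this example; a real attestation service would issue the token only after verifying the app binary and device state.

```python
"""Backend enforcement of app attestation alongside user authentication.
Constructed example: an attestation service issues a short-lived HMAC-signed
token to the genuine app; the API accepts a request only if the user's
session AND the attestation token both verify."""
import base64, hashlib, hmac, json, time

ATTEST_SECRET = b"constructed-demo-secret"   # shared with the attestation service
EXPECTED_APP = "com.example.fintech"         # hypothetical official app identifier
VALID_SESSIONS = {"sess-42": "alice"}         # stand-in for a user session store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_attestation(app_id: str, ttl: int = 300, now=None) -> str:
    """What the attestation service returns once the app has passed its checks."""
    now = time.time() if now is None else now
    claims = {"app": app_id, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_attestation(token: str, now=None) -> bool:
    """Accept only a correctly signed, unexpired token naming the official app."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):  # constant-time compare
            return False
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return False
    return claims.get("app") == EXPECTED_APP and claims.get("exp", 0) > now

def handle_api_request(headers: dict, now=None) -> tuple:
    """A valid user session alone is not enough: the app must also attest."""
    user = VALID_SESSIONS.get(headers.get("Authorization", ""))
    if user is None:
        return 401, "invalid user session"
    if not verify_attestation(headers.get("X-App-Attestation", ""), now):
        return 403, "request not from the genuine app"
    return 200, f"balance for {user}"
```

A stolen or scripted session token therefore cannot reach the API from a tampered or repackaged app, and tokens expire quickly enough that a captured one is of little use.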
Adoption of fintech mobile apps was already on the rise before the coronavirus pandemic, and with the convenience and self-service aspect of the technology, its popularity looks set to last well into the months and years ahead.
In any event, security vulnerabilities for fintech mobile apps will remain a concern. Organisations with limited resources and expertise may benefit from off-the-shelf, easy to use, and highly effective solutions from independent service providers.