HOW BANKS AND FINANCIAL INSTITUTIONS CAN UP THEIR APP SECURITY GAME
Will LaSala, Director of Security Solutions, Security Evangelist, OneSpan
The holiday shopping period often kicks off with Black Friday, and as technology evolves, the way consumers interact with retailers is changing too. Of the £1.39 billion spent online on Black Friday this past year, 39 percent of purchases were made via smartphones, presenting a brand new target for cyber-criminals to exploit. Indeed, criminals are increasingly targeting customers via mobile online banking apps, particularly through an upswing in SIM swap fraud. This involves hijacking phone numbers to gain access to mobile accounts, and it has increased by 60 percent since 2021. With UK customers having already lost £500 million to scams in the first half of 2021, there is an urgent need for banks and financial institutions to put mobile application security near the top of their agendas. In light of this, here are four ways they can up their app security game:
1 – Employ strong authentication, consider adaptive methods and tools
To ensure they stand the very best chance of securing data and reducing the risk of fraud on Black Friday, all mobile apps should be secured with strong, user-friendly, multi-factor authentication. This means that if a hacker wants to gain access to an account, they would need a combination of at least two of three authentication methods: something you know (such as a PIN), something you have (such as an authentication app) or something you are (such as a fingerprint or facial scan).
Banks and financial institutions should also consider adaptive authentication tools. These take into account, in real time, user, device and transaction data to determine the authentication requirements for each transaction.
Banks should continuously analyse a user's activities, environment and behaviours to help detect unusual transactions. This is particularly important around the holiday shopping season, but should be employed all year round. If a customer starts logging in to their mobile banking app from a new location in Scotland, when they usually make payments from London, a certain risk score may prompt a request for a one-time password (OTP), while a higher risk score may prompt the consumer for both an OTP and a fingerprint scan (e.g., for any transfer of £10,000 to a foreign bank account).
2 – Application shielding technology
All bank and financial mobile apps should be able to protect themselves in untrusted or compromised environments, to mitigate the risk of fraud. Application shielding technology can detect and prevent app-level intrusions in real time. So even if a user unknowingly downloads malware – by jailbreaking their device, connecting to unsecured public WiFi, or not updating their software – the app is not compromised. This means that any data and transactions made inside the app will stay secure.
Application shielding technology also prevents attackers from injecting malicious code into an application, and repackaging it for distribution in unofficial marketplaces, or websites, as was seen with the popular Fortnite app earlier this year.
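One concrete check behind the repackaging protection described above is an integrity manifest: at build time the pipeline records a digest of every file in the package and signs the list, and at start-up the app recomputes the digests and refuses to run if anything was modified, removed or added. The following is an added example, not OneSpan's product code or the Fortnite app's own check. It uses an HMAC so it runs on the Python standard library alone; a real deployment would sign the manifest with an asymmetric key so that the verification key shipped inside the app cannot be used to forge a new manifest, and would protect the verification code itself with the shielding layer. The file names and contents are constructed for the demonstration.

```python
"""Repackaging detection via a signed integrity manifest (illustrative)."""
import hashlib
import hmac
import json

# Assumed: the build pipeline holds this key; a real system would use an
# asymmetric signature so the app only ever holds a public verification key.
BUILD_KEY = b"build-pipeline-signing-key"


def _digests(files: dict) -> dict:
    """SHA-256 of every file, keyed by path, in a deterministic order."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def build_manifest(files: dict, key: bytes = BUILD_KEY) -> bytes:
    """Build-time step: digest every file and sign the digest list."""
    body = json.dumps(_digests(files), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": _digests(files), "sig": tag}).encode()


def verify_package(files: dict, manifest_bytes: bytes, key: bytes = BUILD_KEY) -> list:
    """Start-up step: return a list of problems; an empty list means intact.

    The signature is checked first, so an attacker who rebuilds the manifest
    to match a modified package is caught even though every digest 'matches'.
    """
    doc = json.loads(manifest_bytes)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, doc["sig"]):
        return ["manifest signature invalid"]

    problems = []
    expected = doc["manifest"]
    for name, digest in expected.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in expected:  # files injected into a repackaged build
            problems.append(f"unexpected: {name}")
    return problems


# Constructed sample package: a tiny stand-in for real app contents.
ORIGINAL_FILES = {
    "classes.dex": b"original application code",
    "res/strings.xml": b"<resources><string name='app'>Bank</string></resources>",
}

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_FILES)
    print("genuine build:", verify_package(ORIGINAL_FILES, manifest))
    tampered = dict(ORIGINAL_FILES)
    tampered["classes.dex"] = b"patched application code"
    tampered["extra.dat"] = b"added by repackager"
    print("tampered build:", verify_package(tampered, manifest))
```

The signature check must come before the per-file comparison: a repackager who can edit `classes.dex` can just as easily regenerate the digest list, so an unsigned manifest detects only accidental corruption, not deliberate tampering.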
3 – Stay compliant with industry standards
Industry standards are an easy way of setting a benchmark that banks and financial institutions should adhere to, and ensuring their offerings are safe from the latest threats and vulnerabilities on Black Friday and beyond.
Complying with the upcoming PSD2 regulations well in advance of the deadlines will stand banks and financial institutions in good stead to protect mobile apps ahead of the holiday shopping period. PSD2 includes a Strong Customer Authentication requirement, which involves mandatory two-factor authentication, and Transaction Risk Analysis to prevent, detect and block fraudulent payments. This takes into account elements including payment patterns, behavioural analysis, location of payer and payee, details about the device used to conduct the payment, and also the ability to collect data from multiple channels.
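The adaptive authentication described under point 1 and the PSD2 Transaction Risk Analysis described here are the same mechanism: signals about the user, device, payee and amount are combined into a risk score, and the score decides how much authentication to demand. The block below is an added example, not OneSpan's or any bank's engine, showing that decision for the article's own scenario (a London customer logging in from Scotland, and a £10,000 transfer to a foreign account). The signals, weights and thresholds are illustrative assumptions; a production engine would be tuned on fraud data and would draw on many more channels.

```python
"""Illustrative transaction risk scoring with step-up authentication."""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the bank already knows about the customer (assumed fields)."""
    usual_city: str
    known_devices: set = field(default_factory=set)
    typical_max_amount: float = 1000.0  # GBP, from recent payment history


@dataclass
class TransactionContext:
    """Signals collected for one login or payment attempt."""
    city: str
    device_id: str
    amount: float = 0.0          # 0 for a plain login
    payee_country: str = "GB"
    new_payee: bool = False


# Illustrative weights; not tuned values from any real deployment.
WEIGHTS = {
    "new_location": 30,
    "unknown_device": 40,
    "foreign_payee": 25,
    "new_payee": 15,
    "high_amount": 30,
}


def risk_score(profile: UserProfile, ctx: TransactionContext):
    """Return (score, triggered signals) for one attempt."""
    reasons = []
    if ctx.city != profile.usual_city:
        reasons.append("new_location")
    if ctx.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if ctx.payee_country != "GB":
        reasons.append("foreign_payee")
    if ctx.new_payee:
        reasons.append("new_payee")
    if ctx.amount > profile.typical_max_amount:
        reasons.append("high_amount")
    return sum(WEIGHTS[r] for r in reasons), reasons


def required_factors(score: int) -> list:
    """Map a score to the extra factors the app must collect (assumed thresholds)."""
    if score < 30:
        return []                      # password alone is enough
    if score < 70:
        return ["otp"]                 # one-time password
    return ["otp", "biometric"]        # OTP plus fingerprint/face scan


def decide(profile: UserProfile, ctx: TransactionContext) -> dict:
    score, reasons = risk_score(profile, ctx)
    return {"score": score, "reasons": reasons, "step_up": required_factors(score)}


if __name__ == "__main__":
    # Constructed customer: usually banks from London on one known phone.
    alice = UserProfile(usual_city="London", known_devices={"phone-1"})
    print(decide(alice, TransactionContext(city="London", device_id="phone-1")))
    print(decide(alice, TransactionContext(city="Edinburgh", device_id="phone-1")))
    print(decide(alice, TransactionContext(city="Edinburgh", device_id="phone-1",
                                           amount=10000, payee_country="ES")))
```

The engine is deliberately additive and explainable: each triggered signal is returned alongside the score, which is what a fraud analyst needs when reviewing why a customer was challenged, and what a regulator will ask for when the bank claims a transaction was exempt from strong authentication on risk grounds.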
4 – Educate customers
Banks and financial institutions should provide clear communication and guidelines for their customers, offering advice on how to stay secure. Popular shopping periods, such as Black Friday, Cyber Monday and the run-up to Christmas, present tempting opportunities for hackers looking to target customers with social engineering attacks and phishing emails. Customers should be educated on how to spot these, and what to avoid. Furthermore, if a bank or lender knows that a phishing email is impersonating them, they should send notices to customers warning them.
With the holiday shopping season upon us, banks and payment providers need to ensure they're prepared for the annual shopping rush, and that hackers don't take advantage of the upsurge in transactions to target customers. By taking into account the above four steps, banks and customers will both be protected, not just at Christmas, but for life.