As mobile users have increased the number of financial transactions they perform on their devices, they have also become targets for those looking to exploit them. Mobile apps are also often used as a path into back-end systems. Let’s take a look at the financial security standards and regulations in 2022 that highlight the challenges organizations face in protecting this rapidly growing channel and the rest of their organization.
Top 2022 Financial Security Regulations and Recommendations
Banks, insurance companies, and financial organizations are expected to comply with or follow the recommendations of standards organizations, as part of protecting people and their assets. The following are examples:
Identify Mobile App Risks and Report Cyberattacks
As part of the FFIEC (Federal Financial Institutions Examination Council) IT Examination Handbook, financial institutions and technology service providers are expected to identify and control mobile application risks. For more information on how to address these risks, see this article.
Ensure Security, Privacy, and Protect from Exploitation of Digital Assets
On March 9, 2022, President Biden outlined the priorities for a national digital asset policy, including “consumer and investor protection; financial stability; illicit finance; U.S. leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation.” In this executive order, he specifically called out the need to support technological advances while prioritizing privacy and security and combating illicit exploitation. With many, if not most, people using mobile wallets and apps to manage and transact digital assets, users increasingly expect app makers to protect those apps. See our global consumer survey for more on the security expectations of mobile app users.
Adopt NAIC Insurance Data Security Model Law
The NAIC is the National Association of Insurance Commissioners. In an October 2017 report, the U.S. Treasury Department recommended adoption of the NAIC Insurance Data Security Model Law by all 50 U.S. states, and further recommended that the states adopt and implement the model law by 2022. So far, 18 states have adopted the law.
Under the law, as part of its risk management requirements, insurers, agents and agencies must mitigate identified risks to data security and implement appropriate security measures. This includes:
- Place access controls on Information Systems, including controls to authenticate and permit access only to Authorized Individuals to protect against the unauthorized acquisition of Nonpublic Information
- Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy
- Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media
Protecting Financial Apps
Financial regulations are generally put in place to protect end users and their assets. As people increase their use of mobile apps for financial transactions, bad actors will continue to use malware and other methods to give themselves privileged access to accounts and wallets. Along with targeting the mobile apps themselves, bad actors have used mobile apps to obtain API keys, usernames and passwords, and then used those credentials to reach and attack back-end servers. As organizations face (1) an increase in attacks tied to the increased use of mobile apps and (2) an increase in the sophistication of attacks on a mobile channel they lack the resources to address, they will need to prevent cyber attacks, protect mobile user data, preempt mobile fraud, and secure the APIs used by mobile apps.
Preventing Cyber Attacks
Mobile banking, fintech, digital asset and insurance apps are targets of cyber attacks. These attacks include account takeovers, man-in-the-middle attacks, attacks that use debugging tools, tampering, reverse engineering, and repackaging. Learn about data entry and man-in-the-middle attacks and how app makers can protect mobile wallets.
Protecting Mobile User Data
There is a wealth of mobile user data in banking, fintech and insurance apps. It’s critical that app makers protect all consumer data, including user identities, credentials, claims, photos, geolocation, customer identity information and financial data. That data needs protection at rest, in transit and in memory. One of the most important ways to protect mobile user data is encryption, which covers data at rest and in transit; data in memory is necessarily in the clear while the app uses it, so protecting it depends on the anti-debugging and anti-tampering measures discussed below.
Preempting Mobile Fraud
Synthetic fraud, overlay attacks and other abuses of mobile apps continue to evolve. Protection against clickjacking, mobile banking trojans and remote access trojans is required to prevent the illegal transfer of funds and the harvesting of confidential data. Reduce your fraud numbers by stopping the tools and methods fraudsters use to dynamically and remotely implant malicious code.
Securing APIs in Mobile Apps
Current banking and financial API standards lack client-side security standards. Why is this an issue? Mobile apps contain hundreds of API integrations that make thousands of calls to back-end servers daily. When unsecured APIs are integrated into mobile apps, they often allow cybercriminals to compromise both the mobile app and the API back end, making it easier to steal transaction and personal information. Gaps that result from the absence of client-side API standards include:
- Unsecured APIs expose privacy-sensitive and transaction data, place authentication parameters in URLs (where they end up in server and proxy logs), and rely on outdated protocols that enable attacks on third-party servers.
- It’s harder for a client to authenticate in a way that lets the server trust it is the genuine application. There are no client-side standards today for uniquely identifying mobile apps.
- Organizations that have deployed API gateways may address some client-side API vulnerabilities, but gateways will not address a number of issues. Because there is rarely a single “gateway” point where protection can be enforced, mobile apps are an increasingly vulnerable area for organizations.
Application developers need an automated way to build comprehensive security and mobile fraud prevention into mobile apps in the absence of client-side security standards, without having to put a gateway in front of the API. Organizations also need a way to communicate to each other which security features have been added and in what release. Appdome provides app makers an automated way to build security into their software development lifecycle without SDKs or coding.
To address the security gaps in banking and financial API standards: encrypt API keys, API secrets, and the strings that denote the use of the API; obfuscate the app’s structure, control flow and the logic around the API; shield the API from tampering, debugging and reverse engineering; and protect the communication between the app’s REST API calls and the back-end server.
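The two gaps called out above (a server that cannot tell a genuine app from a captured request, and authentication parameters carried in URLs) and the last measure in the list (protecting the app-to-backend communication) can be made concrete. The following Python example is added here and is not Appdome’s code or from the original page. It assumes a hypothetical `/v1/transfer` endpoint, a constructed shared `STATIC_API_KEY`, and a constructed per-install `INSTALL_SECRET`; it shows the weak pattern (shared key in the query string) beside a hardened one (HMAC-signed request bound to method, path, body, timestamp and nonce) and runs a capture-and-replay attacker against both.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample credentials for this example (hypothetical, not real keys).
STATIC_API_KEY = "ak_live_0123456789abcdef"
INSTALL_SECRET = hashlib.sha256(b"example-install").digest()  # per-install secret


# --- Weak pattern: shared API key passed as a URL parameter -------------------
def build_weak_request(path: str, body: dict) -> dict:
    """Key in the query string: it is written to server/proxy logs, and any
    captured request, edited or not, can be replayed unchanged."""
    return {"method": "POST", "url": f"{path}?api_key={STATIC_API_KEY}",
            "body": json.dumps(body, sort_keys=True), "headers": {}}


def weak_server_accepts(req: dict) -> bool:
    """Server check for the weak pattern: a plain compare on the URL parameter."""
    qs = parse_qs(urlsplit(req["url"]).query)
    return qs.get("api_key", [""])[0] == STATIC_API_KEY


# --- Hardened pattern: HMAC-signed request with timestamp and nonce ----------
def canonical_string(method: str, path: str, ts: int, nonce: str, body: str) -> str:
    """Bind method, path, time, nonce and a body hash into one signed message."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash])


def sign_request(secret: bytes, method: str, path: str, body: dict,
                 ts: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Client side: sign the request; the secret itself is never transmitted."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    raw_body = json.dumps(body, sort_keys=True)
    msg = canonical_string(method, path, ts, nonce, raw_body)
    sig = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return {"method": method, "url": path, "body": raw_body,
            "headers": {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}}


class SignatureVerifier:
    """Server side: recompute the HMAC, bound clock skew, reject replayed nonces."""

    def __init__(self, secret: bytes, max_skew: int = 300, now=time.time):
        self.secret = secret
        self.max_skew = max_skew
        self.now = now
        self.seen_nonces: Set[str] = set()  # production: TTL cache sized to max_skew

    def verify(self, req: dict) -> Tuple[bool, str]:
        h = req["headers"]
        try:
            ts, nonce, sig = int(h["X-Timestamp"]), h["X-Nonce"], h["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(int(self.now()) - ts) > self.max_skew:
            return False, "timestamp outside window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        msg = canonical_string(req["method"], urlsplit(req["url"]).path, ts, nonce, req["body"])
        expected = hmac.new(self.secret, msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Run both patterns against a capture-and-replay attacker; return the outcomes."""
    body = {"to": "ACC-42", "amount": 250}
    stolen_body = json.dumps({"to": "ACC-99", "amount": 250000})
    # Weak: the captured request replays, and so does an edited copy of it.
    weak = build_weak_request("/v1/transfer", body)
    edited_weak = dict(weak, body=stolen_body)
    # Hardened: one valid request, the same bytes replayed, a tampered body, a stale one.
    verifier = SignatureVerifier(INSTALL_SECRET, now=lambda: now)
    signed = sign_request(INSTALL_SECRET, "POST", "/v1/transfer", body, ts=now, nonce="n1")
    tampered = dict(sign_request(INSTALL_SECRET, "POST", "/v1/transfer", body,
                                 ts=now, nonce="n2"), body=stolen_body)
    stale = sign_request(INSTALL_SECRET, "POST", "/v1/transfer", body, ts=now - 3600, nonce="n3")
    return {
        "weak_first": weak_server_accepts(weak),
        "weak_replay": weak_server_accepts(weak),
        "weak_edited": weak_server_accepts(edited_weak),
        "signed_first": verifier.verify(signed),
        "signed_replay": verifier.verify(signed),
        "signed_tampered": verifier.verify(tampered),
        "signed_stale": verifier.verify(stale),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The signed form closes the capture-and-replay and URL-logging exposures, but the signing secret still lives on the device. An attacker who extracts it from the binary or from memory can sign their own requests, which is exactly why the measures listed above (encrypting the key material and API strings, obfuscating the logic around the API, and blocking debugging and tampering) are needed alongside request signing rather than instead of it.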
We’d Love to Help!
Protecting end users as technology evolves amid world changes drives new regulations and standards. As more end users use mobile apps more often, preempting fraud and attacks, rather than dealing with them after they have happened, saves organizations millions of dollars or more in lost funds, lost reputation and internal resources.
I’d love to help with your security project and help you overcome the challenges you are facing. Let me show you how you can protect against threats to your mobile app. Please reach out to us for a demo!