As adoption of banking apps grows so does pressure to increase the range of capabilities the apps support, and that has security ramifications.
Mobile app-based banking continues to find favour, with more than two-thirds of Australians now using a mobile banking app or smartphone to do their banking. It also delivers the highest customer satisfaction rating of any banking channel, averaging an 89.4 per cent approval by customers of the big four.
As digital and self-service have been embraced by consumers, particularly in the form of increased use of apps, there’s inevitably pressure to build on that foundation.
A review of the apps of five major Australian banks last year found customers wanted to see more capabilities and functionality, particularly around money movement and management to improve financial wellbeing.
Some of these capabilities are being added via third-party-developed plugins created by fintechs, while other banks and credit unions are seeking to code these capabilities and features directly into the apps themselves.
Whichever expansion strategy is chosen, a key concern is that additional functionality brings with it additional security risk. The larger the range of functions the app can perform, the greater the amount of data it is likely to be handling.
All of these functions combine to create a broad potential attack surface for threat actors, who may view an ever-expanding banking app as a target that continues to increase in value.
Good security provides confidence
In a recent Deloitte survey, building digital trust was rated as the most important business strategy for success by financial institutions in the Asia-Pacific.
One of the top five benefits that cyber security investments had in this area was providing “confidence to try new things”, the survey found.
This means that, at least in some banks, there is a direct link between security and app capability growth: if a bank or credit union lacks confidence in its set-up, it is less likely to try new things that could increase its security risk or exposure.
Banks and credit unions alike are acutely aware of their critical infrastructure role and of the impact that a breach could have on customer confidence and goodwill. The critical nature of banking apps is often on display if they suffer downtime or degraded performance. Customer sentiment can turn quickly if they suddenly cannot perform critical tasks such as contactless payments at a supermarket register. And to be clear: these incidents aren’t often security related. A security-related impact could prove catastrophic, particularly from an erosion of digital trust perspective, let alone what exposures individual customers could have.
Fortunately, credit unions and banking institutions tend to take a very proactive, best-practice approach to cyber security, and this extends to the oversight of their apps.
Many, for example, have focused on upskilling the defensive capabilities of their development teams. Without this education and verification, a lack of expertise may lead to teams taking shortcuts and/or lapsing into human errors, which could trigger configuration issues and code-level vulnerabilities.
Importantly for banks, these vulnerabilities could raise risk thresholds to a point that’s incompatible with, or in breach of, their regulatory requirements. Stringent regulations – including the Payment Card Industry Data Security Standard (PCI-DSS), the EU’s General Data Protection Regulation (GDPR) and additional global and national initiatives – exist to address issues such as insecure data storage, insufficient authentication/authorisation, poor code quality and code tampering.
These standards create and drive vigilance among risk teams. In their pursuit of app expansion and increased customer satisfaction scores, it is important that developers or customer experience teams do not do anything that would undermine this vigilance and risk position.
Security upskilling and awareness
To lay the foundations to proceed confidently with banking app expansion, a holistic, people-driven security program is beneficial for creating the right mindset and foundational skills base.
A program that takes a dynamic approach based upon real-life threat management scenarios – as opposed to a static learning approach – will gain the most traction quickly. This can include the leveraging of motivational tools, such as rewards for successful “wins” and skills acquired.
Security learning pathways should also be available to everyone with a stake in the bank’s customer success. Developers are just one part of the ecosystem. Other parts of the organisation, such as application security professionals and senior management, also have key stakes in securing digital experiences and building digital trust. Executives, in particular, need to understand that security is not a “set it and forget it” discipline. A combination of tools and training is the most effective way to maintain the currency of security knowledge and best practices.
A positive security program focused on role-based education and awareness can lead to increased security engagement across the entire organisation, establishing the bank as “security-first”. From that position, unconstrained innovation can safely follow.
Pieter Danhieux is CEO and co-founder of Secure Code Warrior.