Mobile Banking Security: Challenges, Solutions

To offer the best feature-packed online banking mobile applications that can be delivered, organizations need to carefully consider both functional as well as security implications to ensure that customers and assets are protected from malware and wrongdoers.
Executive Summary

There are over 1.2 billion smartphone users worldwide.[1] Individuals adopt smartphones not only to surf the Internet but to download and use entertainment, information, social sites, shopping, travel and banking apps — among other things. This has led to numerous opportunities for organizations to roll out mobile applications that not only engage and drive loyalty but also garner additional revenue. Organizations are substantially increasing spend on mobile application development to help employees/customers increase their productivity while delivering a more intuitive user experience.[2]

Moreover, an increasing number of individuals are using mobile applications compared with traditional desktop/Web-based applications. A research report from ComScore shows that apps account for a majority of consumers’ mobile minutes, and 80% of their media time is spent on app usage compared with only 20% on Web browsers.[3] Recently published data from MQA Research shows that consumer interest in mobile banking and payments services in the U.S. has increased significantly in the past two years. Roughly 75% of those surveyed say they would consider using mobile banking services if offered, compared with only 49% who expressed their willingness to try mobile banking services in a similar survey conducted in 2006.[4]

Globally, banks offer a variety of mobile banking services; and those banks that do not currently provide m-banking services claim they plan to do so in the near future to remain relevant, according to a recent survey conducted by the Aite Group.[5] And according to a study from the University of Hamburg, Germany, m-banking mobile applications are growing exponentially; roughly 69% of banks already offer such services.[6]

However, there is a downside to this market momentum. The MQA survey revealed that security remains a major concern in adopting m-banking. Approximately 72% of respondents said they worry about the security of accessing financial data on a mobile device. Nevertheless, 79% of respondents said they would sign up for account balance alerts by mobile. Our research on consumer segments reinforces the importance of security features for choosing banks that offer mobile banking.[7]
Addressing Mobile Security

Mobile device productivity comes at a price — increased security risks. Mobile applications create yet another path into enterprise networks, allowing criminals, fraudsters and hackers to propagate malicious code. Sensitive data stored on a mobile device could be lost or stolen, leading to data breaches, compliance violations and expensive/embarrassing public disclosures. Large organizations recognize mobile device threats and vulnerabilities and understand that they need proper security protection. Just what types of security controls are needed? Figure 1 provides a list of top security requirements and suggested remedies.

cognizant 20-20 insights | july 2014

Figure 1: Analysis and Recommendations

Authentication
Description: Strong authentication mechanism.
Recommendations: Multistep authentication on secured XML-based Web services for user ID plus password and secure ID/SMS is recommended. An additional recommendation is to check the user's location using GPS during authentication.

Authorization
Description: Allow authenticated users access only to the business functionality to which they are entitled.
Recommendations: After a user has authenticated, the application can check with the back-end services to determine whether the user has the required access to the application data (i.e., whether the user is mobile-enabled or not). The client displays a secure navigation menu based on the user's entitlements/access rights. The entitlements/access rights are checked at the back end for each request before business functions are called.

Data Confidentiality
Description: Sensitive data should be kept in memory (and not on disk) only while it is needed. The application must not store any sensitive data on the file system. Sensitive information should not be leaked through logs and error messages.
Recommendations: The application cache manager should clear the data when the application operates in the background. If sensitive data needs to be handled on iOS, use C rather than Objective-C. Logs and error messages should be suppressed using a tool like Dexguard[8] for the Android platform and Arxan's EnsureIT[9] for iOS.

Secure Data Cleanup
Description: All secure objects in the system (data requests, account data, user-related information, etc.) must be securely wiped when a log-off is triggered.
Recommendations: Secure objects and data structures should be cleaned when a log-off is triggered. If application tampering is detected, the application should be forced to shut down. The Dexguard library can be used to check whether the application has been tampered with. If a WebView API is used, it should be cleared during log-off.

Local Data Transfer Prevention
Description: The application should prevent any data from being locally transferred outside the application (e.g., copying it or sending it to an unauthorized external application).
Recommendations: Remove the data from the clipboard when the app operates in the background so it cannot be transferred outside the application. Disable long press for sensitive fields.

Connection Encryption
Description: All network traffic is encrypted.
Recommendations: The HTTPS protocol should be used to connect to the back-end applications. An additional white list of IP addresses and domain names should be maintained on the client side to prevent the app from talking to domains not specified on the white list.

OS Security Check
Description: Detect whether the application is running on a jail-broken/rooted/malware-infected device.
Recommendations: Trusteer Mobile SDK[10] is recommended. Trusteer provides a score on OS security updates and malware detection. Based on the score, the application can decide to close the app, or the score can be passed to the back-end systems over a secured channel for further investigation/action.

Jail-Break/Rooted Device Check
Description: The application must prevent hackers from accessing the app when the device is rooted or jail-broken.
Recommendations: Trusteer Mobile SDK is recommended to check whether the device is rooted; it provides a score indicating whether the device is rooted. Based on the score, the application can decide to close the app, or the score can be passed to back-end systems over a secured channel for further investigation/action. RootTools[11] is another open source library that can be used to perform a rooted-device check.

Preprocessing/String Obfuscating/Symbol Stripping
Description: Eliminate any plain-text resources from the application's bundle. This prevents malicious attackers from gathering insights into the application internals. The symbol table should be stripped, leaving only unresolved symbols and forcing an attacker to trawl for data in the runtime code, decrypt the binary or use more complex debugger tactics to obtain a map of the application symbols for class names, methods and function names.
Recommendations: A tool like Dexguard/EnsureIT is recommended for this purpose. Dexguard/EnsureIT is used to preprocess the application code and encrypt the classes, methods and string constants. Dexguard is also used to obfuscate the plain-text files and static content.

Root Certificate Check
Description: To secure communications with the back-end server, a certificate check should be implemented on the client side to ensure that the server's certificate is signed by the organization.
Recommendations: The SSL certificate should be bundled with the application and encrypted using a tool like Dexguard/EnsureIT. The SSL certificate presented by the server should be checked to confirm that it is signed by the respective authority. If the certificate is not so signed, the app should be closed.

Anti-Debugging Mechanism
Description: The application must prevent debuggers from attaching to it (e.g., to read sensitive data from memory in use by another running application).
Recommendations: In the Android manifest, the debuggable property can be set to false. A tool like Dexguard/EnsureIT supports removal of logging, debug or test code for the production release.

Tamper Checking
Description: The application should check whether it is being tampered with. For example, debug flags can be checked to determine whether the application is being debugged.
Recommendations: A tool like Dexguard/EnsureIT is recommended; a tamper check can be performed using the Dexguard library. The application should be checked for tampering during launch and closed if it is found to have been tampered with.

Blacklisting Older Versions of the App
Description: It should be possible to block certain older versions of the app on the back-end server if there is a security breach.
Recommendations: A server-side filter can be used to check for blacklisted application versions. If an app version is blacklisted, the user receives an error message and is asked to upgrade the app.

Security Logging
Description: All security events that happen inside the application should be logged and sent to the back-end server.
Recommendations: This is achievable using a secured Web service provided at the back end. All security events are temporarily stored on the device and sent to the server periodically. During log-off, the device data is sent to the server to ensure no confidential data remains on the device.

Anti-pharming[12] Protection
Description: The app should prevent the redirection of its traffic to a malicious server by checking that the DNS host-name look-up resolves to a white-listed IP.
Recommendations: Trusteer Mobile SDK provides a feature that protects the application against pharming. A custom implementation is also possible: verify the URL against a preconfigured white list for every outgoing service call.

Encrypt Assets
Description: Hide important data, such as property files.
Recommendations: A tool like Dexguard/EnsureIT can encrypt asset files transparently, so hackers won't be able to abscond with them.
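The client-side white list that the Connection Encryption and Anti-pharming rows of Figure 1 call for, written out as an added example; this is not code from the paper or from any product it names. The host names, IP ranges and the fake resolver are constructed so the check runs offline, and the OS-backed resolver is only shown.

```python
"""Client-side allow list for outgoing service calls.

Added example, not code from the paper: before the app makes a service call,
the URL is checked against a preconfigured allow list of host names, and the
addresses the host resolves to are checked against an allow list of IP
ranges. The host names and ranges below are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Constructed policy for a hypothetical bank back end.
ALLOWED_HOSTS = {"api.examplebank.test", "auth.examplebank.test"}
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # documentation range, stands in for the bank's edge
    ipaddress.ip_network("198.51.100.10/32"),  # a single whitelisted address
]

Resolver = Callable[[str], List[str]]


class BlockedRequest(Exception):
    """Raised when an outgoing call fails the allow-list check."""


def check_outgoing_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Validate scheme and host of an outgoing URL; return the normalized host.

    The comparison is an exact match on the parsed host name, so a look-alike
    such as "api.examplebank.test.evil.example", or a URL whose user-info part
    merely resembles the bank's host, does not pass.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise BlockedRequest(f"non-HTTPS scheme {parts.scheme!r} in {url!r}")
    if parts.username is not None or parts.password is not None:
        raise BlockedRequest(f"user-info component not allowed in {url!r}")
    host = parts.hostname  # lower-cased by urlsplit, IPv6 brackets removed
    if not host:
        raise BlockedRequest(f"no host in {url!r}")
    host = host.rstrip(".")  # "api.examplebank.test." names the same host
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError as exc:
        raise BlockedRequest(f"malformed port in {url!r}") from exc
    if port not in (None, 443):
        raise BlockedRequest(f"port {port} not allowed for {host}")
    if host not in set(allowed_hosts):
        raise BlockedRequest(f"host {host!r} is not on the allow list")
    return host


def check_resolved_addresses(host: str, resolver: Resolver,
                             allowed_networks=ALLOWED_NETWORKS) -> List[str]:
    """Resolve host and require every returned address to be whitelisted.

    One non-whitelisted address fails the whole check, because the client
    cannot know which of the returned addresses the socket layer will pick.
    """
    addresses = resolver(host)
    if not addresses:
        raise BlockedRequest(f"{host} did not resolve")
    rogue = [a for a in addresses
             if not any(ipaddress.ip_address(a) in net for net in allowed_networks)]
    if rogue:
        raise BlockedRequest(f"{host} resolved to non-whitelisted address(es) {rogue}")
    return addresses


def system_resolver(host: str) -> List[str]:
    """Resolver backed by the OS; shown for production use, not called here."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})


def is_allowed(url: str, resolver: Resolver) -> bool:
    """True if both the URL and its resolved addresses pass the allow list."""
    try:
        host = check_outgoing_url(url)
        check_resolved_addresses(host, resolver)
        return True
    except BlockedRequest:
        return False


# Constructed DNS answers: the auth host "resolves" to an address outside the
# whitelisted ranges, which is exactly the symptom a pharmed lookup produces.
FAKE_DNS = {
    "api.examplebank.test": ["192.0.2.10", "192.0.2.11"],
    "auth.examplebank.test": ["203.0.113.5"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://api.examplebank.test/v1/accounts",
        "https://API.ExampleBank.test:443/v1/accounts",
        "http://api.examplebank.test/v1/accounts",
        "https://api.examplebank.test@evil.example/",
        "https://api.examplebank.test.evil.example/",
        "https://auth.examplebank.test/token",
    ]:
        verdict = "allow" if is_allowed(candidate, fake_resolver) else "block"
        print(f"{verdict:5} {candidate}")
```

In the app, the resolved-address check would be repeated for each call rather than cached, since the paper's point is that a redirected lookup should be caught at the moment it happens.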
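The server-side filter from the Blacklisting Older Versions row of Figure 1, as an added example that is not the paper's code or any product's. The X-App-Version header convention, the version numbers, the 426 status and the stand-in service behind the filter are all assumptions.

```python
"""Server-side filter for blacklisted app versions.

Added example, not the paper's code: the client reports its version in an
X-App-Version header (a constructed convention), and a WSGI filter in front
of the banking services rejects blacklisted or too-old versions with an
error that asks the user to upgrade. Version numbers below are constructed.
"""
import json
import logging
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

log = logging.getLogger("version-filter")

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")
Version = Tuple[int, int, int]


def parse_version(text: Optional[str]) -> Optional[Version]:
    """Parse "major.minor.patch" into a comparable tuple; None if malformed."""
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


class VersionPolicy:
    """Minimum supported release plus explicitly withdrawn releases."""

    def __init__(self, minimum: str, blacklisted: Iterable[str] = ()) -> None:
        parsed = parse_version(minimum)
        if parsed is None:
            raise ValueError(f"bad minimum version {minimum!r}")
        self.minimum: Version = parsed
        self.blacklisted = {v for v in map(parse_version, blacklisted) if v is not None}

    def decide(self, reported: Optional[str]) -> Tuple[bool, str]:
        """Return (allowed, reason). Missing or malformed versions are rejected."""
        version = parse_version(reported)
        if version is None:
            return False, "missing or malformed app version"
        if version in self.blacklisted:
            return False, "this app version has been withdrawn for security reasons"
        if version < self.minimum:  # tuple comparison, so 2.10.0 > 2.9.0
            return False, "this app version is older than the minimum supported release"
        return True, "ok"


def version_string(version: Version) -> str:
    return ".".join(str(part) for part in version)


class VersionFilter:
    """WSGI middleware: blocked versions get 426 Upgrade Required."""

    def __init__(self, app: Callable, policy: VersionPolicy,
                 header: str = "HTTP_X_APP_VERSION") -> None:
        self.app, self.policy, self.header = app, policy, header

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        reported = environ.get(self.header)
        allowed, reason = self.policy.decide(reported)
        if allowed:
            return self.app(environ, start_response)
        # A blocked call is a security event worth keeping in the back-end log.
        log.warning("blocked app version %r from %s: %s",
                    reported, environ.get("REMOTE_ADDR", "?"), reason)
        body = json.dumps({
            "error": "upgrade_required",
            "message": f"{reason}. Please upgrade the app to continue.",
            "minimum_version": version_string(self.policy.minimum),
        }).encode("utf-8")
        start_response("426 Upgrade Required", [
            ("Content-Type", "application/json"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def banking_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the real back-end service behind the filter."""
    body = b'{"balance": "hidden in this demo"}'
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call_wsgi(app: Callable, environ: Dict) -> Tuple[str, str]:
    """Invoke a WSGI app without a server; return (status line, body text)."""
    captured: List[str] = []

    def start_response(status: str, headers: List[Tuple[str, str]]) -> None:
        captured.append(status)

    body = b"".join(app(environ, start_response))
    return captured[0], body.decode("utf-8")


# Constructed policy: 2.1.0 and 2.1.1 shipped with a flaw and were withdrawn;
# anything before 2.0.0 is no longer supported at all.
POLICY = VersionPolicy(minimum="2.0.0", blacklisted=["2.1.0", "2.1.1"])
filtered_app = VersionFilter(banking_app, POLICY)

if __name__ == "__main__":
    for version in ["2.2.0", "2.1.0", "1.9.9", "2.10.0", None]:
        environ = {"HTTP_X_APP_VERSION": version, "REMOTE_ADDR": "198.51.100.7"}
        status, body = call_wsgi(filtered_app, environ)
        print(f"{str(version):8} -> {status}: {body}")
```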
Looking Forward

Given existing competitive market dynamics, even small banks now offer mobile solutions to their customers. Online banking, or for that matter any important financial mobile application rollout, takes on increased strategic importance since success there is critical to moving forward. Securing any and all feature-packed mobile apps is therefore exceedingly critical.

New threats are always emerging, so security architects need to be forewarned and forearmed on the trends and vulnerabilities to ensure their organizations’ mobile apps are safe and hard to hack, if not impenetrable, before they are implemented.

Mobile applications and related security breaches receive much media attention and can undermine a company’s reputation. The above guidelines offer a comprehensive approach and tangible recommendations for defending mobile apps from security breaches. By building comprehensive security features into strategic, feature-rich mobile apps from the get-go, organizations can keep sensitive transactional and interactional data from the prying eyes of those who wish to do them harm over the near and long term.
Footnotes

1. “There Will Soon Be One Smartphone For Every Five People In The World,” www.businessinsider.in/There-Will-Soon-Be-One-Smartphone-For-Every-Five-People-In-The-World/articleshow/21375608.cms.
2. “Why Your Enterprise Must Rethink Mobile App Development,” www.wired.com/2013/02/why-your-enterprise-must-rethink-mobile-app-development/.
3. “Mobile Marketing Statistics 2014,” www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/.
4. “Security: a major concern for the adoption of m-banking,” www.vasco.com/Images/Mobile_Banking_Security_VASCO.pdf.
5. “Corporate Mobile Banking: A Look at J.P. Morgan ACCESS Mobile,” www.jpmorgan.com/treasury/jpm_access/doc/Corporate_Mobile_Banking_A_Look_at_JP_Morgan_ACCESS_Mobile.pdf.
6. “The Mobile Commerce Prospects: A Strategic Analysis of Opportunities in the Banking Sector,” www.postbank.de/postbank/docs/HamburgUP_Tiwari_Commerce.pdf.
7. “Segment-based Strategies for Mobile Banking,” www.cognizant.com/InsightsWhitepapers/Segment-Based-Strategies-for-Mobile-Banking.pdf.
8. Dexguard, www.saikoa.com/dexguard.
9. Arxan EnsureIT, www.arxan.com/products/mobile/ensureit-for-apple-ios/.
10. Trusteer Mobile SDK, www.trusteer.com/products/trusteer-mobile-sdk.
11. RootTools, https://github.com/Stericson/RootTools.
12. Anti-Pharming, http://en.wikipedia.org/wiki/Anti-pharming.
About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 75 development and delivery centers worldwide and approximately 178,600 employees as of March 31, 2014, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.
World Headquarters
500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
Email: inquiry@cognizant.com
European Headquarters
1 Kingdom Street
Paddington Central
London W2 6BD
Phone: +44 (0) 20 7297 7600
Fax: +44 (0) 20 7121 0102
Email: infouk@cognizant.com
India Operations Headquarters
#5/535, Old Mahabalipuram Road
Okkiyam Pettai, Thoraipakkam
Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000
Fax: +91 (0) 44 4209 6060
Email: inquiryindia@cognizant.com
© Copyright 2014, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
About the Authors

Amit Tank is a Solutions Architect within Cognizant’s Banking and Financial Services Business Unit. He has over 12 years of industry experience across several industry sectors including (but not limited to) software product development, professional services, research and development, manufacturing engineering and software applications. Amit has architected, designed and developed critical business-centric enterprise applications for companies in the insurance, mortgage, banking and financial services industries. He earned his bachelor’s degree in engineering from NIT Durgapur, India and is a TOGAF 9 certified enterprise architect. Amit can be reached at Amit.Tank@cognizant.com.

Chintan Desai is a Project Manager within Cognizant’s Banking and Financial Services Business Unit. He has 10-plus years of experience leading all phases of diverse technology projects, and more than seven years of computer programming experience using C and Java in projects involving mobility (Android), enterprise content management and portals. He received a bachelor of engineering degree in computer science from DDIT, Nadiad. Chintan can be reached at Chintan.Desai@cognizant.com.
 
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docxMobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile application
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
 
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
 
Droidcon mobile security
Droidcon   mobile securityDroidcon   mobile security
Droidcon mobile security
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
 
Malware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault AnalysisMalware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault Analysis
 
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
 

Mais de Cognizant

Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Cognizant
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingCognizant
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesCognizant
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition EngineeredCognizant
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...Cognizant
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesCognizant
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateCognizant
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...Cognizant
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Cognizant
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Cognizant
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityCognizant
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersCognizant
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalCognizant
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueCognizant
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachCognizant
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudCognizant
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedCognizant
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the FutureCognizant
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformCognizant
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...Cognizant
 

Mais de Cognizant (20)

Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
Using Adaptive Scrum to Tame Process Reverse Engineering in Data Analytics Pr...
 
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-makingData Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition Engineered
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for Sustainability
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for Insurers
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to Value
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First Approach
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the Cloud
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the Future
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data Platform
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
 

Mobile Banking Security: Challenges, Solutions

Roughly 75% of those surveyed say they would consider using mobile banking services if offered, compared with only 49% who expressed their willingness to try mobile banking services in a similar survey conducted in 2006.[4]

Globally, banks offer a variety of mobile banking services, and those banks that do not currently provide m-banking services claim they plan to do so in the near future to remain relevant, according to a recent survey conducted by the Aite Group.[5] And according to a study from the University of Hamburg, Germany, m-banking mobile applications are growing exponentially; roughly 69% of banks already offer such services.[6]

However, there is a downside to this market momentum. The MQA survey revealed that security remains a major concern in adopting m-banking. Approximately 72% of respondents said they worry about the security of accessing financial data on a mobile device. Nevertheless, 79% of respondents said they would sign up for account balance alerts by mobile. Our research on consumer segments reinforces the importance of security features for choosing banks that offer mobile banking.[7]

Addressing Mobile Security

Mobile device productivity comes at a price — increased security risks. Mobile applications create yet another path into enterprise networks, allowing criminals, fraudsters and hackers to propagate malicious code. Sensitive data stored on a mobile device could be lost or stolen, leading to data breaches, compliance violations and expensive/embarrassing public disclosures. Large organizations recognize mobile device threats and vulnerabilities and understand that they need proper security protection. Just what types of security controls are needed? Figure 1 provides a list of top security requirements and suggested remedies.

Figure 1: Analysis and Recommendations

Authentication
Description: Strong authentication mechanism.
Recommendations: Multistep authentication on secured XML-based Web services for user ID plus password and secure ID/SMS is recommended. An additional recommendation is to check the user’s location using GPS during authentication.

Authorization
Description: Allow authenticated users access only to the business functionality to which they are entitled.
Recommendations: After a user has authenticated, the application can check with the back-end services to determine whether the user has the required access to the application data (i.e., whether the user is mobile-enabled or not). The client displays a secure navigation menu based on the entitlements/access rights of the user. The entitlements/access rights are checked at the back end for each request before any business function is called.

Data Confidentiality
Description: Sensitive data should be kept in memory (and not on disk) only while it is needed.
Recommendations: The application must not store any sensitive data on the file system. Sensitive information should not be leaked through logs and error messages. The application cache manager should clear the data when the application operates in the background. If sensitive data needs to be handled on iOS, use C and not Objective-C. Logs and error messages should be suppressed using a tool like Dexguard[8] for the Android platform and Arxan’s EnsureIT[9] for iOS.

Secure Data Cleanup
Description: All secure objects in the system (data requests, account data, user-related information, etc.) must be securely wiped when a log-off is triggered.
Recommendations: Secure objects and data structures should be cleaned when a log-off is triggered. Where application tampering is detected, the application should be forced shut. The Dexguard library can be used to check whether the application has been tampered with. Where a WebView API is used, it should be cleared during log-off.

Local Data Transfer Prevention
Description: The application should prevent any data from being transferred locally outside the application (e.g., copying it or sending it to an unauthorized external application).
Recommendations: Remove the data from the clipboard when the app operates in the background so it cannot be transferred outside the application. Disable long press for sensitive fields.

Connection Encryption
Description: All network traffic is encrypted.
Recommendations: The HTTPS protocol should be used to connect to the back-end applications. In addition, a white list of IP addresses and domain names should be maintained on the client side to prevent the app from talking to domains not specified on the white list.

OS Security Check
Description: Detect whether the application is running on a jail-broken/rooted/malware-infected device.
Recommendations: Trusteer Mobile SDK[10] is recommended. Trusteer provides a score on OS security updates and malware detection. Based on the score, the application can decide to close the app, or the score can be passed to the back-end systems over a secured channel for further investigation/action.

Jail-Break/Rooted Device Check
Description: The application must prevent hackers from accessing the app where the device is rooted or jail-broken.
Recommendations: Trusteer Mobile SDK is recommended to check whether the device is rooted. Trusteer provides a score if the device is rooted. Based on the score, the application can decide to close the app, or the score can be passed to back-end systems over a secured channel for further investigation/action. Root Tools is another open source API that can be used to conduct a rooted device check.[11]

Preprocessing/String Obfuscating/Symbol Stripping
Description: Eliminate any plain-text resources from the application’s bundle. This prevents malicious attackers from gathering insights on the application internals. The symbol table should be stripped, leaving only unresolved symbols and forcing an attacker to trawl for data in the runtime code, decrypt the binary or use more complex debugger tactics to obtain a map of the application symbols for class names, methods and function names.
Recommendations: Dexguard/EnsureIT is recommended for this purpose. Dexguard/EnsureIT is used to preprocess the application code and encrypt the classes, methods and string constants. Dexguard is also used to obfuscate plain-text files and static content.

Root Certificate Check
Description: To secure communications with the back-end server, a certificate check should be implemented on the client side to ensure that the server certificate is signed by the organization.
Recommendations: The SSL certificate should be bundled with the application. It should be encrypted using a tool like Dexguard/EnsureIT. The SSL certificate should be checked to see whether it is signed by the respective authority. If the certificate is not signed, the app should be closed.

Anti-Debugging Mechanism
Description: The application must prevent debuggers from attaching to it (e.g., to read sensitive data from memory in use by another running application).
Recommendations: In the Android manifest, the debuggable property can be set to false. A tool like Dexguard/EnsureIT supports removal of logging, debug or test code for the production release.

Tamper Checking
Description: The application should check whether it is being tampered with. For example, debug flags can be checked to determine whether the application is being debugged.
Recommendations: A tool like Dexguard/EnsureIT is recommended. A tamper check can be conducted using the Dexguard library. The application should be checked for tampering during launch and closed if it is found to have been tampered with.

Blacklisting Older Versions of the App
Description: It should be possible to block certain older versions of the app on the back-end server if there is a security breach.
Recommendations: A server-side filter can be used to check for blacklisted application versions. If an app version is blacklisted, the user receives an error message and is asked to upgrade the app.

Security Logging
Description: All security events that happen inside the application should be logged and sent to the back-end server.
Recommendations: This is achievable using a secured Web service provided at the back end. All security events are temporarily stored on the device and sent to the server periodically. During log-off, the device data is sent to the server to ensure no confidential data remains on the device.

Anti-pharming[12] Protection
Description: The app should prevent the redirection of its traffic to a malicious server by checking that the host-name look-up with DNS resolves to a white-listed IP.
Recommendations: Trusteer Mobile SDK provides a feature to protect the application from pharming. A custom implementation is possible that verifies a URL against a preconfigured white list for every outgoing service call.

Encrypt Assets
Description: Hide important data, such as property files.
Recommendations: A tool like Dexguard/EnsureIT can encrypt asset files transparently, so hackers will not be able to abscond with them.

Looking Forward

Given existing competitive market dynamics, even small banks now offer mobile solutions to their customers. Online banking, or for that matter any important financial mobile application rollout, takes on increased strategic importance since success there is critical to moving forward. Securing any and all feature-packed mobile apps is therefore exceedingly critical. New threats are always emerging, so security architects need to be forewarned and forearmed on the trends and vulnerabilities to ensure their organizations’ mobile apps are safe and hard to hack, if not impenetrable, before they are implemented. Mobile applications and related security breaches receive much media attention and can undermine a company’s reputation. The above guidelines offer a comprehensive approach and tangible recommendations for defending mobile apps from security breaches. By building comprehensive security features into strategic, feature-rich mobile apps from the get-go, organizations can keep sensitive transactional and interactional data from the prying eyes of those who wish to do them harm over the near and long term.

Cognizant 20-20 Insights | July 2014

Footnotes

1. “There Will Soon Be One Smartphone For Every Five People In The World,” www.businessinsider.in/There-Will-Soon-Be-One-Smartphone-For-Every-Five-People-In-The-World/articleshow/21375608.cms.
2. “Why Your Enterprise Must Rethink Mobile App Development,” www.wired.com/2013/02/why-your-enterprise-must-rethink-mobile-app-development/.
3. “Mobile Marketing Statistics 2014,” www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/.
4. “Security: a major concern for the adoption of m-banking,” www.vasco.com/Images/Mobile_Banking_Security_VASCO.pdf.
5. “Corporate Mobile Banking: A Look at J.P. Morgan ACCESS Mobile,” www.jpmorgan.com/treasury/jpm_access/doc/Corporate_Mobile_Banking_A_Look_at_JP_Morgan_ACCESS_Mobile.pdf.
6. “The Mobile Commerce Prospects: A Strategic Analysis of Opportunities in the Banking Sector,” www.postbank.de/postbank/docs/HamburgUP_Tiwari_Commerce.pdf.
7. “Segment-based Strategies for Mobile Banking,” www.cognizant.com/InsightsWhitepapers/Segment-Based-Strategies-for-Mobile-Banking.pdf.
8. Dexguard, www.saikoa.com/dexguard.
9. Arxan EnsureIT, www.arxan.com/products/mobile/ensureit-for-apple-ios/.
10. Trusteer Mobile SDK, www.trusteer.com/products/trusteer-mobile-sdk.
11. Root Tools, https://github.com/Stericson/RootTools.
12. Anti-Pharming, http://en.wikipedia.org/wiki/Anti-pharming.
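The Connection Encryption, Root Certificate Check and Anti-pharming rows of Figure 1 describe three client-side controls that belong together on every outgoing service call: an allow list of domains and IP addresses, a bundled certificate pin, and a check that DNS resolution lands on an allow-listed address. The Python block below is an added example written for this page, not code from the paper or from any product it names; the host names, the TEST-NET addresses, the certificate bytes and the resolver table are constructed sample values.

```python
"""Client-side guard for outgoing service calls (added example, not the paper's code).

Covers the Connection Encryption, Root Certificate Check and Anti-pharming rows
of Figure 1. All hosts, addresses, certificate bytes and DNS answers below are
constructed for the example.
"""
import hashlib
import hmac
import ipaddress
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

# Constructed client-side "white list" of domains and IP addresses.
ALLOWED_HOSTS = frozenset({"mobile.examplebank.test", "api.examplebank.test"})
ALLOWED_IPS = frozenset({"203.0.113.10", "203.0.113.11"})  # TEST-NET-3 documentation range

# Constructed stand-in for the server certificate bundled with the app.
# A real app ships the precomputed SHA-256 digest of the DER certificate (kept
# obfuscated, as the Root Certificate Check row recommends) rather than the
# whole certificate; the digest is computed here only so the example is self-contained.
BUNDLED_CERT_DER = b"constructed-sample-certificate-bytes"
PINNED_SHA256 = hashlib.sha256(BUNDLED_CERT_DER).hexdigest()


def host_allowed(url: str) -> bool:
    """Accept only https URLs whose exact host name is on the allow list.

    The URL is parsed with urlsplit() instead of string matching so that
    look-alike hosts ("api.examplebank.test.attacker.test") and userinfo
    tricks ("https://api.examplebank.test@attacker.test/") are rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":           # scheme is lower-cased by urlsplit
        return False
    host = parts.hostname                 # lower-cased, userinfo and port removed
    return host is not None and host in ALLOWED_HOSTS


def resolves_to_allowed_ip(host: str, resolver: Callable[[str], Iterable[str]]) -> bool:
    """Anti-pharming check: every address the host resolves to must be allow-listed."""
    addresses = [str(ipaddress.ip_address(a)) for a in resolver(host)]  # normalised form
    return bool(addresses) and all(a in ALLOWED_IPS for a in addresses)


def certificate_pinned(peer_cert_der: bytes) -> bool:
    """Compare the presented certificate's digest with the bundled pin (constant time)."""
    digest = hashlib.sha256(peer_cert_der).hexdigest()
    return hmac.compare_digest(digest, PINNED_SHA256)


def guard_request(url: str, peer_cert_der: bytes,
                  resolver: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Run all three checks before a request leaves the app; returns (allowed, reason)."""
    if not host_allowed(url):
        return False, "host not on allow list"
    host = urlsplit(url).hostname
    if not resolves_to_allowed_ip(host, resolver):
        return False, "host resolved outside the allowed IP set"
    if not certificate_pinned(peer_cert_der):
        return False, "server certificate does not match bundled pin"
    return True, "ok"


def constructed_resolver(host: str):
    """Offline stand-in for DNS; the second entry models a poisoned answer."""
    table = {
        "api.examplebank.test": ["203.0.113.10"],
        "mobile.examplebank.test": ["198.51.100.7"],  # constructed pharming case
    }
    return table.get(host, [])


if __name__ == "__main__":
    print(guard_request("https://api.examplebank.test/v1/balance", BUNDLED_CERT_DER, constructed_resolver))
    print(guard_request("https://mobile.examplebank.test/v1/balance", BUNDLED_CERT_DER, constructed_resolver))
```

Exact-host comparison on the parsed host name is the part most often done wrong: a substring or prefix match accepts look-alike domains, and a naive split on "/" reads the userinfo component as the host. On a device the peer certificate bytes come from the TLS handshake and the resolver is the platform DNS client; the three checks run in the order shown so that no connection is opened to a host that fails the allow list.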
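The Authorization and Blacklisting Older Versions rows of Figure 1 both describe checks that live on the back end and run on every request, whatever the client's navigation menu displayed. This Python block is an added example, not the paper's code; the version numbers, the entitlement table and the Request fields are constructed.

```python
"""Back-end request filter (added example, not the paper's code).

Covers the Authorization and Blacklisting Older Versions rows of Figure 1.
Version numbers, entitlements and the request shape are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed policy: builds withdrawn after a breach, plus an overall floor.
BLACKLISTED_VERSIONS = frozenset({"2.1.0", "2.1.1"})
MINIMUM_VERSION = "2.0.0"

# Constructed entitlement store: user -> business functions they may call.
ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"balance", "transfer"}),
    "bob": frozenset({"balance"}),  # bob is not entitled to transfers
}


@dataclass(frozen=True)
class Request:
    user: str            # taken from the authenticated session, never from the client body
    authenticated: bool
    app_version: str     # e.g. from a request header the client sends
    function: str        # business function the client is asking for


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that "2.10.0" compares greater than "2.9.0"."""
    return tuple(int(part) for part in v.split("."))


def version_blocked(v: str) -> bool:
    """True for blacklisted, too-old or malformed version strings."""
    try:
        parsed = parse_version(v)
    except ValueError:
        return True  # an unparseable version string is treated as untrusted
    return v in BLACKLISTED_VERSIONS or parsed < parse_version(MINIMUM_VERSION)


def filter_request(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, message). The version gate runs before anything else."""
    if version_blocked(req.app_version):
        # The outcome the paper describes: an error message asking the user to upgrade.
        return 426, "This version of the app is no longer supported; please upgrade."
    if not req.authenticated:
        return 401, "Authentication required."
    allowed = ENTITLEMENTS.get(req.user, frozenset())
    if req.function not in allowed:
        # Checked on every request, regardless of what menu the client rendered.
        return 403, "Not entitled to this function."
    return 200, "ok"


if __name__ == "__main__":
    print(filter_request(Request("bob", True, "2.3.0", "transfer")))
    print(filter_request(Request("alice", True, "2.1.1", "balance")))
```

Ordering the checks this way means a build withdrawn after a breach is turned away before any credentials are processed, and the entitlement lookup keys on the identity established by the session rather than on anything the client sent. Version strings are compared numerically; a string comparison would wrongly rank "2.10.0" below "2.9.0".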
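The Security Logging and Secure Data Cleanup rows of Figure 1 call for security events to be held on the device only briefly, shipped in batches to a secured back-end Web service, and flushed at log-off so that nothing remains. This Python block is an added example, not code from the paper; the transport is a constructed in-memory stand-in for that Web service, and the event names and fixed clock are invented for the example.

```python
"""On-device security event buffer (added example, not the paper's code).

Covers the Security Logging and Secure Data Cleanup rows of Figure 1. The
transport class is a constructed stand-in for the paper's secured Web service.
"""
import json
import time
from typing import Callable, Dict, List


class SecurityEventBuffer:
    """Queue events in memory, ship them in batches, empty the queue at log-off."""

    def __init__(self, send: Callable[[str], bool], flush_every: int = 5,
                 clock: Callable[[], float] = time.time):
        self._send = send                 # transport to the back-end service
        self._events: List[Dict] = []
        self._flush_every = flush_every   # batch size that triggers a periodic flush
        self._clock = clock

    def record(self, kind: str, **details) -> None:
        """Append an event; secrets are referenced by opaque ids, never embedded."""
        self._events.append({"ts": self._clock(), "kind": kind, **details})
        if len(self._events) >= self._flush_every:
            self.flush()

    def flush(self) -> int:
        """Send all pending events as one batch; keep them only if the send fails."""
        if not self._events:
            return 0
        batch = json.dumps(self._events)
        if self._send(batch):
            sent = len(self._events)
            self._events = []
            return sent
        return 0

    def logoff(self) -> int:
        """Flush, then drop whatever could not be sent so nothing stays on the device."""
        sent = self.flush()
        self._events.clear()
        return sent

    def pending(self) -> int:
        return len(self._events)


class ConstructedTransport:
    """Stand-in for the secured Web service; records batches it accepted."""

    def __init__(self, available: bool = True):
        self.available = available
        self.received: List[str] = []

    def __call__(self, batch: str) -> bool:
        if not self.available:
            return False
        self.received.append(batch)
        return True


if __name__ == "__main__":
    transport = ConstructedTransport()
    buf = SecurityEventBuffer(transport, flush_every=3)
    buf.record("login_failure", user_ref="u-1")
    buf.record("root_detected")
    buf.record("tamper_check_failed")   # third event triggers the periodic flush
    print(len(transport.received), buf.pending())
```

logoff() discards events that could not be delivered rather than keeping them, which follows the paper's priority that no data remain on the device after log-off; a deployment that cannot tolerate losing audit events would instead encrypt the remainder at rest and retry delivery at the next launch.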
About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 75 development and delivery centers worldwide and approximately 178,600 employees as of March 31, 2014, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters
500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
Email: inquiry@cognizant.com

European Headquarters
1 Kingdom Street
Paddington Central
London W2 6BD
Phone: +44 (0) 20 7297 7600
Fax: +44 (0) 20 7121 0102
Email: infouk@cognizant.com

India Operations Headquarters
#5/535, Old Mahabalipuram Road
Okkiyam Pettai, Thoraipakkam
Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000
Fax: +91 (0) 44 4209 6060
Email: inquiryindia@cognizant.com

© Copyright 2014, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

About the Authors

Amit Tank is a Solutions Architect within Cognizant’s Banking and Financial Services Business Unit. He has over 12 years of industry experience across several industry sectors including (but not limited to) software product development, professional services, research and development, manufacturing engineering and software applications. Amit has architected, designed and developed critical business-centric enterprise applications for companies in the insurance, mortgage, banking and financial services industries. He earned his bachelor’s degree in engineering from NIT Durgapur, India and is a TOGAF 9 certified enterprise architect. Amit can be reached at Amit.Tank@cognizant.com.

Chintan Desai is a Project Manager within Cognizant’s Banking and Financial Services Business Unit. He has 10-plus years of experience leading all phases of diverse technology projects, and more than seven years of computer programming experience using C and Java in projects involving mobility (Android), enterprise content management and portals. He received a bachelor of engineering degree in computer science from DDIT, Nadiad. Chintan can be reached at Chintan.Desai@cognizant.com.