The increasing popularity of financial apps on mobile phones can be attributed to their simplicity and speed, but that popularity also raises serious security concerns. Account information is typically stored in one centralized location on the device, making it easy for a user to navigate and even easier for a hacker to access.
But according to James Lyne at online security firm Sophos, this poses a serious threat to consumers that will only intensify in coming years.
What can consumers do to stop it?
Beginning of the Wave
“The problem is that users may view these devices as eminently secure, when in reality they are just waiting to receive more attention from cyber-criminals,” Lyne says. “We are only at the beginning of the wave.”
The anticipated wave threatens the financial well-being of consumers nationwide — one reason consumers may be hesitant to trust even the most renowned financial apps with their personal information.
However, mobile security firm NowSecure suggests hackers are not merely a reason why consumers shouldn’t trust such apps. Perhaps hackers are the very reason consumers can.
A Good Hack
A hacker can gain access to the personal data of thousands by breaching the security of a single company, but not all hackers use this information for fast financial gain.
Ethical hackers, or “white hat” hackers, leverage their technical expertise for the good of the company and the consumer. Though they use methods almost identical to those of their criminal counterparts, ethical hackers are non-malicious hackers who expose and report security vulnerabilities, giving the company a chance to fix any flaws before a malicious hacker has a chance to exploit them.
The “white hat hackers” at NowSecure proved their worth during a Mobile App Security Study, testing the security of 32 financial apps.
If the hackers were unable to access any compromising data, the app received a “Pass” rating. If minimal or trivial data was uncovered, the app received a “Warn” rating, and apps that exposed a password or other sensitive material received a “Fail” rating.
Ten of the apps received a “Warn” rating. Eight failed the test altogether.
Mint.com Personal Finance, now rated as one of the top five financial apps in the App Store, failed because it stored sensitive account information directly on the phone — to the point that even the PIN was unencrypted, NowSecure found.
So why does the app have more than 20 million users?
A Valuable Lesson
In 2010, The New York Times published an interview with Aaron Patzer, the founder of Mint.com. Patzer said the financial data of users was protected with the same level of security as many financial institutions use: encrypted and stored in a guarded, unmarked building.
“The only way to decrypt the user names and passwords from those servers, and to change the way the data is encrypted, is to use an encryption key that is broken up on five different smart cards carried by senior Mint.com executives,” Mr. Patzer said.
That was less than one year before the hackers behind the Mobile App Security Study easily accessed the user information and awarded the app a “Fail” rating.
Though the study’s findings are frightening, viaForensics believes the flaws it found shed light on how the companies could improve their digital security.
For Mint.com, it was an opportunity to show its commitment to safe and secure practices, starting with the encryption of all user information and regularly hiring hackers to test the security systems in place. Gaining user trust became a top priority.
In fact, the increasing number of ethical hacks in recent years is perhaps the very reason financial apps can be trusted, if at all. White hat hackers are often contracted by such companies in an effort to fine-tune security tools, adjust policies and identify training opportunities, according to industry analysts at the consulting firm Frost & Sullivan.
This need for hacking is nothing new, though it certainly testifies to the dynamic world of mobile security.