¶ºÒõ¹Ý

Data Security 01-10-2014

Mobile Banking Creates Serious Security Concerns

¶ºÒõ¹Ý

Of all the mobile apps out there your personal banking app is likely to be the most secure, right? Wrong! A researcher recently discovered several security vulnerabilities in 40 personal banking apps from 60 of the world's biggest banks.

The research also found that almost half of the apps tested do not validate the authenticity of the SSL Certificates being presented.

According to a recent article posted on the , Ariel Sanchez from IOActive found that 90% of the apps contain non-SSL links.

"Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms." -Ariel Sanchez, IOActive

The need for SSL Certificate Authentication

All SSL is not the same. SSL is critical when making a secured connection. But a secure connection to a bad actor does you no good. When connecting securely to exchange login credentials, payment information, or private information, it's critical that you make a secured connection to someone you trust. Cheap SSL Certificates enable privacy, but offer no authentication that the organization on the other end is who they claim to be.

Hackers can obtain SSL Certificates, but high assurance Certificate Authorities like ¶ºÒõ¹Ý only issue SSL Certificates to parties that undergo identify verification. That means that when you see a ¶ºÒõ¹Ý certificate, you can be sure that the bank you're working with is really the bank you expect it to be, not a hacker with a phishing web site.

Validated SSL Certificates, especially Extended Validation or EV SSL Certificates with the green bar provide trust when creating a connection online. Secure SSL is more than just encryption, SSL done right means online trust.

Tips to Protect Yourself Online

Sanchez recommends that affected financial institutions take the following precautions:

  • Ensure that all connections are performed using secure transfer protocols
  • Enforce SSL Certificate checks by the client application
  • Protect sensitive data stored on the client side by encrypting it using the iOS data protection API
  • Improve additional checks to detect jail broken devices
  • Obfuscate the assembly code and use anti-debugging tricks to slow the progress ofÌýattackers when they try to reverse engineer the binary
  • Remove all debugging statements and symbols
  • Remove all development information from the production application

The next time you're presented with a $20 Cheap SSL Certificate, remember the adage "you get what you pay for". Authentication and trust matter, are you willing to put your organization's reputation at risk and putÌýcustomer data at risk?

Choosing the right SSL is first step in the process, followed by ensuring that connections are secured and that sensitive data stored is protected. Learn more about andÌýkeep your information safe.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-11-2024

FIPS 140-3 certification unlocked for ¶ºÒõ¹Ý TrustCore SDK

10-31-2024

Announcing the GA release of ¶ºÒõ¹Ý Device Trust Manager