The Pradeo Lab, a worldwide leader in mobile devices and applications security, analysed the mobile applications of 50 of the world’s top 100 banking establishments to identify security breaches. It discovered on average every app was vulnerable to seven security threats: that is, 100% of the 50.
Data from the BBA, the leading trade association for the UK banking sector, says there were 11 million banking app logins a day during 2015, a 50% rise for 2014***. American Federal Reserve stats show that 71% of people using mobile banking services are confident about the security of mobile banking transactions**. In fact, it is estimated that the security failings revealed in the Pradeo test could affect over half a billion, or 500 million, people worldwide.
“Our job is to provide solutions to prevent threats generated by mobile applications and mobile device environments. We chose to make an assessment of the threats targeting banking applications because of their importance. We were very much not expecting what we discovered as our analysis evolved.” explains Clément Saad, Founder and President of Pradeo.
Mr Saad explained that what is worrying is not only the number of establishments concerned, but also the number of techniques that worked when the company checked potential security approaches. “We did not settle for a demonstration of the vulnerability of each application in front of a simple keylogger, but their weaknesses facing more than twenty threats. Not a single banking app successfully passed our exam, and on average, and each app was susceptible to seven breaches.”
Potential cybercriminals attack banking apps with a number of different goals: stealing passwords, spying into account behaviour, retrieving transaction validation codes to name just a few.
Many malicious actions are within the reach of many computer geeks. Under the disguise of a game or a utility, “malware” lies in wait before working silently on thousands or even millions of devices as was the case with the malware Marcher.
Should users be concerned? For Clément Saad, while the implications of his company’s findings are far-reaching, the priority is to equip banks with the right tools to beat cyber criminals in a rapidly evolving digital landscape: “We limited Our study to 50 banks. Chances are that apps from other banking establishments are also at risk and that consequently, the number of impacted users is potentially very significant. While there have not yet been any major security issues with banking apps, banks need to address these issues. This is why Pradeo develops these tests as well as the solutions. The world of mobile applications is relatively young compared to the web and it is evolving quickly. It takes time to better understand this new environment and face the threats linked to it.”