
2.2 Project Considerations

2.2.1 Security

Due to the nature of financial apps, they will always have to be concerned with how to protect the personal data entrusted to them. According to He et al. (2015), the understanding of “emerging threats, vulnerabilities and counter-measures” of banking applications is “critical to the future of mobile banking” (p.1).

As discussed in the PSD2 background (Section 1.1.1), all third party providers of this kind will require some currently unspecified level of security certification in order to pass authentication and be trusted by banks to use their APIs. This section looks at how the public perceives the level of safety offered by mobile banking, along with common threats to mobile devices from applications.

Perceptions of Mobile Banking Safety

Many papers suggest that user adoption of banking apps is limited by negative perceptions of security (Ferris, Stahle, and Baggili (2014); Kim, Ha, and Park (2015); Luo et al. (2010)), meaning that a transparent and effective attitude to security may be key to persuading more consumers to make use of mobile finance applications. Ferris, Stahle, and Baggili (2014) suggest that it is a lack of knowledge among users that causes issues, as they are “wary of putting their financial resources in danger” when they are not sure what security concerns actually exist. This is backed up by research undertaken by the U.S. Federal Reserve, shown in Figure 2.2, which indicates that non-users are either uninformed about or distrustful of mobile banking provision.

[Figure 2.2: chart not reproduced. Responses are split between “Not a Mobile Banking User” and “Mobile Banking User”; the only value that survived extraction is 27%.]

Figure 2.2: U.S. Federal Reserve study on how 2,280 interviewees felt about the security of mobile banking for protecting personal information (Reserve 2013)

The public perception of mobile banking has also not been helped by high-profile breaches of online banking security in the UK. For example, in 2010 Barclays was accused of neglecting security in favour of usability when over-simplification of its online banking login page allowed illegal access by third parties (Smyth 2010), leading to additional security steps in the login process. However, Potter (2006) concludes that security cannot come at the expense of usability, and Gummerus and Pihlström (2011) suggest that ease of use is the most attractive aspect of mobile banking. Viewing these alongside the risk of breaches points towards the need to balance security and usability in order to earn and maintain a good public perception of a given product.

Threats to Mobiles

There exist a number of different methods of attacking mobile devices, which both bank applications and users have to be wary of if they are to avoid leaking sensitive information. A distinct lack of academic research into the threats against banking apps led He et al. (2015) to adopt the novel approach of blog mining to augment the relatively small quantity of published peer-reviewed literature. This research led to the identification of five primary threats to mobile banking: mobile malware, third party applications, fraudulent applications, unencrypted Wifi networks and app vulnerabilities.

Mobile Malware Malware is the category encompassing viruses, rootkits and trojans. Much of the mobile malware in circulation consists of variants of existing malware that already affects traditional computers and mobile banking (Webroot 2014). Cyber-criminals have refined this malware to specifically target bank accounts once on a mobile device, with efforts made to thwart the new security defences built into mobile banking (He et al. 2015).

Third Party Applications Third party applications, here defined as ones not downloaded from the official Android Market/iOS App Store, can secretly tamper with existing banking apps on the device and be used to extract account data (He et al. 2015).

Fraudulent Apps Fake applications can persuade consumers that they are a different, legitimate application, but contain malicious code to steal users' bank account login details.

Unencrypted Wifi Networks Public wireless networks are not always secure: criminals can eavesdrop on these shared networks to monitor other people's use of mobile banking over Wifi and extract sensitive information (Legnitto 2013).

App Vulnerabilities Exploitable app vulnerabilities can be a serious issue when discovered by attackers. For example, many banking apps lacked protection against reverse engineering of their code as of 2014 (Buckley and Varney 2014).

Ways to Counter Threats

The Android mobile operating system aims to help users understand the security concerns of apps by enforcing acceptance of permissions when installing new applications. Felt, Greenwood, and Wagner's (2011) study of Android permissions concluded that the permission requirements are generally beneficial to system security, though in their study of nearly 1,000 applications they found that 93% of free applications required at least one permission on installation that could be considered dangerous (p.80).

Kelley et al. (2012) concluded simply that “users do not understand Android permissions” (p.78), leading most to simply ignore them. This is understandable given their finding that users are largely uninformed about the existence of any malicious activity at all that could come from the Android Market, and suggests that permissions alone cannot make the average user fully aware of, and so responsible for, any questionable actions by their apps.
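The permission triage that the studies above describe informally can be automated. The following is an added example, not code from this thesis or from any of the cited papers: it parses an AndroidManifest.xml and flags the requested permissions that fall into the dangerous protection level. The manifest is constructed for illustration (a flashlight app asking for SMS and contact access), and the DANGEROUS set is an assumed partial list of Android's runtime permissions rather than the full classification used by Felt, Greenwood, and Wagner (2011).

```python
"""Audit an AndroidManifest.xml for dangerous-level permissions.

Added example, not code from the original text or any cited paper.
The manifest below is constructed, and DANGEROUS is an assumed partial
list of permissions that Android documents as dangerous (runtime
permissions guarding private user data).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed partial list; extend from the platform's own protection levels.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# SMS access is singled out because it lets a third-party app read
# SMS-delivered one-time codes used by banks as a second factor.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample manifest resembling a third-party "flashlight" app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every permission declared via <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name in Clark notation
    return [el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)]


def dangerous_permissions(manifest_xml: str) -> List[str]:
    """Return the subset of requested permissions that are dangerous-level."""
    return [p for p in requested_permissions(manifest_xml) if p in DANGEROUS]


def audit(manifest_xml: str) -> Dict[str, object]:
    """Summarise the manifest: what is requested, what is dangerous, and
    whether any permission could expose banking credentials or OTP codes."""
    requested = requested_permissions(manifest_xml)
    dangerous = [p for p in requested if p in DANGEROUS]
    sms = [p for p in dangerous if p in SMS_PERMISSIONS]
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "requested": requested,
        "dangerous": dangerous,
        "can_read_sms_otp": bool(sms),
        "flagged": bool(dangerous),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['package']}: {len(report['requested'])} permissions, "
          f"{len(report['dangerous'])} dangerous")
    for perm in report["dangerous"]:
        print("  DANGEROUS:", perm)
    if report["can_read_sms_otp"]:
        print("  warning: app can read SMS-delivered one-time codes")
```

A reviewer would run this over every third-party app on a device alongside the banking app; a permission that is dangerous in general is most concerning when, as here, it has no plausible relation to the app's stated purpose.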

To help prevent malicious attacks on legitimate, non-fraudulent applications there have been a number of suggested approaches. Modern approaches to security in these apps include two-factor authentication and suitably strong encryption. Recently some banks have also started using the fingerprint readers present on some modern handsets, which Fatima (2011) suggested as a potential authentication method alongside voice recognition software. Biometrics have their own vulnerabilities, though, so it is best to combine them with other authentication methods for stronger verification (He et al. 2015).