PSD2: How secure is the future of mobile finance?

By Mark Noctor | 25 April 2017

The ubiquitous smartphone has impacted almost every aspect of our lives, with apps now available for almost every conceivable daily task. As much as our lives have been changed by this development, however, the impact is felt much more keenly by service providers - and perhaps by none more so than financial services.

Mobile services have rapidly transformed banking, and research from consultancy firm CACI estimated that current account customers in the UK visited their accounts more than 895 million times via mobile apps last year alone, overtaking 705 million visits via computer and dwarfing the 427 million visits to branches.

The trend is only set to accelerate as the leading banks set their sights on mobile services as their main competitive battleground. The latest wave of new challenger banks such as Starling, Monzo and Atom have bet on an app-only approach, doing away with traditional infrastructure entirely.

With the new opportunities presented by digital banking comes a new attack surface for cyber criminals to commit fraud and theft. Financial institutions have long been equipped to deal with the monetary cost of criminal action against their customers, but cyber attacks carry a much higher cost in terms of damage to reputation and brand. Trust in security is an increasingly important part of choosing a digital service, and customers who leave because they feel their provider did not protect them will be hard to win back.

The move towards open banking

While we can expect individual providers to continue to push the envelope in how they deliver banking and payment services, the biggest change on the horizon comes from impending updates to the EU’s Payment Service Directive (PSD) coming into effect in 2018. The updated directive, known as PSD2, will enable bank customers – including both individual consumers and businesses – to conduct their finances through third-party providers.

The updated directive is aimed at providing more flexibility and freedom to users, with customers essentially being able to mix and match individual solutions and services as they see fit, without having to transfer money from their original accounts to create new ones. This extends to non-banking solutions as well – for example paying bills or transferring money via social media.

However, this increased flexibility comes with some major security concerns. In particular, the use of Application Programming Interfaces (APIs), which are essential to allowing different apps and systems to communicate, also creates new opportunities for cyber criminals.

Connecting with APIs

APIs are a set of instructions or routines that complete a specific task or interact with another system, whether it’s a server or application. APIs are increasingly popular with developers because they can be easily integrated into software to complete complex tasks. Within the context of banking and finance, APIs would ensure that various apps are able to communicate with other banks’ servers, as well as with other apps and services.

However, APIs can also provide attackers with the keys they need to access the systems. Most API Management Solutions use a simple authentication process to confirm that the client app on a device is genuine and has been authorised to access and utilise server assets – in this case retrieving customer data for comparison. The challenge-response exchange used for this is generally a cryptographic operation, which means that the mobile client will contain a secret key for an asymmetric cipher.

Decompiling an app’s code would give an attacker the opportunity to root out these keys, enabling them to trick the system into recognising them as a legitimate client and to connect with anything the API was authorised for. In the case of a financial app that has access to a bank’s server and payment and fund transfer capabilities, the impact would be like a bank robber finding the keys to a bank vault.

Deconstructing financial apps

While the potential threats around open banking and the use of APIs are still developing, there are also plenty of legacy issues that need addressing as apps become the mainstay of financial services.

One major issue is that most apps still lack binary protection. Ninety-eight percent of the top financial apps we have tested shared this weakness, creating a dangerous opportunity for attackers. Binary code is the core of an app’s make-up and tells a device how to read and execute an application. Accessing and modifying the binary can change how the app behaves, for example disabling security controls and bypassing other restrictions. Compromised apps can also be used as a vector for other attacks such as injecting malware.

Seventy-eight percent of the apps we tested also lacked adequate transport layer protection. This governs the transfer of data from one end system to another – essentially whenever the app communicates with something, such as a server or another device. A lack of protection exposes the app to “Man in the Middle” attacks, where the hacker is able to intercept data by tricking the app into sending them data meant for another entity. Addressing this flaw is crucial as the market for P2P lending and payment apps grows.

Defending against attackers

With mobile apps set to dominate the financial services scene for the foreseeable future, it is essential that developers can protect them from attackers seeking to break into them to steal cryptographic keys or reverse engineer them.

Application hardening techniques should be a standard part of the development cycle, something which is usually done after testing and just prior to the release of the app to the app store. Hardening techniques include obfuscation, which scrambles the code so that it is unusable to attackers. Hiding text encodings, encryption, and changing easy-to-understand program symbol names will also make it much more difficult for an attacker to exploit the code. Other techniques to prevent tampering include debugger detection measures, which detect whether the application is being executed in a debugging environment used by hackers to probe for weaknesses, rather than on a real device. Checksums can also be hidden within the code, triggering an alert if the code is altered during runtime.
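The runtime checksum just described has one design detail worth seeing in code: the stored digest must be excluded from its own input, otherwise sealing it would change the value it is meant to match. The following is an added illustration, not code from the article or any hardening product; the "image" is a constructed byte buffer standing in for a code section, and `seal_image`, `verify_image` and the slot offset are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_LEN 4   /* bytes reserved inside the image for the digest */

/* 32-bit FNV-1a over the image, skipping the digest slot. An unkeyed
 * hash keeps this example dependency-free; it detects modification, but
 * whoever locates the check can recompute it, which is why hardening
 * tools hide several such checks and obfuscate the code around them. */
static uint32_t image_digest(const uint8_t *img, size_t len, size_t slot)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        if (i >= slot && i < slot + SLOT_LEN)
            continue;               /* the slot is not part of the input */
        h ^= img[i];
        h *= 16777619u;
    }
    return h;
}

/* Post-build step: write the digest into the slot (little-endian). */
void seal_image(uint8_t *img, size_t len, size_t slot)
{
    uint32_t d = image_digest(img, len, slot);
    for (int i = 0; i < SLOT_LEN; i++)
        img[slot + i] = (uint8_t)(d >> (8 * i));
}

/* Runtime step: 1 if the image still matches its sealed digest, else 0. */
int verify_image(const uint8_t *img, size_t len, size_t slot)
{
    uint32_t stored = 0;
    for (int i = 0; i < SLOT_LEN; i++)
        stored |= (uint32_t)img[slot + i] << (8 * i);
    return image_digest(img, len, slot) == stored;
}

/* Constructed 24-byte image with the slot at offset 8; returns 1 when the
 * untouched image passes and a copy with one patched byte is rejected. */
int demo_tamper_detection(void)
{
    uint8_t img[24] = {0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x83, 0xf8,
                       0, 0, 0, 0, 0x74, 0x05, 0xe8, 0x10,
                       0x00, 0x00, 0x00, 0x5d, 0xc3, 0x90, 0x90, 0x90};
    seal_image(img, sizeof img, 8);
    int ok_before = verify_image(img, sizeof img, 8);
    img[12] ^= 0x9f;   /* simulate a one-byte patch to the code bytes */
    int ok_after = verify_image(img, sizeof img, 8);
    return ok_before && !ok_after;
}

int main(void)
{
    printf("tamper detected: %s\n", demo_tamper_detection() ? "yes" : "no");
    return 0;
}
```

In a shipped app the sealing step runs on the final binary after obfuscation, and the verifier's response (alert, degrade, or exit) is itself hidden so that a single patched branch does not disable it.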

Cryptographic keys should be the main priority as they are used for key tasks such as binding devices to accounts and proving user identity. One of the most effective ways of protecting keys is white-box cryptography, which keeps the cryptographic key data in the Host Card Emulation solutions commonly used by payment apps safe even after extensive penetration testing by experienced hackers.

The good news for consumers is that many of the leading financial service firms have already adopted these and other advanced security measures to keep their applications safe. However, with the market becoming increasingly crowded there are still many apps lacking in crucial security. As the market matures and user awareness grows, security will be a key differentiator, and apps will need to prove that they are taking the threats against them seriously if they are to compete.
