Fingerprint technology far from foolproof for banking apps

A new approach to mobile user protection should focus on self-defending apps that provide an integrated, dedicated and secure solution to cyber-crime threats, suggests Tom Lysemose Hansen


Biometric technology has begun to establish a foothold in the UK banking sector at a time when the banks are only beginning to map the essential contours of cyber-security risk for established technologies. Banks have recently pioneered the technology in mobile banking applications by replacing the two-step verification process with a one-step fingerprint identification method, which has been lauded for its benefits in both security and convenience.

Initial indications suggest that consumers have been quick to adopt the technology. However, public dialogue on how effectively it deters cyber-criminals is limited, as is the literature on the application security that surrounds it. The onus is now on the banks to ensure they do not find themselves woefully ill-equipped to deal with the ever-changing vectors of cyber-fraud. In a recent report Gartner has predicted that 75 per cent of mobile applications will fail the most basic security tests in 2015, so it is pertinent that the banking industry adopts a security-led approach that does not weaken security in favour of user convenience.

Removing the two-step security process in favour of fingerprint identification certainly does not eliminate the issue of malware compromising the banking app: the malware simply waits for the user to complete the two-factor authentication process or fingerprint identification before taking over the application to compromise the transaction and user details, thereby jeopardising confidential customer data.

Firms and developers need to fully appreciate the environment in which mobile applications run. The days of deploying an insecure, poorly developed app are gone, as apps now operate in the high-threat environment we all know as the internet.

Many financial institutions are currently spending substantial amounts of money on central security systems while spending far too little time on securing the customer's identity on mobile phones or PCs. They need to start taking action to protect the apps their customers use.

The financial industry should adopt proactive solutions that stop malware attacks before they do any harm; this can be done without changing the customer experience. User protection must focus on app vulnerabilities rather than on individual threats to ensure a safe mobile banking experience, even on devices that have previously been compromised. Self-defending apps can provide an integrated, dedicated and secure solution that protects the end user from the perils of cyber-crime.

The new approach should be whitelist-based, with the burden of responsibility shared at the app level, moving responsibility from the device user to the app provider, which is likely to be a financial institution. Furthermore, banks need to broaden their perception of security, which has often been seen as too narrowly linked to money fraud. A wider, all-encompassing approach that also covers the sensitive personal information handled within the app would leave banks well positioned to stop damaging malware attacks now and in the future.

Additionally, in today's environment the security architecture of mobile devices does not work well with traditional mechanisms like anti-virus, so it is pertinent to implement further security features at the app level. Ideally apps should be self-defending to withstand the hazards of cyber-crime. With the adoption of this approach the attack is blocked by the application itself, and the application continues to operate securely which creates a balance of user friendliness with strong security protection.

Gone are the times when firms could afford to leave security as a mere afterthought in software manufacturing. It is becoming an increasingly important concern during development as applications become more accessible over networks and consequently vulnerable to a wider variety of threats. Security measures built into applications will go some way to offset the risk of sensitive data being stolen or modified, which can have a negative effect upon users. As the technology matures, institutions should not simply prioritise giving consumers the simplest form of access to their finances, but rather should offer the most secure banking experience.

A synchronised and prevention-led approach by both financial institutions and developers can prove invaluable in the battle against crime on the mobile platform and offers the chance to break a vicious cycle in which money gained from fraud is reinvested in malware tools, further strengthening the criminals' arsenal and their revenues.

Contributed by Tom Lysemose Hansen, Founder of Promo