Community banks are feeling extreme pressure to keep pace with cutting-edge customer experiences offered by tech giants and sophisticated digital products being launched by big banks. But a new app rushed through development could be laden with security pitfalls.
With no in-house app development team, smaller banks “are at the mercy of their provider,” said Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research. “Every year, our researchers somewhere find a ton of banking apps with something broken.”
The issue is that every bank has to meet specific security needs, but the demand to get an app to market puts pressure on outsourced app developers, and therein a gap can form. Developers may add code or features that, while enhancing the user experience, fail to pass security muster.
Banks are “turning around apps like they’ve never done historically,” said David Vergara, head of security product marketing at OneSpan, a Chicago-based banking cybersecurity and IT service provider. “But if you were to ask the app developers, because they’re stressed, if they had a choice [about] what they are going to focus on, 10 times out of 10, it’s going to be user experience.”
There are now over 6,000 consumer banking mobile apps in the U.S., the highest number ever in the market, according to Malauzai Software, an Austin, Tex.-based app developer that was recently acquired by the U.K. fintech giant Finastra.
Such a crowded field presents a tempting target for hackers. A recent study of European apps found that several from major banks had a common flaw that could allow the theft of customer information, including passwords and PIN codes.
Cybercriminals are moving from just hacking for volume and finding the path of least resistance to being more sophisticated and targeted in their approach, Pascual said. “They are being very methodical and systematic in terms of how they build their profiles, do their own research and share on the dark web.”
The vulnerabilities extend to existing apps too, Pascual said, as updates may be made by vendor employees whose primary concern is not security.
Community banks relying on vendors, then, should start with setting some guidelines for app developers, Pascual said.
“There is much more of a focus as of late on either teaching developers to follow secure coding practices or to get them better tied into the security team so that the left hand knows what the right hand is doing,” he said.
Smaller banks should be vigilant about updates for apps they have licensed, and determine if the app vendor has secure development operations, Pascual added.
This can be achieved by annual vendor reviews, he said. The opportunity can also come during the search for a new mobile app provider, while converting to a new core provider, or if there are changes to be made to add new functionalities to existing apps.
When the tech team at Savings Bank of Walpole in New Hampshire gets an update from its app vendor for new mobile functionalities, such as fingerprint identification technology, they test the feature and consider how a potential fraudster might bypass it and break into the application.
“The vendor can tell you, ‘This is what we’ve done with this new feature,’ but you then have to take a look at it as a financial institution and decide whether or not it will work for you and your customers and your risk tolerance,” said Ingrid Hebert, e-banking officer with the company. The $415 million-asset bank uses Q2 as its mobile app provider.
But the bank has yet to reject a feature update from Q2 for security reasons. When the bank sees a potentially risky feature, it will create a better way to verify the customer’s identity.
In a new feature for external transfers, the vendor allowed the customer to submit their request, fund the external account and grant access to that external account, all as an automated process, Hebert said. After testing the app, the bank implemented a callback to the customer during one of the processes.
“The industries outside of banking are dictating how we do banking,” she said. “So we have to provide customers with that user experience and make sure that it’s in a secure environment.”
Community banks also have to strike a balance with adding levels of authentication for their customers. It’s the consumer that drives the balance between user experience and security measures, said Jan Sterzinger, e-services manager at Forward Financial Bank in Marshfield, Wis.
“The consumers themselves have it in their minds, based on other apps that they see and interact with and they use, what they’re willing to do to use an app,” Sterzinger said.
The $440 million-asset bank is in discussions with its vendor, Malauzai, on creating a business app with added levels of security for riskier transactions.
Clear Mountain Bank in Bruceton Mills, W.Va., conducts a yearly review of its mobile app vendor, Fiserv, and does a review whenever there is a product update. The $597 million-asset bank reviews Fiserv’s operational audit reports, financials and business continuity plans.
“We have had a mobile app since 2012,” said Kiley Jenkins, the bank’s chief information officer. “We try to secure things as best as we can before we see the fraud.”