
09:00 AM
Elias Manousos
Commentary

Financial Firms Must Assess App Store Risks

With mobile malware rampant, it is surprising only 18% of financial firms monitor for malware or copycat apps on a daily basis.

Mobile apps are a great way to reach the exploding population of smartphone and tablet users, as an increasingly large number of financial services firms have been discovering. But distributing these apps to the public opens those firms to a new set of risks.

Many mobile apps are distributed through third-party app stores, which are often not secure. The resulting exposure can put a service’s brand and reputation at risk -- not to mention the financial account credentials of its users, leaving the contents of their accounts vulnerable to cyberthieves.

Low security awareness
According to a recent survey by Osterman Research, 40% of financial services firms offer one to five apps to their customers, another 26% offer between six and 20, and 10% actually offer more than 20. (The rest offer none.) The average was 3.1 per firm, versus 2.5 per firm in other industries. Yet the same survey found that a clear majority of app managers at financial services firms were unaware of the security issues involved in third-party app stores: 25% said they were unaware and 32% said they were slightly aware. Otherwise, 18% said they were somewhat aware, another 18% said they were pretty aware, and only 7% said they were very aware.

The problem with app stores is that, in many cases, their content is not policed, and malware can be posted there as readily as legitimate apps. For financial services (and other legitimate enterprises with mobile apps) this opens the door to copycat and stolen apps.

Fake apps abound
Copycat apps will look like legitimate apps, but have been repackaged to include malware that may facilitate spam, generate unwanted advertising, send for-fee SMS messages that run up the user’s bill, modify search results to send the users to paid advertisers, or steal the users’ login credentials so the hackers can drain the victim’s financial accounts. A survey by RiskIQ covering more than five million mobile apps indicated that 90% of leading brands have seen their apps copycatted.

Similarly, stolen apps are an issue for owners who rely on them for revenue. On un-policed sites they can be pirated, with revenue from the sales going to the pirates rather than to the legitimate owners. Pirated software, meanwhile, is often repackaged with the same kind of malware seen with copycatted apps.

Beyond the immediate negative impact on users, their mobile devices, and their financial accounts, network security can also be compromised when they log in using their infected devices. The resulting exposure of personal financial information and protected health information can result in violations of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Payment Card Industry Data Security Standard (PCI DSS), and other laws and regulations intended to protect privacy. The likelihood of an infection being passed on is very real: Osterman Research found that 36% of mobile users employ their primary mobile device to share content with partners, customers and prospects, while 97% use their device to check email.

Malware is rampant
Most mobile malware is found in apps running on the Android operating system. In fact, a survey conducted by the US Department of Homeland Security and the FBI found that 79% of mobile malware was on Android devices, with much of the rest running on Symbian devices. Android devices now represent the bulk of the smartphone market.

Meanwhile, the problem is clearly not going to go away by itself. Smartphone subscriptions are growing at a compounded annual rate of 25% and should reach 4.5 billion in 2018, says Ericsson Mobility. Tablets and other mobile devices are growing at a rate of "only" 20%. Pew Research has found that half of mobile phone users download applications, making it the fourth most popular activity for users of mobile devices.

Fighting back
The answer to these security threats is continuous monitoring and management. App stores must be scanned for possible copycatted or stolen apps, and for other rogue or malicious apps that could target a firm's users. Unfortunately, this is often overlooked or not done thoroughly.

Osterman Research found that 21% of financial services firms never performed such scanning. Another 29% did it, but less than quarterly. As for the rest, 4% did it quarterly, 7% did it monthly, 21% did it weekly, and 18% did it daily.
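As an added illustration of the continuous monitoring the section recommends (this is example code, not the article's or RiskIQ's), the Python script below triages constructed app-store listings against a firm's inventory of known-good apps: a listing that reuses a legitimate application id but carries a different signing-certificate fingerprint is flagged as a repackaged copycat, and listings that borrow the brand name or a near-miss id are flagged as lookalikes for takedown review. Store names, application ids, brand terms and fingerprints are all constructed.

```python
"""Copycat-app triage over third-party app-store listings (added example)."""
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Listing:
    store: str
    package: str      # application id as shown by the store
    title: str
    publisher: str
    cert_sha256: str  # signing-certificate fingerprint the store reports

# The firm's own apps: application id -> signing cert fingerprint (constructed
# values; a real inventory would come from the build and signing pipeline).
KNOWN_GOOD = {
    "com.examplebank.mobile": "A1" * 32,
    "com.examplebank.trade": "B2" * 32,
}
BRAND_TERMS = ("examplebank", "example bank")  # constructed brand strings

def classify(item: Listing) -> str:
    """Return 'legitimate', 'copycat', 'lookalike' or 'unrelated'."""
    good_cert = KNOWN_GOOD.get(item.package)
    if good_cert is not None:
        # Same application id: only the signing cert proves provenance. A
        # mirrored copy of the real package keeps it; a repackaged one cannot.
        return "legitimate" if item.cert_sha256.upper() == good_cert else "copycat"
    # Different id, but our brand in the title/publisher or an id that nearly
    # matches ours: a lookalike to queue for takedown review.
    text = f"{item.title} {item.publisher}".lower()
    if any(term in text for term in BRAND_TERMS):
        return "lookalike"
    if max(SequenceMatcher(None, item.package.lower(), p).ratio() for p in KNOWN_GOOD) >= 0.85:
        return "lookalike"
    return "unrelated"

def triage(listings):
    """Bucket listings by verdict; a daily job can diff this against the last run."""
    report = {"legitimate": [], "copycat": [], "lookalike": [], "unrelated": []}
    for item in listings:
        report[classify(item)].append(f"{item.store}:{item.package}")
    return report

# Constructed sample listings from two hypothetical third-party stores.
SAMPLE = [
    Listing("storeA", "com.examplebank.mobile", "ExampleBank Mobile", "ExampleBank", "A1" * 32),
    Listing("storeA", "com.examplebank.mobile", "ExampleBank Mobile Free", "appz4u", "C3" * 32),
    Listing("storeB", "com.examplebnk.mobile", "EB Banking", "mobile-deals", "D4" * 32),
    Listing("storeB", "com.weather.daily", "Daily Weather", "skyapps", "E5" * 32),
]
```

Running `triage(SAMPLE)` sorts the second listing into the copycat bucket and the third into lookalike; in practice the inventory and listings would be fed from the firm's signing pipeline and a store scraper.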

Elias (Lou) Manousos is an internet security expert and CEO of RiskIQ, which helps the world's leading financial services companies protect their brands from fraud. He is also co-chair of the Online Trust Alliance (OTA) Anti-Malvertising Working Group and is responsible for ...
Comments
Greg MacSweeney,
User Rank: Author
6/25/2014 | 9:51:47 AM
Re: Why is iOS not targeted?
Good point. It seems that Apple's overly controlling (some say stifling) policies actually are a benefit when it comes to security.
johnsirghi,
User Rank: Apprentice
6/20/2014 | 10:58:29 AM
manage
nice one
jasonzann,
User Rank: Apprentice
6/19/2014 | 10:04:44 AM
Re: Why is iOS not targeted?
iOS is much more closed, with a single store controlled by Apple. Android, and its variations, are stood up and controlled decentrally. As an example, Google pulled out of China in 2009 and there are now more than 50 Android stores in China not associated with Google. Additionally, Android apps can be sideloaded, and as a result, there are a number of 'feral apps' that can be found on the end of URLs across the web.

These dynamics with Android provide flexibility for users and organizations that want to have direct relationships with users; however, it also introduces a tremendous amount of complexity that can foster a range of mobile threats.
jspivey282,
User Rank: Apprentice
6/11/2014 | 6:02:09 PM
New and emerging RISK to the business: we better start now to understand these risks!
Excellent research by Osterman illuminating the NEW RISK to our organizations, which I think are largely unrecognized due to the velocity and complexity of emerging technologies. The risk described in this article, describing the significance of "fake apps" enabling the attacking and stealing of our company secrets, breaches of credit card #s, and fraud... putting our company at risk! It is taking me a while to understand these new risks, as they evolve every day, but we can not ignore them. If we do, the risks just start mounting, making it even worse.

The volume of these new cybersecurity risks is overwhelming due to the increasing volume of technology growth. Recent estimates say that "Mobile devices are projected to put over half the world's population online by 2018 — some 3.9 billion internet users — according to Cisco's State of the Internet Report" released yesterday, June 10, 2014. (http://www.chron.com/technology/businessinsider/article/By-2018-3-9-Billion-People-Will-Be-Online-Thanks-5542238.php)

How do you start to scale your own operation to understand these risks, prioritize them against your own specific policies for that country, and understand the significance of IMPACT to your business?

The article describes that the best solution is continuous monitoring and the mitigation/management of these new and evolving threats putting your organization at risk.
daekpon,
User Rank: Apprentice
6/11/2014 | 1:46:13 PM
Re: Why is iOS not targeted?
Given how many different flavors and versions of Android are out there, that creates a larger footprint of code to find vulnerabilities in. So I'd say it's easier to find vulnerabilities in Android instead of iOS. As well, it's much easier to decompile and repackage Android apps and then re-distribute them. Apple makes it harder via the encryption and their locked, single distribution point policy.
Jonathan_Camhi,
User Rank: Author
6/10/2014 | 2:43:16 PM
Re: Why is iOS not targeted?
It's my understanding that Apple is more strict in terms of curating its app store, and that Android takes a more open approach to allowing people to post apps in its app store. That makes it more vulnerable. And given the huge number of apps in these app stores, it's difficult for an unknowing user to tell the difference between a legitimate app and a malicious one that mimics a legitimate one.
Greg MacSweeney,
User Rank: Author
6/10/2014 | 2:02:29 PM
Why is iOS not targeted?
iOS has a slightly lower market share than Android, but there are far fewer types of iOS devices. You would think it would make finding a vulnerability easier on a single type of device.

Yet it seems that most of the mobile threats are found in Android. Why is that?