Wall Street & Technology is part of the Informa Tech Division of Informa PLC

Elias Manousos

Financial Firms Must Assess App Store Risks

With mobile malware rampant, it is surprising only 18% of financial firms monitor for malware or copycat apps on a daily basis.

Mobile apps are a great way to reach the exploding population of smartphone and tablet users, as an increasingly large number of financial services firms have been discovering. But distributing these apps to the public opens those firms to a new set of risks.

Many mobile apps are distributed through third-party app stores, which are often not secure. The resulting exposure can put a service’s brand and reputation at risk -- not to mention the financial account credentials of its users, leaving the contents of their accounts vulnerable to cyberthieves.

Low security awareness
According to a recent survey by Osterman Research, 40% of financial services firms offer one to five apps to their customers, another 26% offer between six and 20, and 10% offer more than 20. (The rest offer none.) The average was 3.1 per firm, versus 2.5 per firm in other industries. Yet the same survey found that a clear majority of app managers for financial services were unaware of the security issues involved in third-party app stores: 25% said they were unaware and 32% said they were slightly aware. Of the rest, 18% said they were somewhat aware, another 18% said they were pretty aware, and only 7% said they were very aware.

The problem with app stores is that, in many cases, their content is not policed, and malware can be posted there as readily as legitimate apps. For financial services (and other legitimate enterprises with mobile apps) this opens the door to copycat and stolen apps.

Fake apps abound
Copycat apps will look like legitimate apps, but have been repackaged to include malware that may facilitate spam, generate unwanted advertising, send for-fee SMS messages that run up the user’s bill, modify search results to send the users to paid advertisers, or steal the users’ login credentials so the hackers can drain the victim’s financial accounts. A survey by RiskIQ covering more than five million mobile apps indicated that 90% of leading brands have seen their apps copycatted.

Similarly, stolen apps are an issue for owners who rely on them for revenue. On un-policed sites they can be pirated, with revenue from the sales going to the pirates rather than to the legitimate owners. Pirated software, meanwhile, is often repackaged with the same kind of malware seen with copycatted apps.

Beyond the immediate negative impact on users, their mobile devices, and their financial accounts, network security can also be compromised when users log in from infected devices. The resulting exposure of personal financial information and protected health information can result in violations of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Payment Card Industry’s Data Security Standard (PCI DSS), and other laws and regulations intended to protect privacy. The likelihood of an infection being passed on is very real: Osterman Research found that 36% of mobile users employ their primary mobile device to share content with partners, customers and prospects, while 97% use their device to check email.

Malware is rampant
Furthermore, malware is usually found in apps running on the Android operating system. In fact, a survey conducted by the US Department of Homeland Security and the FBI found that 79% of mobile malware was on Android devices, with much of the rest running on Symbian devices. However, Android devices now represent the bulk of the smartphone market.

Meanwhile, the problem is clearly not going to go away by itself. Smartphone subscriptions are growing at a compounded annual rate of 25% and should reach 4.5 billion in 2018, says Ericsson Mobility. Tablets and other mobile devices are growing at a rate of "only" 20%. Pew Research has found that half of mobile phone users download applications, making it the fourth most popular activity for users of mobile devices.

Fighting back
The answer to these security threats is continuous monitoring and management. App stores must be scanned for possible copycatted or stolen apps, or other rogue or malicious apps that could target a firm's users. Unfortunately, this is often overlooked or not done thoroughly.

Osterman Research found that 21% of financial services firms never performed such scanning. Another 29% did it, but less than quarterly. As for the rest, 4% did it quarterly, 7% did it monthly, 21% did it weekly, and 18% did it daily.

Elias (Lou) Manousos is an internet security expert and CEO of RiskIQ, which helps the world's leading financial services companies protect their brands from fraud. He is also co-chair of the Online Trust Alliance (OTA) Anti-Malvertising Working Group and is responsible for ...