Sandy, UT (September 28, 2016) — Media reports of “Major security flaws found in 90% of top mobile banking apps” have alarmed credit unions that already have, or are considering purchasing, a mobile banking app.
A look at the alleged weaknesses shows why mobi¢int users and their members are not subject to these flaws:
1. IO Interactive Labs Research found that 90% of mobile banking apps from 60 of the top financial institutions around the world contained non-SSL [insecure] links throughout their applications. This allows an attacker to create a fake login prompt or similar scam.
The mobi¢int App does not allow non-SSL links. Mobi¢int mobile banking apps are created without third-party involvement. Already in use by more than 200 credit unions around the United States, mobi¢int has a long history of full integration (accounts, cards, bill pay, etc.).
2. IO Interactive Labs Research also found that 40% of the audited apps did not validate the authenticity of the SSL certificates presented to them. This makes such apps susceptible to man-in-the-middle (MitM) attacks.
The mobi¢int App validates authenticity for every SSL certificate that is presented.
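Items 1 and 2 above (plaintext links inside the app, and TLS connections that never check the server's certificate) are the two transport weaknesses a reviewer can check mechanically. The following is an added example written for this page, not mobi¢int code: it audits a constructed, hypothetical endpoint configuration for non-HTTPS and third-party links, and contrasts a TLS context that skips certificate validation (the MitM-able configuration the study describes) with one that verifies the chain and the hostname. All URLs, host names and key names are invented for the example.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample: a hypothetical mobile-app endpoint table, as an auditor
# might extract it from an app's configuration. Hosts and paths are invented.
SAMPLE_ENDPOINTS = {
    "login": "https://banking.example-cu.test/api/login",
    "balances": "https://banking.example-cu.test/api/accounts",
    "help_center": "http://help.example-cu.test/faq",        # plaintext link
    "bill_pay": "https://billpay-partner.example.test/pay",  # leaves first-party hosts
}

# Hosts the institution controls; anything else is a third-party URL (item 3).
FIRST_PARTY_HOSTS = {"banking.example-cu.test", "help.example-cu.test"}


def find_insecure_links(endpoints, first_party_hosts):
    """Return (name, finding, url) for every link that is not HTTPS or not first-party.

    A plaintext link is what lets a network attacker substitute a fake login page;
    a third-party host is a web view the institution does not control.
    """
    findings = []
    for name, url in endpoints.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((name, "plaintext-scheme", url))
        if parsed.hostname not in first_party_hosts:
            findings.append((name, "third-party-host", url))
    return findings


def weak_tls_context():
    """The configuration the study flags: no chain or hostname verification.

    Any certificate, including one minted by a man-in-the-middle, is accepted.
    check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context():
    """Verify the certificate chain against the trust store and require a hostname match.

    create_default_context() already sets CERT_REQUIRED and check_hostname=True;
    we additionally refuse TLS versions below 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates_server(ctx):
    """True only if the context will reject an unverifiable or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for finding in find_insecure_links(SAMPLE_ENDPOINTS, FIRST_PARTY_HOSTS):
        print("FINDING", *finding)
    print("weak context validates server:", context_validates_server(weak_tls_context()))
    print("hardened context validates server:", context_validates_server(hardened_tls_context()))
```

The link audit is deliberately strict about scheme rather than looking for the string "http://" in source, because a parsed URL also catches schemes such as `ftp://` and catches hosts outside the institution's control. The two context builders show that disabling verification takes two explicit steps in Python's `ssl` module; a code review can grep for `CERT_NONE` and `check_hostname = False` to find the weak configuration.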
The mobi¢int App never uses web views from third-party URLs within the app. The only exception is when a customer specifically requests one; in that case all potential security threats are documented and explained.
4. Praetorian noted in their study (which included apps from the 50 largest credit unions) that 8 out of 10 mobile banking applications contain build and configuration setting weaknesses.
The mobi¢int App was not rushed to market, and rushing was cited as the most likely reason for apps to receive insufficient attention to security. Meticulous care and structural control are always maintained within the mobi¢int product set. To combat such weaknesses, the mobi¢int mobile banking apps are designed to be re-signed (an application re-install, which appears as an additional app icon in the app drawer) if the mobi¢int configuration file is changed. It should be noted that this particular weakness applies ONLY to Android users and to those with jailbroken or rooted devices, information not provided in the Praetorian report.
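The response above describes two defences against build and configuration weaknesses: detecting that the shipped configuration file has been changed, and keeping the build settings themselves tight. The following added example, written for this page and not mobi¢int's own code, shows both checks in one startup routine. The configuration keys (`debuggable`, `allow_cleartext_traffic`, `certificate_pinning`, `log_level`) and the values are hypothetical; the digest that anchors the integrity check would, in a real build, be computed by the build pipeline and embedded in the signed package so that the platform's code signature protects it.

```python
import hashlib
import hmac
import json

# Constructed sample: the configuration an app ships with, fixed at build time.
# Key names are invented for this example, not a real product's format.
RELEASE_CONFIG = {
    "api_base": "https://banking.example-cu.test/api",
    "debuggable": False,
    "allow_cleartext_traffic": False,
    "certificate_pinning": True,
    "log_level": "error",
}

# Build/configuration settings a reviewer should flag, keyed by the value that
# constitutes the weakness (debug builds, plaintext traffic, no pinning, verbose logs).
WEAK_SETTINGS = {
    "debuggable": True,
    "allow_cleartext_traffic": True,
    "certificate_pinning": False,
    "log_level": "debug",
}


def canonical_bytes(config):
    """Serialise deterministically so identical settings always hash identically."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")


def config_digest(config):
    """SHA-256 over the canonical form of the configuration."""
    return hashlib.sha256(canonical_bytes(config)).hexdigest()


# Assumed to be computed at build time and embedded in the signed app package.
EXPECTED_DIGEST = config_digest(RELEASE_CONFIG)


def config_is_intact(config, expected_digest=EXPECTED_DIGEST):
    """True only if the configuration loaded at runtime matches the build-time digest."""
    return hmac.compare_digest(config_digest(config), expected_digest)


def audit_build_settings(config):
    """Return (key, value) pairs whose value matches a known-weak setting, in key order."""
    return [(k, v) for k, v in sorted(config.items())
            if k in WEAK_SETTINGS and v == WEAK_SETTINGS[k]]


def startup_check(config):
    """Problems that should stop the app (or trigger a reinstall) before it talks to the bank.

    Returns an empty list for a clean, unmodified release configuration.
    """
    problems = []
    if not config_is_intact(config):
        problems.append("config-modified")
    problems.extend(f"weak-setting:{key}" for key, _ in audit_build_settings(config))
    return problems


if __name__ == "__main__":
    # A modified copy: API host redirected and debugging switched on.
    tampered = dict(RELEASE_CONFIG,
                    api_base="https://not-the-bank.example.test/api",
                    debuggable=True)
    print("release:", startup_check(RELEASE_CONFIG))
    print("tampered:", startup_check(tampered))
```

The digest comparison uses `hmac.compare_digest` so the check takes the same time whether or not the values match. The check is only as strong as the protection around `EXPECTED_DIGEST`: on a rooted device an attacker who can rewrite the configuration can usually rewrite the embedded digest too, which is why the page limits this weakness to Android and jailbroken or rooted devices and why a re-sign and reinstall, rather than a runtime patch, is the appropriate response to a changed configuration.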
5. In an interview, Arxan noted that counterfeit apps, which may carry malware, are on the rise.
mobi¢int's response is the one every technology supplier should give: educate, instruct, inform. Make members aware that the safest place to download apps is the official marketplaces (Apple and Google Play). If apps are downloaded elsewhere, the potential for exposure to counterfeit versions explodes. Advise users with jailbroken or rooted devices not to perform banking or other sensitive activity on them. Note also that companies such as Arxan sell counterfeit-app detection tools.
In summary, technology designed by a single developer provides not only an enhanced user experience and the benefits of complete integration, but also a secure and controlled environment.