Security issues are on everybody’s mind and a top priority for any industry, especially for financial institutions. Online banking must be safe, whether done in front of a PC or on the road from a mobile device. Since all banks are aware of that, they introduced a new procedure to secure online bank orders, in addition to the dial-in data and the password with the transaction number: with the mTAN, pushTAN, photoTAN or chipTAN processes, banks now offer their customers a wide range of possibilities to generate their TANs, depending on the type of device available, demand of convenience and mood.

According to the banks, all these procedures of course provide the highest security and protection against cyber-attacks and manipulations. But it is a fact that online banking can never be absolutely secured, as both malicious hackers and well-informed security researchers prove on a regular basis.

The upcoming three-day congress Interpol World 2017 will talk about all that, kick-starting the expert event on July 4, 2017 with discussions and speeches that aim to shed light on the “dark side” of cyberspace and the future of security.
“Changes in technology, society and the law make new crimes possible. Attitudes are changing too. The implications of these shifts are complex. This is clearly seen in the way law enforcement and businesses have had to adapt to deal with risks and opportunities presented by an ever-changing internet”, Interpol states.

For instance, not even the TAN apps, which were considered safe, are immune to malware today: hackers have already proven that they can redirect online referrals as they wish or create them themselves. The precondition for the manipulation of such a transaction is, however, that the banking app and TAN app are installed on one device – and that’s the crux of the matter.

By using different banking applications on a single device, the user indirectly bypasses the two-way authentication, which is technically important. If this device is now compromised and infected with malicious software, a hacker ultimately has access to both applications and thus gets a chance to manipulate transactions. And as we know, there is no shortage of infected devices that potential cyber attackers can make use of in the process, considering that dangerous malware such as Godless or Hummingbad has already successfully forced its way into the official Google Play store.

It is believed, for instance, that there are around ten million infected Android devices worldwide, but iOS devices are not immune to attacks of this kind either. Usually, after the security gaps become known, the outcry in the media is vast and the reactions of the affected banks and financial service providers rather cautious. Some appease the parties involved, some claim to be unaware, and some simply indicate that they will fully compensate those affected. Anyway, that can’t be the right way.

The fact is that there can be no absolute security, which is self-evident. Therefore banks cannot necessarily be held responsible for any kind of cyber-attack. And yet, they must do everything they can to eliminate security gaps and weaknesses in software and applications. It’s their duty to provide their customers with the best possible security, from the use of innovative software solutions to the education and correct instruction of the users.

The financial industry should therefore welcome and embrace investigations conducted by ethical hackers, which by no means intend to cast a damning light on the financial institutions, but rather to make security risks visible to banks and their customers. The direct exchange with security experts is simply a good opportunity for the banks concerned to develop new solutions and make their applications more secure. This applies of course not only to the financial sector. In times of mobile computing and the Internet of Things, protected applications are perhaps more important than ever for medical device manufacturers, the automotive sector or critical industrial plants.

By Daniela La Marca