MyPrivateBanking Blog
Daily Comments on the World of Wealth Management

Archive for the ‘app security’ Category

Biometric authentication to go mainstream in 2016

Friday, January 8th, 2016

Digital banks are becoming more and more attractive to millennials, who expect secure and convenient banking solutions when on the go. Atom Bank (based in the UK) is the latest online bank promoting innovative features that put brick-and-mortar retail banks and wealth management firms under pressure as they struggle to keep pace with the latest technology trends. Atom Bank uses a combination of biometric technologies that lets clients authenticate without a password by means of face and voice recognition. Another example is the more staid USAA financial conglomerate, which already uses IdentityX, the biometric platform by Daon.

The increasing popularity of biometric authentication methods will surely challenge the banking industry and tech giants like Google to offer an improved client experience and secure login options. Google’s new password-free login allows invited users to sign in to their Google account by responding to a notification sent to their smartphone; if the smartphone is stolen, the new login option fails to add security for mobile users whose smartphones have no lock-screen protection or fingerprint identification option. Google will be challenged to offer something more secure and customer-friendly – something that could be delivered by biometric authentication.

Client habits and potential regulatory hurdles may slow down the move to biometric authentication, but we have no doubt that the future lies beyond manual passwords and (SMS) tokens. The future will offer a seamless digital experience to every client – from log-in through the complete customer journey.

 

Forget passwords. Pay with a selfie!

Wednesday, October 28th, 2015

From passwords to two-factor authentication, bio-authentication, and tokenization, both consumers and cybercriminals have forced the online and mobile banking industry to come up with innovative and convenient security technologies. The latest functionality announced to be available to US e-commerce consumers in the middle of 2016 is MasterCard’s new facial recognition-based identification method. Online retailers will be able to authorize a transaction by taking a snapshot of their face and blinking once (to prevent fraudsters from holding up a picture of the retailer and fooling the system).

Particularly popular with Millennials or the ‘selfie-generation’, using selfies to authorize transactions has a clear advantage over passwords/PINs as it saves consumers from remembering complicated combinations of numbers or letters.

Just like other biometric authentication functionalities, ‘pay by selfie’ is surely on-trend, but it remains uncertain how secure the new technology is. Biometrics that rely on static information like face recognition or fingerprints can be easily faked; the case of the German defense minister Ursula von der Leyen’s fingerprint being cloned just from photos is solid proof of this.

The retail banking industry is rushing to offer consumers innovative mobile technology functionalities, but the next generation of mobile banking apps needs to include stronger security features to make cyberattacks impossible.

 

Mobile banking: How a convenient user experience may threaten your clients

Friday, August 7th, 2015

The smartphone business is booming with breakout successes like the iPhone 6 and 6 Plus, and mobile usage is growing at a fast pace, to the detriment of laptop and home Internet use. It should not be surprising that criminals have also adapted to the new trends, and more than 1.3 million unique smartphone attacks have been reported from January to October 2014.

While one of the main causes is the increasing amount of mobile transactions and payments, the multitude of digital communication tools, like the real-time apps helping advisers improve communication with their clients, also keeps clients engaged with their mobile devices. High-net-worth clients are attractive targets for mobile security breaches as they mostly manage their wealth while on the go and use unsecured Internet access points (see our report on the mobile behavior of the affluent and HNWI).

But what are the main factors driving security breaches of mobile apps in the banking field? MyPrivateBanking’s recently released report on Mobile Apps for Wealth Management 2015 found that secure client authentication is still being neglected by many wealth managers. Few of the evaluated wealth managers/private banks are using the gold standard to protect clients’ data: a full two-factor authentication procedure plus a multi-layered anti-fraud framework. Striving to provide their clients with convenient, easy-to-access information, some wealth management apps even allow users to log in with only their 5-digit passcode, thus ignoring the fact that these weak security measures make their clients easy prey for hackers who illegally try to access personal data.

One of the main areas of risk, which is often neglected by banks, is that criminals are targeting not only the secured spaces where clients make transactions but also other apps/features where they are able to identify personal data (for instance address, birthdate or trivial things like shopping coupons). Putting this information together can easily lead to so-called identity theft, enabling criminals to break into even better secured systems.

Wealth managers should think hard about an integrated and broad security strategy, even if they have to sacrifice a bit of convenience for their clients to gain gold standard security.

 

Why wealth managers need to communicate about app security

Wednesday, June 17th, 2015

Given the recent waves of massive security breaches and the increasing data manipulation, high-net-worth clients are justified in being anxious about their personal data being stolen and used by hackers and fraudsters.

Banks and wealth managers continue to ignore the fact that their clientele and prospective clients do not want to lose control over their information. As our new report on Mobile Apps for Wealth Management 2015 shows, out of the evaluated mobile core apps of 30 leading wealth managers worldwide, only 40% use the app store to inform clients about security.

Security measures of most mobile banking apps are not clearly communicated in the available app stores. An accurate description of banking or trading apps should certainly make it clear how users’ personal data is being used and protected in the app.

Initiatives that already give users the right and ability to learn what security measures banks integrate in their apps are successful in inspiring a feeling of transparency and trust. Keeping the language easy to read, in a clear and concise style, is key to informing clients about the app’s necessary high security and encryption standards.

Wealth managers need to understand that their wealthy clients expect to be informed about an app’s security measures before downloading it.

 

The coming of app search and what it means for banks

Saturday, January 10th, 2015

(by Francis Groves, Senior Analyst)

So far, it has been taken for granted that mobile apps cannot be searched effectively by Internet search engines. App use and Internet use are still different activities, often complementary but not seamless. For ordinary lay-people using the Internet and mobile apps, this characteristic unsearchability of apps is hidden in plain sight. It’s been taken for granted up until recently, but things look as if they are about to change.

According to the New York Times (6th January, 2015) the race to develop app search tools is on, with major players such as Facebook and, not surprisingly, Google looking at ways to crack the problem of creating a generation of apps that are searchable in the same way that websites are searchable. There are also a number of start-ups, such as Quixey (who already have an app to search apps on a single device) and Branch Metrics, who are trying to develop the winning technology. The particular advance Branch Metrics have achieved is the ability of one app user to share in-app information over the Internet in such a way that their friend/contact can be directed to the appropriate app store page to download the app and access the app service for themselves. For the time being, searching across apps with an equivalent to Google Search is a challenge still waiting to be overcome.

Talk of searchable apps not only seems mind-boggling but calls into question our understanding of what mobile apps are. Up until now they’ve been tools to help us, but how should we view them now?

The advent of searchable apps will also raise a whole range of questions relating to the use of mobile apps in financial services. Those financial service companies that have seen the wisdom of branching out into mobile apps have combined a few key advantages that could begin to be undermined by the arrival of app searching. Firstly, the confidentiality of one’s personal banking app suits the bank customer just fine. Like your wallet, no one is supposed to be poking around in your banking app except you. Just like a wallet, the contents of your banking app are probably terribly boring, pretty predictable and intensely personal and private. So, if apps become searchable, we’re going to have to become used to distinguishing between the new searchable apps and the ones that stay as private and secure as they were before (you hope). Could apps in general lose some of their attraction if some of them lose that dedicated-to-me quality? Users may not like having to identify and remember which apps are the new sociable (or leaky, depending on your point of view) apps and which are the safe ones.

And doesn’t the possibility of a universal app search mechanism ultimately mean that even apps that are currently equipped with robust security - as financial service providers’ apps should be - are going to become less secure in the end? At the very least, banks are going to have to shout louder to clients about their personal app security.

We’re not sure if 2015 will see a real breakthrough in app searchability - the existence of rival technologies may severely restrict the effectiveness of any one app search engine - but we certainly think that this is something that the finance industry should be on the look-out for.

Happy New Year.

 

Internet Security: “Fight or Flee”

Monday, October 27th, 2014

(by Francis Groves, Senior Analyst)

Little by little Internet security is moving towards center stage. At MyPrivateBanking, we’ve been focusing on the importance of security issues in Internet and mobile banking in our reports on websites and mobile apps.

Two recent developments have hit the headlines. The first was the attack suffered by JP Morgan Chase in August. This is suspected to have been the work of Russian criminal, not government, hackers, who found a way into the bank’s systems through one or more of its older components. The hackers gained access to data about 76 million personal accounts and 7 million business ones, though no JP Morgan Chase customers suffered loss as a result.

Last week the launch of the iPhone 6 in China was accompanied by a widespread outbreak of ‘man in the middle’ hacking of purchasers’ first-time connections to iCloud. In this case the new iPhone’s reputation for being highly secure may have been part of the problem. It is believed that the authorities may have initiated the attack because they are unhappy about the increased data privacy that Chinese citizens gain through the iPhone 6’s use of encryption. Given that Apple is hoping that the enhanced security of the iPhone 6 qualifies it with the Apple Pay app for use as a payment system, this widespread hacking is worrying.

Significantly, many (but not all) Chinese users would have received a warning from their browser that the verification certificate from iCloud was actually fake. But how many of them carried on regardless and ended up compromising their log-in details?! The problem for many of us is that we need or want to use the Internet at such speed that we risk exposing ourselves and our money to danger. Maybe we do need to bring into play the split-second responses to danger signals that we’ve inherited from our early ancestors.

We also need a lot more education from our financial institutions to develop a more vigilant mindset. The problem of Internet security and banking and payments systems is certain to grow in the coming months.

 

Why standardization of bank app security is great news

Wednesday, August 27th, 2014

MyPrivateBanking welcomes the news that the British Standards Institute has launched its standard for security of transactions on mobile apps. This means that the public will benefit from being able to check for the presence of BSI’s well-respected kitemark as its approval for the level of security for treatment of app users’ personal and financial details.

The first to receive the app security kitemark is Barclays Bank for its Pingit mobile payment service and mobile banking apps. In the longer term it is expected that the kitemark use will be extended beyond banking and finance to other commercial apps such as ones for (paid for) entertainment but clearly the need for easily understandable standards is most pressing for financial service users simply because it is here that security violations expose users to the greatest financial losses.

Here at MyPrivateBanking, we have long considered that easily understandable and verifiable security standards are a must in terms of what financial services companies owe to clients, and this is especially so in relatively new areas such as banking apps. Up until now, reference by banks to existing standards for Internet security, such as ISO 27001 (on which the new kitemark is partly based) and 27032, has been patchy at best. The launch of a kitemark for financial app security, more consumer-oriented than ISO standards, is especially welcome. The new standard requires meeting security standards and regular follow-up checks and ‘penetration tests’ by the BSI. Hopefully, it will be adopted widely internationally.

The full name of the new standard is ‘BSI Kitemark™ for Secure Digital Transactions’. BSI say that it has been developed to help consumers confidently and easily identify websites or apps they can trust with their financial and/or personal details.

 