MyPrivateBanking Blog
Daily Comments on the World of Wealth Management

Posts Tagged ‘app security’

Internet Security: “Fight or Flee”

Monday, October 27th, 2014

(by Francis Groves, Senior Analyst)

Little by little Internet security is moving towards center stage. At MyPrivateBanking, we’ve been focusing on the importance of security issues in Internet and mobile banking in our reports on websites and mobile apps.

Two recent developments to hit the headlines were the attack suffered by JP Morgan Chase in August. This is suspected to have been the work of Russian criminal, not government hackers, who found a way into the bank’s systems through one or more of its older components. The hackers gained access to data about 76 million personal accounts and 7 million business ones, though no JP Morgan Chase customers suffered loss as a result.

Last week the launch of the iPhone 6 in China was accompanied by a widespread outbreak of ‘man in the middle’ hacking of purchasers first time connections to iCloud. In this case the new iPhone’s reputation for being highly secure may have been part of the problem. It is believed that the authorities may have initiated the attack because they are unhappy about the increased data privacy that Chinese citizens gain through the iPhone 6’s use of encryption. Given that Apple is hoping that the enhanced security of the iPhone 6 qualifies it with the Apple Pay app for use as a payment system, this widespread hacking is worrying.

Significantly, many (but not all) Chinese users would have received a warning from their browser that the verification certificate from iCloud was actually fake. But how many of them carried on regardless and ended up by compromising their log-in details?! The problem for many of us is that we need or want to use the Internet at such speed that we risk exposing ourselves and our money to danger. Maybe we do need to bring into play the split second responses to danger signals that we’ve inherited from our early ancestors.

We also need a lot more education from our financial institutions to develop a more vigilant mindset. The problem of Internet security and banking and payments systems is certain to grow in the coming months.


Why standardization of bank app security is great news

Wednesday, August 27th, 2014

MyPrivateBanking welcomes the news that the British Standards Institute has launched its standard for security of transactions on mobile apps. This means that the public will benefit from being able to check for the presence of BSI’s well-respected kitemark as its approval for the level of security for treatment of app users’ personal and financial details.

The first to receive the app security kitemark is Barclays Bank for its Pingit mobile payment service and mobile banking apps. In the longer term it is expected that the kitemark use will be extended beyond banking and finance to other commercial apps such as ones for (paid for) entertainment but clearly the need for easily understandable standards is most pressing for financial service users simply because it is here that security violations expose users to the greatest financial losses.

Here at MyPrivateBanking, we have long considered that easily understandable and verifiable security standards are a must in terms of what financial services companies owe to clients and this is especially in relatively new areas such as banking apps. Up until now reference by banks to existing standards for Internet security, such as ISO 27001 (on which the new kitemark is partly based) and 27032, has been patchy at best. The launch of a kitemark for financial app security, more consumer-oriented than ISO standards, is especially welcome. The new standard requires meeting security standards and regular follow-up checks and ‘penetration tests’ by the BSI. Hopefully, it will be adopted widely internationally.

The full name of the new standard is BSI KitemarkTM for Secure Digital Transactions’. BSI say that it has been developed to help consumers confidently and easily identify websites or apps they can trust with their financial and/or personal details.


Why banks’ communication fails on app security

Tuesday, May 28th, 2013

Apps are generally more secure than regular html webpages. There are several reasons for that, most prominently that apps are downloaded from a
walled environment, called app store. This holds also true for banking apps. We’ve asked our contacts at major retail banks worldwide about incidents of fraud through mobile apps. The answer is simple: basically zero. It may  be that Internet criminals have not learned yet how to break into mobile apps but for the time being, bank customers can feel somewhat safer using their mobile app than using web- based banking.

So, why do banks still get an “F” on mobile app security? It’s a communication problem. Our surveys show that many users don’t feel safe
using apps for banking transactions. One major reason is that they fear their bank accounts can be easily manipulated in case the mobile device is

Yet, despite the users’ uneasiness with mobile banking, banks communicate only very hesitantly about the security measures and precautions for mobile banking apps: 34% percent of banking apps contain no information at all on security and 42% fail to do so on privacy issues. This is one of the results of our recent Mobile Apps for Banking 2013 benchmarking report. In addition, the report finds that app store descriptions of mobile banking apps include information on security matters in only 64% of cases.

Banks should take these findings seriously. Mobile banking is becoming ever more popular but a significant portion of potential users are deterred by
security concerns. Every banking app and every app description should  display and explain security features of the app prominently. Users must understand that data encryption of banking transactions is as safe as on the fixed Internet. Log-in procedures and other safety measures should also be clearly communicated. Users’ perception of security will then be as strong as the actual security itself.