Comment From Arxan on Security Risks of CMA’s Shared Banking Data Scheme

Winston Bond, EMEA Technical Director at Arxan Technologies, comments: “Today’s announcement from the Competition and Markets Authority that banks should offer all of their core services via mobile is great news for consumers seeking more freedom and flexibility, but could also leave the door open for an unprecedented cyber-attack if the banks are not able to meet the increased demand for security.

Cyber security remains a major concern for mobile financial apps, and all of the most popular apps we tested for our 2016 State of Application Security Report had at least one major security flaw that could be exploited by attackers. The most common issue is a lack of binary protection, which could allow cybercriminals to tamper with the app and steal personal data, and most apps also lack sufficient protection in the transport layer, potentially enabling thieves to intercept data transmissions.

APIs (Application Protocol Interfaces), which are a major cornerstone of the CMA’s plan for banks to share consumer data, can also provide an easy route for attackers if not properly secured. Most APIs use a simple authentication protocol to confirm access to server assets. The usual approach is a simple challenge-response exchange that relies on cryptographic keys to keep it secure. If attackers are able to break into the app and decompile its code, they can root out these keys and use them to connect to any authorised system – including the bank’s servers.

With mobile financial apps already providing so many attack vectors, both the banks and “approved firms” involved in the data sharing scheme will need to be even more vigilant in proofing their applications against criminals. The more data is shared and interconnected, the greater the risk of attackers being able to infiltrate multiple organisations to operate large scale data theft.

Advanced app hardening techniques such as code obfuscation and white box cryptography will help to protect against many of the risks inherent in mobile apps, but all parties involved must explore every available route to protecting this potential vast collection of data from attack. With data shared on this scale, there can be no weak links if the scheme is to succeed.”
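The challenge-response weakness described in the comment above, shown end to end as an added example (this is not Arxan's code and not taken from any real banking app): a server issues a random nonce, the app answers with an HMAC over it using a key baked into the app, and an attacker who recovers that key from the binary answers a fresh challenge just as well as the genuine app. The `BankApiServer` class, the `api_key=` marker in the constructed fake binary, and the sample key are all hypothetical. The replay step is included to show what the nonce does protect against, so the key itself is clearly the weak link.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed example data (not from any real app): a 32-character API key as a
# mobile app might embed it, and a fake "binary" blob that carries the key as a
# plain string next to other data, as a decompiler or `strings` would expose it.
API_KEY = b"Qm7vX2pL9sT4wE1rY6uI0oP3aS5dF8gH"
FAKE_APP_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x90" * 64
    + b"https://api.example-bank.invalid/v1/\x00"
    + b"api_key=" + API_KEY + b"\x00"      # hypothetical marker used below
    + b"\x90" * 64
)


class BankApiServer:
    """Minimal challenge-response verifier using one shared secret for every
    copy of the app (hypothetical; the pattern criticised in the comment)."""

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each nonce is accepted once, so a captured response cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key: bytes, nonce: bytes) -> bytes:
    """What the genuine app computes. Anyone holding the key can run it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def extract_key_from_binary(blob: bytes) -> Optional[bytes]:
    """Crude strings-style recovery of the embedded key (hypothetical marker)."""
    match = re.search(rb"api_key=([A-Za-z0-9]{32})", blob)
    return match.group(1) if match else None


def demo() -> dict:
    server = BankApiServer(API_KEY)

    # 1. The genuine app authenticates normally.
    nonce = server.challenge()
    genuine_ok = server.verify(nonce, client_response(API_KEY, nonce))

    # 2. Replaying the same captured (nonce, response) pair is rejected:
    #    the challenge-response design does hold up against passive interception.
    replay_ok = server.verify(nonce, client_response(API_KEY, nonce))

    # 3. An attacker who decompiles the app recovers the key and answers a
    #    fresh challenge; the server cannot tell them from the real app.
    stolen_key = extract_key_from_binary(FAKE_APP_BINARY)
    nonce2 = server.challenge()
    attacker_ok = server.verify(nonce2, client_response(stolen_key, nonce2))

    return {
        "genuine": genuine_ok,
        "replay": replay_ok,
        "attacker_with_extracted_key": attacker_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `genuine` and `attacker_with_extracted_key` both true and `replay` false: the nonce stops replays, but nothing in the exchange distinguishes a key read out of the decompiled app from the key in the legitimate one, which is why the comment points to hardening the app (obfuscation, white-box cryptography) rather than the protocol alone.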

Author: Dylan Jones