

THE MOBILE ATTACK SURFACE

Copyright © 2017 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. 172091

SECURITY CHALLENGES FOR BANKS

According to analysis and estimates by NowSecure, Inc. (NowSecure):[1]

The proliferation of mobile devices, applications (apps) and operating systems continues to drive innovation and expand the mobile ecosystem. However, this continued expansion may also create unique security risks around the storage and transmission of sensitive information via mobile devices.

ATTACK SURFACE: THE DEVICE

BROWSER
• Phishing
• Framing
• Clickjacking
• Man-in-the-Middle
• Buffer Overflow
• Data Caching

PHONE/SMS
• Baseband Attacks
• SMishing

MALWARE

SYSTEM
• No Passcode/Weak Passcode
• iOS® Jailbreak
• Android™ Rooting
• OS Data Caching
• Passwords and Data Accessible
• Carrier-Loaded Software
• No Encryption/Weak Encryption
• User-Initiated Code

APPS
• Sensitive Data Storage
• No Encryption/Weak Encryption
• Improper SSL Validation
• Config Manipulation
• Dynamic Runtime Injection
• Unintended Permissions
• Escalated Privileges

ATTACK SURFACE: THE NETWORK
• Wi-Fi (No Encryption/Weak Encryption)
• Rogue Access Point
• Packet Sniffing
• Man-in-the-Middle (MITM)
• Session Hacking
• DNS (Domain Name System) Poisoning
• SSL (Secure Sockets Layer) Strip
• Fake SSL Certificate

ATTACK SURFACE: THE DATA CENTER

WEB SERVER
• Platform Vulnerabilities
• Server Misconfiguration
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (XSRF)
• Weak Input Validation
• Brute Force Attacks

DATABASE
• SQL Injection
• Privilege Escalation
• Data Dumping
• OS Command Execution

There are three areas in the mobile technology chain where parties may exploit vulnerabilities to launch malicious attacks: the device, the network and the data center.[2]

FOR MORE INFORMATION, VISIT:

Accenture Finance and Risk: www.accenture.com/financeandrisk

Accenture Security: www.accenture.com/us-en/security-index

REFERENCES

1. “Secure Mobile Development Best Practices,” NowSecure. Access at: https://www.nowsecure.com/ebooks/secure-mobile-development-best-practices/.

2. Ibid.

3. Mobile Banking Applications: Security Challenges for Banks, Accenture and NowSecure, April 2017.

Copyright © NowSecure, Inc. All rights reserved. The NowSecure name and logo are trademarks of NowSecure, Inc. and are used with permission.

Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. We disclaim proprietary interest in the marks and names of others.

35 PERCENT of communications sent by mobile devices are unencrypted and the average device connects to over 160 unique IP addresses daily.

As mobile devices continue to replace legacy hardware across organizations and industries, it is critical that security remains top-of-mind and is embedded within the app development lifecycle. With this in mind, Accenture and NowSecure collaborated to analyze the mobile threat landscape, specifically for customer-facing mobile banking apps.

ONE IN FOUR mobile apps include at least one high-risk security flaw.

43 PERCENT of mobile device users do not use a passcode, PIN or pattern lock on their devices.

TOP SECURITY RISKS FOR MOBILE BANKING APPS

To assess the security of mobile banking apps against fraud and penetration attempts, static and dynamic analysis was performed using the NowSecure Lab Automated tool. The vulnerability assessment included customer-facing mobile banking apps from 15 unique North American financial institutions on both iOS® and Android™ operating systems (30 total apps).

All apps included in scope were publicly available and downloaded directly from the respective online app stores. A total of 780 tests were performed across the apps in scope. Overall, every app tested had at least one security issue.[3] The top risks identified appear below.

Applications running on Android™ Operating System
Applications running on iOS® Operating System

WORLD-WRITABLE FILES: CVSS 7.7 – 33%

WRITABLE EXECUTABLES: CVSS 7.7 – 7%

BROKEN SSL (SECURE SOCKETS LAYER) & SENSITIVE DATA IN TRANSIT (WITH ENCRYPTION): CVSS 7.4 – 13%

OBFUSCATION: CVSS N/A – 60%

SECURERANDOM: CVSS 5.5 – 73%

COOKIE “HTTPONLY” TAG: CVSS 5.3 – 40%

TLS (TRANSPORT LAYER SECURITY) TRAFFIC WITH SENSITIVE DATA: CVSS 1.6 – 80%

APP TRANSPORT SECURITY: CVSS N/A – 60%

DYNAMIC CODE LOADING: CVSS 4.3 – 33%

IMPACT VULNERABILITY SCALE: Low – Medium – High

BANKING MOBILE APPLICATIONS

EMBEDDING SECURITY IN MOBILE DEVELOPMENT LIFECYCLE

The mobile development field is a complex environment that is constantly evolving, which creates a hyper-dynamic environment for developers. These complexities often increase the attack surface, with mobile devices constantly challenging the boundaries of an organization’s security perimeter. Mobile apps should, at a minimum, be developed with the same security standards as any other software asset.

Accenture has identified key principles to help organizations develop a comprehensive program for embedding security throughout the enterprise’s mobile lifecycle. A strategy grounded in six key principles allows banks to proactively address security vulnerabilities throughout the mobile development lifecycle and to make informed decisions about security risks.

Leading organizations recognize the expansion of mobile technologies within their enterprise and proactively seek ways to securely integrate them to further enable their workforce and achieve business goals by:

1. Developing a mobile security strategy to properly integrate with the overall security and business strategy.

2. Identifying the resources and systems that are affected by the introduction of mobile technologies.

3. Selecting the technologies and implementing controls to meet requirements defined by business needs as well as compliance requirements.

4. Understanding the impact across the organization and the processes needed to support it.

1. DEVICE
2. NETWORK
3. DATA
4. APPLICATION
5. USER ACCESS
6. GOVERNANCE & COMPLIANCE

TOP RISKS IDENTIFIED AND CVSS

COOKIE “SECURE” TAG: CVSS 5.3 – 54%

CVSS: Common Vulnerability Scoring System