New Forms Of Malware Make Bank And Retail Apps Vulnerable, Says Cyber Security Expert
Mobile apps are becoming big business for businesses.
Many bank customers now check their account balances or transfer funds through an app on their cell phones. Savvy retail shoppers can use a favorite store’s apps to learn about discounts, access coupons and find daily deals.
“The apps for financial institutions and retailers are getting greater use and that can be wonderful for business,” says Gary Miliefsky, CEO of SnoopWall (www.snoopwall.com), a company that specializes in cyber security.
But as with so many things in the cyber world, caveats are connected. Even as companies provide additional services through those apps, they may be putting their customers at risk for fraud.
“Most companies don’t realize just how vulnerable their apps are and what the potential is for leaking their customers’ personal information,” Miliefsky says. “And when that happens, it’s bad for business.”
He suggests a few reasons why most companies need better protection for their mobile apps:
• New forms of mobile malware are being widely deployed in the major app stores and can eavesdrop on a customer through a company’s app. “These new forms of malware are undetected by anti-virus engines and are able to circumvent encryption, authentication and tokenization,” Miliefsky says. “That makes it easy for cyber criminals to exploit the personal information of a company’s customers and commit fraud.”
• The PCI Data Security Standard requires merchants to protect credit-card holder data. Likewise, mobile-commerce providers must protect any payment card information, whether it is printed, processed, transmitted or stored, Miliefsky says. “Even though a customer has the breach on their mobile device, the retailer is responsible because it was their app that allowed the eavesdropping,” he says. A breach of credit-card information potentially could result in fines for the retailer, Miliefsky says.
• The FDIC requires banks that are providing an ATM-like online or mobile-banking experience to protect access to the confidential records of the consumer, the consumer’s bank account information, user name and password credentials, and bill payment and check-deposit services. Just like with retailers, it doesn’t matter that the breach happened on the customer’s mobile device, Miliefsky says. The bank’s app caused the problem because it allowed the eavesdropping, so “the risk and the responsibility is the bank’s not the consumer’s, he says. And, as in the case with retailers, banks could face fines for a breach.
“Businesses have become great at creating useful apps that their customers eventually feel they can’t live without,” Miliefsky says. “But the failure to secure that app is going to come back to haunt the business over the long haul.”
About Gary S. Miliefsky
Gary S. Miliefsky is CEO of SnoopWall (www.snoopwall.com) and the inventor of SnoopWall spyware-blocking technology. His company produces AppCrusher, which gives companies a detailed analysis of any vulnerabilities or risks in their mobile apps. Miliefsky is a founding member of the U.S. Department of Homeland Security and serves on the advisory board of MITRE on the CVE Program, and is a founding board member of the National Information Security Group. He’s also the original inventor of the NetBeat NAC product line which was recently acquired by SnoopWall to protect networks from the inside and against bring your own device (BYOD) mobile threats.
By Ginny Grimsley