July 8, 2020

Online Banking Growth: New Security Challenges

by Rui Ribeiro


Over the course of a few weeks, the digital component of banking services became key in every economy. Not only are we seeing large scale closures for physical branches, but fears of “infected” cash are prompting a change in how consumers are paying for goods and services. Electronic payments look more appealing now as a safer alternative to cash. Against this backdrop, and with the general upsurge in consumer digital banking, what are the key security concerns for banks?

Consumers are turning to digital and mobile banking in a big way. In some countries, central banks are even advocating that consumers do so. For example, in the UAE the Central Bank has called on bank customers to take advantage of digital and online banking services as a measure to ensure the health and safety of residents amid the coronavirus pandemic. This digital banking trend is even extending to payments. In Italy, one of the first countries to order residents to stay home in a bid to prevent the virus from spreading, e-commerce transactions have soared 81% since the end of February, according to estimates by McKinsey & Co.

Amidst all the fear and worry that COVID-19 has generated, industry analysts have pointed out the significant opportunity for incumbents to make a move to digital - they feel that the winds of change in consumer behaviour might turn out to be permanent. On the consumer banking side, there will undoubtedly be more adoption of online options from traditional banks, and as people self-quarantine they will probably avoid bank branches too. The crisis has definitely provided all the ingredients for a move to digital where we will witness people moving to utilise all forms of digital financial services. In fact, one recent survey found that 84% of consumers expect banks to find ways to maximise digital interaction to keep them safe.

Major neobanks (direct banks that operate exclusively online without traditional physical branch networks) are expanding rapidly. This is the case with Revolut, who have recently launched in the U.S. market, N26, who are seeking to reach more European customers, and Nubank, who are taking Latin America by storm after quickly surpassing 20 million clients. And we are already seeing signs across the globe of incumbents accelerating their digital presence and the release of new banking applications. For example, South Africa’s Nedbank is accelerating the rollout of its digital strategy across Africa as customers turn away from face-to-face banking.

However, financial institutions are still faced with new challenges as they prioritise the move to digital. This is certainly the case when implementing infrastructure and procedures to allow for online account opening - many financial institutions are challenged to open new accounts completely online, certainly a differentiating feature of fintechs, challenger and neo-banks. But perhaps a much more important challenge comes from keeping customers and their data safe.

Insofar as most digital banking providers rely on fast, agile product development to keep up with consumer demand, they often sacrifice security in favour of a quicker go-to-market. We’ve seen an increasing trend of banking applications built with JavaScript - a programming language with a large ecosystem and a widespread practice of reusing code. The shift to this new application development strategy requires banks to consider a whole host of new security threats.


Web and mobile banking apps have a considerable attack surface - even if we set aside code vulnerabilities and the security testing tools, such as SAST and DAST, used to find them. Even in a scenario where the teams that develop banking apps find and fix every single vulnerability in their JavaScript code, that code will still be plain and easy to understand. In much the same way that we can look at this code and understand how the banking application works, so can any attacker. And because these development teams rely extensively on third-party code, they also need to be prepared to face web supply chain attacks.

And this is where banks must consider this additional threat and ask themselves, “What would it cost us if someone were to tamper with our code to find ways to exfiltrate our users’ data?” At a time when so much is on the line, it is by asking more questions and instigating a holistic approach to security that banks will be able to keep their customers safe amidst this unforeseen acceleration in banking digitalization.

To protect the code of your banking platform with Jscrambler, start your free trial today.


Originally published by Rui Ribeiro on SC Magazine UK.