As Mobile Shifts From Trending to Necessity, CUs Must Assure Data Protection

In the middle of the coronavirus pandemic, credit unions, other financial institutions and retailers are increasingly depending on mobile apps for business continuity while asking consumers to stay alert for cybercriminals.

As the entirety of commerce shifts to mobile apps, consumers are at risk. Cybercriminals are already taking advantage of the pandemic and people’s increased reliance on mobile apps, a dependence that might have accelerated a trend already taking place.

Tom Tovar, CEO and co-creator of the Redwood City, Calif.-based Appdome, which provides a no-code mobile solutions platform, noted, “What’s true for credit unions is true for the whole financial services industry. The notion of going to a bank or a credit union or going to a store, shopping center or whatnot is declining very rapidly.” Tovar explained mobile is now center stage for how people transact, save and even communicate with their financial institution. In many cases, the coronavirus outbreak fast-tracked a shift already underway. “This is a big sea change. A lot of our customers are telling us this is an acceleration of something that was happening already. But now it has gone from being a trend to being a necessity,” Tovar said.

Tovar added, “What we’re finding is the projects and the strategies and the intentions that were there from the get-go within credit unions and banks, now need to be fully funded and need to be put on the hierarchy of priority.”

Many organizations, including credit unions and banks, requesting consumers choose mobile first and also asking consumers to practice safe mobile banking. “If that’s the case, then you have to start asking yourself, ‘What are the obligations and what are the expectations of the consumer and/or business during this time/?’” Tovar said.

The Appdome CEO pointed out now that mobile is center stage, protections like data encryption, shielding user credentials, and safeguards for the connection between the mobile app and the back-end, now share the spotlight and are highly important. “You need to make sure of this basic bill of rights as we all shift toward that being the primary way that we interact with our banking.”

Tovar maintained, “This isn’t necessarily a criticism of what’s going on, it’s an acknowledgement of what’s going on out in the world.” He added, “It’s not enough to protect the business data and the app. You have got to protect the consumer data. Your users have shifted to using your mobile app as your primary storefront. So, if your mobile app is your business, secure it.”

Appdome provided a COVID-19 bill of rights for mobile banking apps:

• Secure data storage with OWASP, M2 (Open Web Application Security Project, insecure data storage). Simply put, secure the user’s data at rest, i.e., stored locally by the mobile app.
• Sufficient cryptography (OWASP M5). Use Advanced Encryption Standard, 256 bits or higher on all data elements in the app, including strings, preferences and resources.
• Secure communication (OWASP M3). Protect against man-in-the-middle attacks. There should be no reason hackers and thieves should see data that passes between an app and the back-end.
• Encrypted username and passwords. “Surprisingly, many apps don’t do this inside the app itself.”
• Protect users against fake apps. Most apps available in the app stores do not protect against tampering, reversing and similar threats, allowing malicious actors to create and distribute fake apps to prey on unsuspecting consumers.
• Protect users against keylogging. This is an add-on for protecting usernames and passwords, as malicious third-party apps can track and store user credentials added to apps.