2. EXECUTIVE SUMMARY
DIGITALIZATION AND MOBILIZATION
ADOPTING MOBILITY IN BANKING
5 TRENDS TO WATCH OUT FOR
THE BILLION DOLLAR BANK HEIST
RESEARCH METHODOLOGY
THREAT SCENARIOS
OUR FINDINGS
THREAT SEVERITY LEVEL
TOP THREATS
CONCLUSION
CONTENT
Mobile Banking in APAC | 2
3. Poised at the center of the world’s fastest-growing and soon-to-be-largest
wealth markets, the potential upside for Asia-Pacific’s private banks and
wealth managers is clear. Asia-Pacific is the highest-growth region for
private banks and is soon expected to overtake North America as the
largest market for High Net Worth Individuals (HNIs), that is, customers with
more than $1 million in investable assets.
With tremendous pressure from stakeholders and investors, and rivalry
from other financial institutions, banks are now being forced to go down
the path of innovation and technological change to ensure sustainability.
Most Asian banks have been seen to adapt well to change; however, with
the opportunity that comes with change also come major security
concerns.
Appknox’s study with some of Asia’s top mobile banking players covers:
› How banks in Asia are innovating to keep up with trending
consumer demands.
› How mobile will be a central influencing factor in facilitating
change in banking.
› Key Trends Asian banks are experiencing and adopting.
› A bank heist that forever changed our view on hackers.
› Results obtained from the study conducted with over 100 top
mobile banking providers in Asia.
› An overview of the threats and vulnerabilities found across the 100 banks.
We foresee that banks able to adapt, embrace and restructure their
digital, and in particular their mobile, strategy to the changing dynamics
of the banking ecosystem will be the ones in authoritative positions to
reap the benefits from APAC’s predicted growth trend.
“By 2018, the Asia Pacific region is expected to make up more
than one-third of global wealth, with its private wealth
forecast to reach $76.9 trillion.”
EXECUTIVE SUMMARY
4. Banks are still struggling to devise the perfect cross-channel experiences for
their customers, experiences that take advantage of digitization to provide
customers with targeted just-in-time product or service information in an
effective and seamless way.
- McKinsey
As ideal as it seems, changing core banking systems to become truly digital
is not an easy task. However, traditional banks have to watch out for
new and nimble companies that are looking to penetrate the financial
market with newer technologies such as mobile, social pay and e-wallets.
Embracing digital banking strategy - Best practices:
› Be quick to adopt digital strategies to cope with the new age
non-banking competitors.
› Leverage advanced analytics and Big Data to understand how
customers make decisions in their digital journey.
› Go mobile first and accept mobile payments to provide a retail-like
experience to banking customers.
› Expedite delivery of banking services through digital.
Rise of DIGITALIZATION AND MOBILIZATION in Banking
6. Mobile banking has existed for close to 15 years. However, with the recent
boom in the smartphone market, mobile banking has turned from a
convenience into a vital tool.
Bankers have been talking about using cell phones as a channel for
consumer banking almost as long as energy companies have been trying to
make solar power affordable, but it has taken a confluence of factors to
make mobile banking a reality.
Why banks should go Mobile...
› Rapid adoption of smartphones-
2 billion consumers worldwide to get smart(phones) by 2016.
› Shifts in consumer preferences-
Like automated teller machines (ATMs) and online banking services,
smartphones give consumers the power to perform actions like real time
payment, instant generation of bank statements, credit card payment and
many other such features.
› A significant capability build-out
The Global Mobile Banking Report 2015 claims that the adoption of mobile
technologies for banking has reached 60% to 70% of the total banking
population in India and China, which is higher than in the United States and
Europe.
› Product and services innovation
The mobile channel allows banks to offer customers features they cannot
find online, such as remote check deposit, person-to-person (P2P)
payments, and real-time fraud notification.
- Deloitte
ADOPTING MOBILITY IN BANKING
7. - Cisco
Mobile is already the largest banking channel for the majority of
banks by volume of transactions.
-KPMG
The Cisco Visual Networking Index Global Mobile Data Traffic Forecast (Cisco VNI) for 2014 to 2019
indicates there will be 5.3 billion mobile users and 11.5 billion mobile-ready devices, including 8.3
billion personal mobile devices and 3.2 billion M2M connections by 2019.
Mobile adoption rates are highest in so-called developing
countries – reaching 60-70% in China and India – rather than
developed nations, such as the US, Canada and the UK.
-KPMG
Innovation will be the focus for APAC banks in 2015. Many of
them now allocate up to 25% of their IT budgets on emerging
technologies designed to improve operations and services.
-IDC Financial
In addition to rapidly-growing consumer use of mobile banking
and payments, there has also been a clear global shift towards
interbank real-time payments.
-IDC Financial
Another popular APAC banking 2015 trend is the continued
growth of global RMB payments. In November 2014, the RMB
reached a new milestone when it overtook the Canadian and
Australian dollar as a global payments currency.
-IDC Financial
“By 2020 an estimated 50 billion devices will be connected to the internet.”
5 TRENDS TO WATCH OUT FOR
8. $1B | 100 Banks | 30 Countries | 2 Years
1. Infection
› Email with exploits: Carbanak backdoor sent as an attachment to a bank employee.
› Credentials stolen.
› 100s of machines infected in search of the admin PC.
2. Harvesting Intelligence
› Intercepting the clerk’s screens.
3. Mimicking Staff
How was the money stolen?
› Online banking: money was transferred to the fraudsters’ accounts.
› E-payment systems: money was transferred to banks in China and the US.
› Inflating account balances: the extra funds were pocketed via a fraudulent transaction.
› Controlling ATMs: orders to dispense cash at a predetermined time.
[Diagram labels: Hacker, Bank Employee, Admin, Rec]
‘A multinational gang of cybercriminals infiltrated more than 100 banks across 30 countries and
made off with up to one billion dollars over a period of roughly two years.’
- Kaspersky
THE BILLION DOLLAR BANK HEIST
10. This research covers Android mobile applications available in the APAC
region of the Google Play Store. Only Android applications were
chosen to maintain consistency in comparison and analysis.
Why did we choose banking?
Banking has always been central in our daily lives. Banks have also always had the
reputation of being an early adopter of technology, often innovators themselves. In
a world where mobile phones are the centre of technological innovation directly
impacting the lives of many, it was essential to study how security for banking
would cope with this magnitude of technological innovation and change.
How did we choose the apps?
We chose APAC as our region of study, picked 106 banking apps that
operate in this region, and analyzed their Android applications across 14 threat
scenarios. There was no bias in selecting the apps. These include almost all the
banks that offer their services via a mobile app in this region.
RESEARCH METHODOLOGY
11. 106 banking apps, 14 threat scenarios
› HostnameVerifier Allows All Hostnames
› Broken Trust Manager for SSL
› Improper Content Provider Permissions
› Insecure SSL Socket Factory Implemented
› Broken HostnameVerifier for SSL
› Remote Code Execution Through JavaScript Interface
› Application Logs
› Derived Crypto Keys
› Unprotected Services
› Insufficient Transport Layer Protection
› Application Debug Enabled
› Improper Custom Permission
› Unused Permissions
› App Extends WebViewClient
THREAT SCENARIOS
12. 106 mobile banking apps were scanned.
85% of the mobile banking apps failed basic security check!
50% of apps were found to have at least 4-6 loopholes in them!
[Chart: 15% / 85% of apps]
[Chart: Number of Vulnerabilities: 0-3: 34%, 4-6: 54%, 7-9: 12%]
OUR FINDINGS
13. 67% of the threats detected were of HIGH SEVERITY.
› 24% low severity
› 9% medium severity
› 67% high severity
THREAT SEVERITY LEVEL
14. Top 5 threats
“74% of the apps were diagnosed with the top 5 threats.”
[Chart: share by threat type. Labels: Broken Trust Manager for SSL; Remote Code Execution Through JavaScript Interface; Unused Permissions; Insufficient Transport Layer Protection; Derived Crypto Keys; Other Threats. Values: 24%, 13%, 15%, 10%, 12%, 26%]
TOP THREATS
15. Along with using and reinventing old hacking techniques, cyber criminals are
constantly exploring newer, more sophisticated channels to exploit financial institutions.
The recent explosion of mobile app markets has paved the way for hackers to exploit
new hunting grounds.
According to a study conducted by PwC, 45% of Financial Services organizations
have suffered economic crime, compared to only 34% across all other industries.
Security threats are constantly evolving...
We put 106 mobile banking apps to the test, across 14 different threat scenarios.
Our study revealed that 85% of mobile banking apps had security loopholes of high,
medium or low severity. Over 50% of apps were found to have at least
4 to 6 bugs in them. We also found that more than 74% of apps were diagnosed
with the top 5 threats on our checklist, making them extremely vulnerable to
attacks.
Standard Security Measures can only take you so far…
We’ve observed over the years that, despite security measures being ramped up,
hackers have still found their way around them. It is evident from this study that
threats are still prevalent in several mobile banking apps. Mobile apps have
woven their way into being a key component of digital banking strategy. It is vital
that banks give equal importance to both innovation and security to
ensure maximum customer satisfaction.
462 threats found in a total of 106 apps across 14 threat scenarios.
CONCLUSION