Zimperium's Mobile Security Blog

Securing Our Mobile Banking App

I recently talked with Julian Hall, senior vice president of enterprise architecture and application development at Security Service Federal Credit Union, to discuss what steps he and his team took in securing his credit union’s digital channels.

Julian has more than 30 years of software industry experience and has been with Security Service for the last 13 years, leading and growing the application development teams. Security Service Federal Credit Union is among the top credit unions in the nation and the largest credit union in Texas.

Julian and I talked specifically about why he initiated his research, useful resources he found, and which answers were difficult to uncover. The entire conversation is recorded in this webinar, or you can review a partial transcription below.

Topics include:

Julian: I’m the Senior Vice President at Enterprise Architecture and Application Development over at Security Service Federal Credit Union. I’ve been in the software industry now for 30 years.

I started as an IBM developer in England. I was working on the internals of CICS, the big online transaction processor. I had the privilege of working in the restructure of the security domains, which started me in security. From there at IBM, I branched out into worldwide consultancy, mainly in financial institutions, and I moved on to Siebel Systems, in their Financial Services Global Competency Center.

I was the Operations Architect for e-commerce at USAA for about five years, and I’ve been working at Security Service Federal Credit Union for the last 13 years. I’ve had the honor and privilege of being able to grow all of the application development teams and the associated initiatives that we’ve done across practically every line of business and business process we support.

I’ve lived through quite a lot of change over the industry over the years. I have seen things evolve from my home banking proprietary client-based account access, internet banking, mobile banking, wearables, and voice, those kinds of technologies.

What did you learn when rearchitecting your digital channel?

 

Scott: Can you explain to us what you learned when researching your digital channel?

Julian: It’s always been the case that the industry has been changing. Obviously, there’s been some radical revolutions that have gone on over the last 30 years. I’m used to seeing change happen and seeing how things come together. One of the things that was a little different on the digital platform world was how the industry was changing faster than the ecosystem of participants.

What I mean is there’s a whole different array of participants. Some from mobile banking providers, to security firms, to vendors, to utility tool providers, and all kinds of supported things for operational maturity and other parts, and it wasn’t an even distribution of how people were keeping pace with the changes.

I kind of liken it to how there are internal combustion cars and electric cars. Some elements stay the same and keep pace, and some things have radically changed. We all need tires. We all need steering wheels and dashboards, and windows.

However, when you start looking at motors and the kind of mechanics underneath, batteries, gearboxes, transmission… those kinds of things are all evolving as is the distribution of vendors and the services. Back in our world, it was patchy as to how much they were covering the total space of digital channels.

Some of the available information was not easy to understand – – whether or not there was a full assessment of the different aspects – – not because of any kind of desire, to mislead, or hide, or suppress it.

It was just the speed of change, the speed of emergence of the different parts of the digital self-service world meant that not everyone was up-to-date and had a complete picture of all different aspects of the digital banking world.

Scott: When you say “everyone,” can you put some boundaries on that? Are these people producing solutions or people looking for solutions?

Julian: Both. On one side, people looking for a solution were challenged and still are. In knowing the right questions, the right kinds of areas to start, where to go deeper into things.

Here’s an example – I can remember about 15 years ago when the first kind of ideas around mobile banking was starting to be formed and we started to go towards actual solutions out there.

There were some assumptions out there. Things like, “there’s only so much you can,” and “the platform device provider won’t let you touch this part of it.” iOS is another big example of artificial enclaves that were drawn around the purview of how you worked, or how you thought about your mobile banking solution.

And over time, those assumptions play themselves out. You realize, “that’s not allowable” or “that’s not permissible.” In this day and age, you can’t make assumptions anymore.

Here’s a good example of the litmus tests that I’ve been using on some of these areas: I’ll ask the question about, jailbreaking devices, and when you get back the answer, you can get an idea about how well someone or an institutional vendor is thinking about that.

Ten years ago, an answer might have come back and said, “well, yes, we check jailbreaking.” In this day and age, that question needs to be answered much more deeply because you need to understand how the devices are protected against jailbreaking.

What kinds of checks are going on because the bad guys are always adapting what it means to jailbreak a phone, and they have different mechanisms on how they hide what they’re doing.

Flipping the question backward and forwards, you get an idea on the maturity of the people talking in the mobile space about jailbreaking, what to do, and how deeply they think about the types of jailbreaking – – the ways it’s deceived, and the ways in which the bad guys are basically using that to hide what they’re they’re doing.

It’s one of the tests that we’ve been using to evaluate just a general sense of when you’re dealing with different participants in the mobile banking space.

We’ve been looking at some other areas beyond that, for instance, going deeper into the trusted nature of the clients that the devices that we have are showing that there is a space that is really becoming more established as a category now for folks.

What I mean by this is runtime application self-protection, RASP, and client-side detection – – those kinds of acronyms now are starting to gain traction with regard to being able to look at those things in a more critical way, and be able to evaluate exactly what’s going on with that device. Figure out what you can do to protect yourself against those kinds of threats – – like malware or other kinds of activity. You really have to take charge of your own analysis and evaluation of the things that are important to you because there isn’t a complete picture.

Gartner helped us out with being able to point out some of the areas to look at, but I really advise that folks need to be cognizant of their own needs, own risks, go out, and look at many different sources. Review different perspectives to find out what kind of status we’re at in that particular part of protection and security and capability, and do it frequently because it is evolving, and it is changing.


Was there a specific mandate or was there some type of event that initiated your project?

 

Scott: Was there a specific mandate, or was there some type of event that initiated your project?

Julian: Absolutely. Not that long ago, there was a piece of malware that came to our attention called Anubis. I started to read a little bit about it, and I was fairly dismissive – – What is this thing? What’s going on? And what does that mean for us?

I wasn’t really giving it too much attention until I started reading more and understanding what was going on. I began to get more and more of an epiphany about just how much effort and research was going on with the bad actors of the world.

Seeing the effort that was going on, on this malware, to target specific financial institutions – – to tailor it, adapt it, and to do some sneaky things like waiting until the accelerometer was telling you that someone was moving around for it to then wake up and start transmitting information.

This kind of side by side app world, where a rogue app is pretending to be something but was harvesting information or doing other malicious things, started to open the door about just how much other stuff was out there and what was going on.

It then started to put further questions in my mind – – isn’t there something we can do better? Isn’t there something that we can do more proactively around this? What can we do to insulate our membership from any of this activity that’s going on?

That’s what got us looking more closely at the whole platform out there on Android and the Apple world. We started to ask questions – – What can we deduce? What can we know about the environment that our applications sit within so that we can get a finer focus on the level of trust that we can have on applications?

That was one of the key drivers in realizing that we need to start looking more closely at this newer threat, this maturing world happening in this space, and even the integrity around the iOS framework were now questions that needed answers. We needed to take a more serious look because evidently, there were things going on in the Apple world that we didn’t think were necessarily going on or allowed to go on.

How will COVID-19 and a renewed remote culture affect customer self-service or credit union employees after the coronavirus crisis?

 

Scott: How does the coronavirus crisis change your credit union employees? How does it change your remote self-service, your digital channels? What do you think we’ll see after this?

Julian: I think we’re likely to see an acceleration of the trends that have already been happening regarding cybercrime. One of the things that are interesting that I’ve seen some reports around – rather anecdotally – is how crime has radically reduced in the COVID world. Well, the bad guys are in self-isolation as well. There are many different types of crime that are not happening as much. Fraud, theft, robbery are just harder to enact when the population isn’t around.

The criminals, though, are still looking for their income streams, which may force them to start looking at other kinds of avenues of malicious activity. If some of that means those bad actors are now diverted into the e-commerce fraud world, card-not-present fraud, ID theft, and account takeovers. In the dark web, there are even facilities created for people who don’t have strong technology skills to be able to exploit and buy actions that are damaging for potential fraud and rather malicious activity.

With more people looking at this channel to detect any kind of malicious activity, there’s going to be more skills and investments. This is why I say the trends going on today may get accelerated by having that extra kind of participation and demand in that kind of market space.

When we look at this from the other side of the coin, from our memberships point of view, there’s a shift now. Their perceptions of how they’re conducting their transactions and the drive for more self-service are very much alive. Having certain amounts of services on our platforms is good, but in the post COVID world, people are going to say, “what I want to do is more without having to go out. I want to be able to do more and more of these kinds of transactions.”

That’s going to drive more services onto e-commerce platforms in the online banking and financial industry platforms. Meaning the level of security – the whole trust you are trying to understand – is going on when someone is interacting with you on your online services. That also means more attention must be paid as to what is the trust that you’ve got, which links back to what I said about bringing trust into focus. Doing so means you’re taking a wider viewpoint – – additional layers as to what makes up the whole perception of what you deal is and the level of trust you’re associating with this actor interacting with your site.

People working more remotely is another driver here. We’re going to have more people working from home, and you know that’s going to introduce more attack vectors for the bad guys to use through the home networks and the other equipment that’s now potentially available.

Even if it is just a small increase of what’s going on it definitely is a point where organizations need to pay attention and to think carefully about what is the totality of all of the different security layers you have in place for what they are not only doing now but also what they need to do in the future as a result of the change in habits that the post-COVID-19 world is bringing onto us.

What information were you looking for that was difficult to find?

 

Scott: When you were doing all your renewed research, you said that some information was difficult to find, or unavailable, or not readily accessible. Can you explain a little bit about what you’re looking for and why it was difficult to find?

Julian: One of the things that was difficult to find was the consistency of the information. We were really looking for comprehensive, unbiased, matured, current, honest advice about some of the state of services, and it was very much a case of a hodgepodge of information that was all over the place.

Some of it was contradictory, some of it was like-minded, but some of it was isolated, and it was very obvious that you had to plot your own course through the information as of today. It meant that really what you needed to do was have an iterative approach through all of the information that was out there to get many different kinds of reads on what was going on; what was possible; what was the emerging picture of what you can do.

For instance, in the Anubis world:

  • It’s horrific, what’s going on?
  • All right, but is it alone?
  • What does that mean?
  • How many other kinds of malware are there?
  • How advanced are they?
  • How quickly are they changing?
  • What kinds of protections are available?
  • What are other people doing?
  • How pervasive are these things?

That information was very difficult to come by, and it meant you had to make some informed deductions around the status of what you could actually do….what kinds of things were possible.

That was very illuminating for us in saying all these things that we can do. There are mechanisms out there. There are some capabilities that have evolved that give us another chance to be able to have a better understanding as to what’s going on, what the overall context of the other processes was, and the activities occurring on that device relative to when an online banking type of transaction is going on.

That was important for us and a bit of a breakthrough. Now there are things that we can do, and we should be doing.

It was hard to get to, quite frankly, as I was saying that this is emerging, this is possible, this is a road that is now becoming much more of a road more traveled, and what people need to do is just bake-in another layer to the way they secure their applications.

How are you using your research to secure your digital channels and mobile experiences?

 

Scott: What are you going to do now? You’ve done this research; what are you going to do differently with your digital channels, and mobile experiences, and maybe some of the services that are coming online the next months?

Julian: The key thing is taking a closer look at how we think about trust, and how we think about risk in those kinds of environments.

It will inform what we do concerning capabilities that are available, and adjusting policies that are much more reflective of the level of trust that we have going on.

It is a set of ingredients that has to go on looking at what you’ve achieved with authentication, the device assurance that you have, and then the limits of the activity and the types of service/the expansion that you may be looking at with the things that you put on.

Those are all going to be things that we will look at differently and will be taking a closer idea at what that means for our different types of members. The kinds of things that we’re allowing them to do, the number of things that were going on, the frequency, the velocity of the things that are happening first. And then be able to say, “this is something we look at, something that we review or something that we decline.” But I think overall, this is going to definitely change as far as our perception, or our thought process on the actual device itself.

Mechanisms and controls that mobile banking apps should have

 

Scott: Are there some fundamental mechanisms and controls that mobile banking apps should have implemented? Maybe we can talk about at a minimum what they should have implemented and at a maximum?

Julian: One of the guidances that came out a long time ago, and it’s still true today, is from the FFIEC, when it talked about layered security and other kinds of names like defense-in-depth on different areas. That’s one of the key areas that continues here, but it may now be an expansion on the different types of layers.

You’re looking out beyond your organization with regard to what other actors are doing (good and bad); looking at some of your enrollment processes; looking at authentication; how you’re authorizing different transactions; the administration and monitoring that’s going on; and auditing is also important in our financial world.

As far as the controls that are put in place, there are obviously different dimensions to what controls the kinds of services that are out there. Every financial institution has their own tolerance to different risks. They have their own kinds of profiles that they associate with different kinds of activity – not just on the nature of the member of the client or customer that’s coming in- but also on the context of how it’s being conducted; where it’s come from; any other kind of frequency of activity that’s going on; then the amount of its transactional base.

The organization defines what is going to be an appropriate risk based on trust, the kinds of service, and other kinds of profile attributes associated with someone.

 

How to resist pressure if the business wants to run a financial app on a jailbroken or rooted device

 

Scott: How do you resist pressure if the business wants to run a financial app on a jailbroken or rooted device?

Julian: It’s an interesting question. A realistic question that comes up. You have to think about what is the worst-case scenario of what can happen? That means understanding what are the kinds of ways that your app can be used? What kinds of services are offered? If there are live-money transactions, big-dollar transactions, and significant kinds of things going on, that could be damaging for the organization reputation-wise or from other kinds of threats that could potentially go on.

It really comes down to outlying the kinds of risk and exposure that there may be on these different things, and it can be another uncomfortable conversation sometimes because you may point out some areas your organization may need to have extra investments.

So, for instance, it may be that if we’re going to allow a particular capability to get opened up on a jailbroken device, then we need to invest more in monitoring. We need to invest in people who will be able to look at this activity and review it more. We’re going to limit the amount of functionality that we have to do, or we’re going to put other kinds of controls in place, like step-up authentication, that goes on to evaluate if there is another authentication needed. Maybe there’s extra authentication that’s required.

It comes down to a case of helping the business understand what the exposure is that they could be opening up. But then also providing the alternatives around the extra reinforcements that could be invested in that would help to mitigate some of those things. Also, providing capabilities to be able to potentially suppress or even turn off any functionality that starts to show signs of compromising the organization.

It is a challenge, but we, as technologists, must always face. We are here to support the business. Ultimately, it’s a case of educating the business on the kind of risk and the worst-case scenario and the probabilities and likelihood in an objective way, and then presenting those kinds of investments that could potentially help mitigate what’s going on. It’s ultimately going to be left more as a business decision.

I often found that once people have a bit of an understanding about what they’re asking for and the consequences, they start to realize you need other organizational help. Risk management groups or different kinds of control groups within organizations can also provide that kind of input. Ultimately it’s a collective decision.

Scott: Julian, thank you for spending time with me and our audience today. I appreciate your insight.

Julian:My pleasure, Scott. Thank you.