Examining Security Risks of Mobile Banking Applications through Blog Mining

Wu He, Xin Tian & Jiancheng Shen
Old Dominion University, Norfolk, VA, USA
whe@odu.edu; xtian@odu.edu; jshen@odu.edu

Abstract

This paper provides an in-depth review of the security aspect of mobile banking applications. The authors employed blog mining as a research method to analyze blog discussion on security of mobile banking applications. Security risks, protection strategy/best practices and future security trends are summarized to help banks and consumers mitigate the security risks of mobile banking applications.

Introduction

Many people are using their mobile devices such as smart phones to access various online services on a daily basis. In particular, mobile banking applications are increasingly becoming popular. Many banks are offering mobile banking services which allow bank customers to check the balance in their personal account, to transfer funds between accounts and to make online payments anywhere and at any time by simply using mobile banking applications installed on their mobile devices (Elkhodr et al., 2012). Moreover, customers can receive alerts from banks such as overdraft alerts, low balance warnings, recent large transactions, and so on (Panja et al., 2013).

Unfortunately, mobile malware has been increasing in frequency and sophistication in the past five years and has caused a variety of damages including leaking of sensitive financial data, financial loss and identity theft (He, 2013). In particular, mobile banking apps have attracted the attention of many cyber criminals (Panja et al., 2013). There are a lot of concerns with the security aspect of mobile banking since mobile devices are vulnerable to threats, attack and loss (Claessens et al., 2002).

In an effort to address the increasing threat, researchers and security vendors have been developing new practices, techniques and solutions to reduce security risks associated with mobile banking applications. To help readers understand the state-of-the-art in this fast-moving area, the authors synthesize the related discussions in the literature and provide an in-depth review of the security aspect of mobile banking. Currently, the discussion of security risks of mobile banking is disparate, fragmented and distributed in different outlets such as academic articles, white papers, security threat reports and news articles. The authors employed blog mining as a research method to analyze blog discussion on mobile banking applications. Best practices are summarized to help banks and consumers mitigate the security risks of mobile banking.

Literature Review

Mobile banking has been developed as an effective and convenient channel for financial institutions to distribute their services to clients (Mallat et al., 2004; Nie & Hu, 2008; Lin, 2011; Elkhodr et al., 2012). Mobile banking makes financial services easily accessible for customers through a handheld device (Singh et al., 2010). However, the wide use of smartphones is also accompanied with an equally alarming rise in mobile malware (Seo et al., 2012).

Security is considered a priority for many mobile banking customers. A survey found that when it comes to mobile banking, 31% of customers are willing to pay for added security features, 63% are willing to switch accounts for one with better security features, and 71% are willing to switch accounts to one that guaranteed losses would be reimbursed (Heggestuen, 2014). Cyber security experts suggested that the cyber-attacks against financial services institutions are becoming more frequent and more sophisticated (Cuomo, 2014; Ryan, 2014). Overall, there are several cyber security concerns with regard to mobile banking. Security on mobile banking is complicated because of the variety of mobile devices and platforms (He, 2012; Lee et al., 2013). The security and privacy of sensitive financial data is one of the main concerns in acceptance of mobile banking applications (Elkhodr et al., 2012). The limited privacy protection experience and fewer resources of independent developers decrease the effectiveness of cyber security protection on mobile applications (Balebako & Cranor, 2014). The weak and rigid authentication provided by signature, PIN, password and Card Security Code (CSC) in mobile banking has numerous flaws and loop-holes (Edge & Sampaio, 2009).

To prevent cyber fraud, and facilitate a safe and robust mobile banking system, many cyber security experts have provided pertinent frameworks and methods for mobile banking security solutions. Edge and Sampaio (2009) provided a comprehensive survey of existing research in account signatures, an innovative account profiling technology that can improve fraud detection mechanisms. Fatima (2011) posited biometric based authentication and identification systems as new solutions to address the issues of security and privacy, which impose restrictions to prevent individuals from accessing certain physical spaces and electronic services. Elkhodr et al. (2012) proposed the Transport Layer Security (TLS) protocol combined with a proposed trust negotiation method, which authenticates the client, the mobile device used in accessing the bank account information, and the server. Ryan (2014), as a practitioner from the Conference of State Bank Supervisors, suggested a four-step mobile banking risk assessment method, including classification of information, identifying threats and vulnerabilities, measuring risk and communicating risk. On the other hand, Pousttchi and Schurig (2004) suggested the security requirements for mobile banking: data needs to be encrypted, access to the data must be authorized and the authorization has to be simple. Ease of use is a key factor for consumer acceptance of mobile banking services (Jeong & Yoon, 2013).

Methodology

The authors employed a relatively new research method called blog mining to find blogs that discuss security of mobile banking applications. This method has been shown to be very useful in information and internet research (Rubin et al., 2011). An analysis of active blogs can add currency and relevancy to research studies (Chau & Xu, 2012; He & Zha, 2014). As mobile banking is a young and fast-moving area, many relevant discussions were posted by technology consultants and security experts on blogs. Thus, those blogs are a very useful data source for learning about concerns associated with mobile banking. A limitation of blog mining is that the information on blogs is not peer reviewed as journal publications are and often represents personal opinions and attitudes. One way to mitigate this limitation is to combine blog mining with an extensive literature search for a more comprehensive understanding of the topics under investigation.

Specifically, we used the Google blog search engine (http://www.google.com/blogsearch) to search for blogs using keywords including “mobile banking security” and “mobile apps vulnerability”. Google Blog Search is specially designed to retrieve content from blogs that are freely and publicly available on the Internet. As a result, over 200,000 results were found, mostly from 2012-2015, in 0.49 seconds. We selected the top 100 records as the data set. These top 100 blog posts were saved as text files on the hard drive for text mining and analysis. A well-known text analytics tool named NVivo 10 was used for text mining and analytics. We mainly used the NVivo 10 software to conduct various query searches and cluster analysis in order to find interesting patterns, connections, and key themes.

Blog Mining Results

After reviewing the generated concept themes and clusters, the authors merged some sub-clusters manually. Finally, three major clusters associated with the blog discussion about security of mobile banking apps were identified. The emergent clusters and main concept terms in the text are summarized in Table 1. A word cloud can be seen in Figure 1.

Table 1. Main Blog Themes on Mobile Banking App Security

Concept clusters | Main content
Mobile Banking App Threats & Vulnerabilities | Mobile malware (Trojans, root kits and viruses), phishing, third-party apps, unsecured Wi-Fi networks, risky consumer behavior.
Countermeasures & best practices | Anti-virus app, encryption, two-factor authentication, security image, SiteKey, one-time password, app update, layered security control
Emerging security trends | Biometric-powered bank applications, big data for fraud detection, mobile security SDK, intelligent behavioral monitoring and analysis

Figure 1. A word cloud about mobile banking app security

Furthermore, we manually examined the blog posts that have the most appearances of the keywords to better understand their discussions and contexts. As we were particularly interested in the main threats, attacks and vulnerabilities related to mobile banking applications, we present a synthesis of the main threats, attacks and vulnerabilities below based on what we found from the blog mining.

Mobile Banking App Threats

We identified a variety of mobile banking app threats from the blog mining results. They are listed below:

- Mobile malware. Mobile malware mainly includes Trojans, root kits and viruses. Some common malware affecting mobile bank apps include Zitmo, Banker, Perkel/Hesperbot, Wrob, Bankum, ZertSecurity, DroidDream and keyloggers. Much mobile malware consists of variants of existing malware that affect computers and traditional online banking (Webroot, 2014; Shih et al., 2008). Cyber criminals have been refining this malware to target mobile devices for access to bank accounts and to make it more resilient to security defenses. Below are some common malware that affect mobile banking apps.
- Threats from third party applications. Third party applications on mobile devices could secretly tamper with an existing banking app that is already on the mobile device and steal account information. Users are advised to download apps or app updates only from official sources or trusted app stores.
- Phishing: fraud apps / fake app updates. There are many fake banking applications that claim to be official on third party app marketplaces. Cybercriminals also often offer a downloadable update for the banking apps on third party app websites. These fake apps or fake app updates contain malicious code to steal users’ bank account information (Huang, 2015).
- Unencrypted Wi-Fi networks. Public Wi-Fi networks in coffee shops, libraries, airports, hotels, and other public places are often not secure. When mobile banking app users use unsecure wireless networks to check account balances, deposit checks and pay bills, cybercriminals can eavesdrop and steal their sensitive information (Legnitto, 2013).
- Vulnerability of mobile banking apps. For example, many banking apps lack protection against reverse engineering of code (whiteCryption, 2014). Cybercriminals can analyze the source code to steal account information and other sensitive information.

Protection Strategy and Best Practices

A number of security mechanisms such as second factor authentication, data encryption, site key with security questions and images, registered mobile device authentication, and anti-virus apps can be adopted to enhance the security of mobile banking applications (Cognizant, 2013; Constantin, 2014; Lee et al., 2013; Chandramohan & Tan, 2012; La Polla et al., 2013; White, 2013). We list some protection strategies/best practices for users and developers of mobile banking apps respectively below.

Protection strategy and best practices for users

Table 2. Protection strategy and best practices for users (cited from Cognizant, 2013; Constantin, 2014; White, 2013)

Strategy | Rationale | Best Practices
Do not use mobile banking app on jailbroken smartphone | Many people jailbreak their smart phones in order to get additional benefits. However, jailbreaking smart phones brings vulnerabilities to the operating system. | To protect the smartphone from various security threats, users need to avoid jailbreaking or rooting their phone.
Do not install mobile banking app from third parties | Many people try to install applications from third parties, because they are free there. However, many free apps from third parties contain viruses. | Install mobile banking apps only from the official bank website.
Use mobile anti-virus apps | Mobile anti-virus apps will provide partial protection from malware to help mitigate risks. | Install antivirus products recommended by leading organizations such as PC Magazine, which has been testing those antivirus products annually.
Use secured Wi-Fi network when using the mobile banking app | Unsecured or unencrypted Wi-Fi networks may leave sensitive data exposed to hackers. | Do not connect to a public Wi-Fi network when you use the mobile banking app.
Update mobile banking app | Banks regularly update their apps to fix bugs and vulnerabilities. | Update the mobile banking app when a new version is released.
Update mobile OS | The mobile OS should be updated in a timely manner because hackers may leverage vulnerabilities of the OS to attack the mobile banking app. | Update the mobile OS as soon as possible after the update becomes available.
SiteKey with security images and questions | They are mainly used as part of the login process to help users identify and deter phishing. | Adding an additional layer of identity verification makes phishing harder.
One-time password | A token is generated and sent to users by SMS message after the user account has been verified. Then the user enters the received token in the appropriate field to access the mobile banking services. | It provides second-factor authentication which adds additional security for identity verification when banking app users log in or perform certain transactions.

Protection strategy and best practices for developers of mobile banking apps

Table 3. Protection strategy and best practices for developers of mobile banking apps (cited from Cognizant, 2013; Constantin, 2014; White, 2013)

Title | Description | Protection strategy/best practices
Secure transfer protocols | Make sure all connections and communications are secure. | Ensuring all connections are made using secure transfer protocols.
Root Certificate Check | Securing the communications between the client-side app and the backend server. The bank app needs to check the SSL certificate to see if it is signed by the respective authority. | Enforcing SSL certificate validation.
Encrypt sensitive data | Protecting the confidentiality of data. | Encrypting sensitive data stored by the application by using the data protection API.
Jail-Break/Rooted Device Check | To lower security risks, bank apps must check whether the device is rooted or jail-broken. | Improving jailbreaking detection.
Anti-debugging Mechanism | The application must prevent debuggers from attaching to it to avoid the leak of sensitive data. | Obfuscating the assembly code and using anti-debugging techniques to make reverse-engineering more difficult.
Debugging statement removal | Do not leave any debugging statements and development information to the hackers. | Removing debugging statements and development information from the final products.
Security Logging | Log all security events related to the banking application and then send them to the back-end server for further checking and analysis. | Store all security events on the device first. When users log out of the application, the security events are sent to the server.
Blacklisting Older Versions of the App | Older versions of bank apps often have more security bugs and vulnerabilities. | Checking the version of the app on the server side. If the version is old, block it and remind the user to update the app from the official bank website to avoid a security breach.

Emerging Security Trends

Some security experts and vendors propose new ways to mitigate security risks associated with mobile banking apps. Below are some emerging trends we found from the blog mining results.

- Integrating biometrics into mobile banking apps to enhance user authentication. Biometric authentication such as fingerprint scanning and voice recognition offers a promising way for identity and access management (Fatima, 2011). As personal biometrics also have vulnerabilities, it is better to combine personal biometrics with other authentication such as a one-time password (OTP) and SiteKey for stronger personal identification and verification.
- Integrating intelligent behavioral monitoring and analysis technology with mobile banking apps. Webroot (2014) recently developed a mobile security SDK which is designed to embed security within a mobile banking app, run in the background and deliver real-time threat intelligence to the bank for further data analysis and action. By employing a behavioral monitoring and analysis approach, banks can detect abnormal behavior more accurately and early. Specifically, behavior analysis can detect the behavior of the person who is using the mobile app and compare it with previous behavior or usage patterns. If abnormal behavior is identified, alert messages will be sent out.
- Deployment of advanced big data analytics technology for fraud detection and behavioral analysis. Accurate and efficient behavioral analysis requires banks to deploy advanced big data analytics to mine enormous volumes of security data to better identify trends of malicious behavior or abnormal behaviors indicative of an attack at the outset (Khosla, 2015).

Conclusion and Future Research

Mobile banking offers a lot of benefits to both banks and consumers. However, security is a significant barrier to the wide adoption of mobile banking applications (To & Lai, 2014). As there are many security risks with the use of mobile banking applications, it is critical for both banks and consumers to be aware of these risks and take steps to mitigate them. Currently, there is a lack of systematic discussion in the literature about the security risks of mobile banking. In this paper, we identified some key security risks, protection strategies/best practices and future security trends associated with mobile banking through mining relevant blog posts.

As for future research, we plan to use workflow technology to simulate mobile banking security risks, such as how to simulate an attack on mobile check deposit, so that we can better increase the security awareness of mobile banking app developers and users. We are also interested in studying the use of biometric mechanisms in mobile banking applications and the balance between security and usability for mobile banking applications.

Acknowledgment

This work was supported in part by the U.S. National Science Foundation under Grants SES-1318470 and SES-1318501.

References

Balebako, R., & Cranor, L. (2014). Improving App Privacy: Nudging App Developers to Protect User Privacy. Security & Privacy, IEEE, 12(4), 55-58.

Chandramohan, M., & Tan, H. B. K. (2012). Detection of mobile malware in the wild. Computer, (9), 65-71.

Chau, M., & Xu, J. (2012). Business intelligence in blogs: Understanding consumer interactions and communities. MIS Quarterly, 36(4), 1189-1216.

Claessens, J., Dem, V., De Cock, D., Preneel, B., & Vandewalle, J. (2002). On the security of today’s online electronic banking systems. Computers & Security, 21(3), 253-265.

Cognizant (2014). Mobile Banking Security: Challenges, Solutions. Retrieved on Feb 22, 2015 at http://www.cognizant.com/InsightsWhitepapers/Mobile-Banking-Security-Challenges-Solutions-codex898.pdf

Constantin, L. (2014). Security analysis of mobile banking apps reveals significant weaknesses. Retrieved on Feb 21, 2015 at http://www.pcworld.com/article/2086320/security-analysis-of-mobile-banking-apps-reveals-significant-weaknesses.html

Cuomo, A. M. (2014). Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. Retrieved on Feb 22, 2015 at http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf

Edge, M. E., & Sampaio, P. R. F. (2009). A survey of signature based methods for financial fraud detection. Computers & Security, 28(6), 381-394.

Elkhodr, M., Shahrestani, S., & Kourouche, K. (2012). A proposal to improve the security of mobile banking applications. In ICT and Knowledge Engineering (ICT & Knowledge Engineering), 2012 10th International Conference on (pp. 260-265). IEEE.

Fatima, A. (2011). E-banking security issues – Is there a solution in biometrics. Journal of Internet Banking and Commerce, 16(2): 2011-08.

He, W. (2012). A Review of Social Media Security Risks and Mitigation Techniques. Journal of Systems and Information Technology, 14(2), 171-180.

He, W. (2013). A Survey of Security Risks of Mobile Social Media through Blog Mining and an Extensive Literature Search. Information Management and Computer Security, 21(5), 381-400.

He, W., & Zha, S. H. (2014). Insights into the Adoption of Social Media Mashups. Internet Research, 24(2), 160-180.

Heggestuen, J. (2014). The Future Of Mobile And Online Banking: 2014. Retrieved on Feb 02, 2015 at http://www.businessinsider.com/the-future-of-mobile-and-online-banking-2014-slide-deck-2014-10?op=1

Huang, S. (2015). The South Korean Fake Banking App Scam. Retrieved on Feb 02, 2015 at http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-south-korean-fake-banking-app-scam.pdf

Jeong, B. K., & Yoon, T. E. (2013). An Empirical Investigation on Consumer Acceptance of Mobile Banking Services. Business and Management Research, 2(1), 31-40.

Khosla, V. (2015). Behavioral Analysis Could Have Prevented The Anthem Breach. Retrieved on Feb 22, 2015 at http://www.forbes.com/sites/frontline/2015/02/24/behavioral-analysis-could-have-prevented-the-anthem-breach/

La Polla, M., Martinelli, F., & Sgandurra, D. (2013). A survey on security for mobile devices. Communications Surveys & Tutorials, IEEE, 15(1), 446-471.

Lee, H., Zhang, Y., & Chen, K. L. (2013). An Investigation of Features and Security in Mobile Banking Strategy. Journal of International Technology and Information Management, 22(4), Article 2.

Legnitto, J. (2013). Mobile Banking On Unsecure Wireless Networks Is Risky Business. Retrieved on Feb 22, 2015 at http://www.privatewifi.com/title-mobile-banking-on-unsecure-wireless-networks-is-risky-business/

Lin, H. (2011). An empirical investigation of mobile banking adoption: The effect of innovation attributes and knowledge-based trust. International Journal of Information Management, 31(3): 252-260.

Mallat, N., Rossi, M., & Tuunainen, V. K. (2004). Mobile banking services. Communications of the ACM, 47(5), 42-46.

Nie, J., & Hu, X. (2008). Mobile banking information security and protection methods. In Computer Science and Software Engineering, 2008 International Conference on (Vol. 3, pp. 587-590). IEEE.

Panja, B., Fattaleh, D., Mercado, M., Robinson, A., & Meharia, P. (2013). Cybersecurity in banking and financial sector: Security analysis of a mobile banking application. In Collaboration Technologies and Systems (CTS), 2013 International Conference on (pp. 397-403). IEEE.

Pousttchi, K., & Schurig, M. (2004). Assessment of today’s mobile banking applications from the view of customer requirements. In System Sciences, 2004. Proceedings of the 37th Annual Hawaii International Conference on (pp. 10-pp). IEEE.

Rubin, V. L., Burkell, J., & Quan-Haase, A. (2011). Facets of serendipity in everyday chance encounters: a grounded theory approach to blog analysis. Information Research, 16(3).

Ryan, W. J. (2014). A Resource Guide for Bank Executives: Executive Leadership of Cybersecurity. Conference of State Bank Supervisors. Retrieved on Feb 22, 2015 at http://www.csbs.org/CyberSecurity/Documents/CSBS%20Cybersecurity%20101%20Resource%20Guide%20FINAL.pdf

Seo, S. H., Gupta, A., Sallam, A. M., Bertino, E., & Yim, K. (2014). Detecting mobile malware threats to homeland security through static analysis. Journal of Network and Computer Applications, 38, 43-53.

Shih, D. H., Lin, B., Chiang, H. S., & Shih, M. H. (2008). Security aspects of mobile phone virus: a critical survey. Industrial Management & Data Systems, 108(4), 478-494.

Singh, S., Srivastava, V., & Srivastava, R. K. (2010). Customer acceptance of mobile banking: A conceptual framework. SIES Journal of Management, 7(1), 55-64.

To, W. M., & Lai, L. S. (2014). Mobile Banking and Payment in China. IT Professional, 16(3), 22-27.

Webroot (2014). The risks & rewards of mobile banking apps. Retrieved on Feb 22, 2015 at http://www.brightcloud.com/pdf/RisksRewardsofMobileBankingAppsWhitepaper_20140619115948_311111.pdf

whiteCryption (2014). whiteCryption Introduces New Level of Security for Mobile Payment Applications. Retrieved on Feb 22, 2015 at http://www.prweb.com/releases/2014/01/prweb11531529.htm

White, A. (2013). Six Main Rules Of Safe Mobile Banking. Where, When And How? Retrieved on Feb 22, 2015 at http://blog.jammer-store.com/2013/05/six-main-rules-of-safe-mobile-banking-where-when-and-how/
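Two of the developer practices in Table 3, "Blacklisting Older Versions of the App" and "Security Logging", are server-side checks that can be shown concretely. The following is an added worked example written for this review, not code from the paper or from any bank; the version policy, the update URL, the event names and the sample batch are all constructed assumptions.

```python
"""Server-side handling of two Table 3 practices: refusing old or withdrawn
app builds, and accepting the security-event batch the app uploads at logout.
Added example; policy values and sample data below are constructed."""
from dataclasses import dataclass, field
import json
import re

# Constructed policy (assumptions, not from the paper or any real bank).
MIN_SUPPORTED_VERSION = "2.4.0"   # oldest build the server still accepts
BLOCKED_VERSIONS = {"2.5.1"}      # specific builds withdrawn for a known defect
OFFICIAL_UPDATE_URL = "https://bank.example/mobile-app"   # placeholder

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so that 2.10.0 > 2.9.0.
    A plain string comparison gets this wrong ('2.10.0' < '2.9.0')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("malformed app version: %r" % text)
    return tuple(int(p) for p in m.groups())

def check_app_version(reported):
    """Return (allowed, reason). A client that cannot state a well-formed
    version is rejected rather than waved through."""
    try:
        v = parse_version(reported)
    except ValueError:
        return False, "unparseable version; update from " + OFFICIAL_UPDATE_URL
    if reported.strip() in BLOCKED_VERSIONS:
        return False, "withdrawn build; update from " + OFFICIAL_UPDATE_URL
    if v < parse_version(MIN_SUPPORTED_VERSION):
        return False, "app too old; update from " + OFFICIAL_UPDATE_URL
    return True, "ok"

# Security logging: the device stores events locally and uploads them at logout.
REQUIRED_FIELDS = ("ts", "event", "device_id")
# Constructed event names that merit analyst review when a client reports them.
SUSPICIOUS_EVENTS = {"root_detected", "debugger_attached", "cert_validation_failed"}

@dataclass
class LogIntakeResult:
    accepted: int = 0
    rejected: int = 0
    alerts: list = field(default_factory=list)

def ingest_event_batch(user_id, batch_json, max_events=1000):
    """Validate a logout-time batch and flag events that need review.
    Oversized batches are truncated so a hostile client cannot flood storage."""
    try:
        events = json.loads(batch_json)
    except json.JSONDecodeError:
        return LogIntakeResult(rejected=1)
    if not isinstance(events, list):
        return LogIntakeResult(rejected=1)
    result = LogIntakeResult()
    for ev in events[:max_events]:
        if not isinstance(ev, dict) or any(k not in ev for k in REQUIRED_FIELDS):
            result.rejected += 1      # malformed entry: count it, do not crash
            continue
        result.accepted += 1
        if ev["event"] in SUSPICIOUS_EVENTS:
            result.alerts.append((user_id, ev["device_id"], ev["event"]))
    return result

# Constructed sample batch as one device might upload it at logout.
SAMPLE_BATCH = json.dumps([
    {"ts": "2015-02-22T10:00:00Z", "event": "login_ok", "device_id": "dev-A"},
    {"ts": "2015-02-22T10:00:05Z", "event": "root_detected", "device_id": "dev-A"},
    {"ts": "2015-02-22T10:04:00Z", "event": "logout", "device_id": "dev-A"},
    {"event": "missing_fields"},
])

if __name__ == "__main__":
    for v in ("2.10.0", "2.3.9", "2.5.1", "latest"):
        print(v, check_app_version(v))
    print(ingest_event_batch("user-1", SAMPLE_BATCH))
```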
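The behavioral monitoring trend under Emerging Security Trends (compare a session with the user's previous usage patterns, alert when it deviates) can be illustrated with a small baseline-and-scoring routine. This is an added example, not code from the paper, Webroot's SDK or any bank; the scoring weights, threshold and the session history are constructed assumptions.

```python
"""Behavioral monitoring: build a per-user baseline from past sessions and
score a new session against it. Added illustration; weights, threshold and
all data are constructed, not taken from the paper or any vendor."""
from collections import Counter
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Session:
    device_id: str
    hour: int              # local hour of day, 0-23
    country: str           # constructed two-letter label
    transfer_amount: float # 0.0 when the session moved no money

@dataclass
class Baseline:
    devices: set
    countries: set
    usual_hours: set
    typical_transfer: float

def build_baseline(history):
    """Summarise past sessions. An hour counts as 'usual' only when it covers
    at least 10% of past sessions, so one odd login does not widen the profile."""
    hours = Counter(s.hour for s in history)
    threshold = max(1, len(history) // 10)
    amounts = [s.transfer_amount for s in history if s.transfer_amount > 0]
    return Baseline(
        devices={s.device_id for s in history},
        countries={s.country for s in history},
        usual_hours={h for h, n in hours.items() if n >= threshold},
        typical_transfer=median(amounts) if amounts else 0.0,
    )

def score_session(baseline, session):
    """Return (score, reasons). Each deviation adds weight; a transfer far above
    the user's typical amount weighs most."""
    score, reasons = 0, []
    if session.device_id not in baseline.devices:
        score += 2
        reasons.append("new device")
    if session.country not in baseline.countries:
        score += 2
        reasons.append("new country")
    if session.hour not in baseline.usual_hours:
        score += 1
        reasons.append("unusual hour")
    if baseline.typical_transfer and session.transfer_amount > 5 * baseline.typical_transfer:
        score += 3
        reasons.append("transfer far above typical amount")
    return score, reasons

ALERT_THRESHOLD = 4   # constructed cut-off for sending an alert message

def evaluate(history, session):
    """Return (alert, score, reasons) for one new session."""
    score, reasons = score_session(build_baseline(history), session)
    return score >= ALERT_THRESHOLD, score, reasons

# Constructed history: one user, one phone, daytime sessions from one country.
HISTORY = [Session("phone-1", h, "AA", amt)
           for h, amt in [(8, 0.0), (9, 120.0), (12, 0.0), (13, 80.0), (18, 0.0),
                          (19, 150.0), (9, 0.0), (12, 100.0), (18, 0.0), (8, 0.0)]]

if __name__ == "__main__":
    print(evaluate(HISTORY, Session("phone-1", 9, "AA", 90.0)))     # routine
    print(evaluate(HISTORY, Session("phone-9", 3, "ZZ", 2000.0)))   # alert
```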