OBIE’s Michael: Banks at fault for app security failures, not regulation

Faults in mobile banking applications are the result of technology problems on the banks’ side and not of flaws in the new regulations, says Chris Michael, interim head of technology at the Open Banking Implementation Entity (OBIE), who adds that a shortage of knowledgeable security vendors is exacerbating the issue.

“There are a lot of very smart people who make a lot of very good points about Open Banking and technology in general, but often they add two and two and get five,” says Michael. “A lot of the flaws in mobile banking applications are nothing to do with Open Banking, they are inherent flaws that exist not just in banking but across multiple sectors.

“API security is a big issue, and it’s still relatively new, certainly for the banks. Many banks now have APIs underneath their mobile apps and keeping APIs secure is a hot issue. There are emerging technologies from vendors both big and small that can provide really good monitoring and protection against threats, but the fact that there are threats does not mean that open APIs are a bad thing.”

Security firm Arxan conducted a study with Aite Group in April, investigating 30 mobile applications from major banks in the UK, Europe and the US. The research found that nearly all of the apps could easily be reverse engineered.

90% of the apps allowed services to be shared with other applications, meaning data from a banking app could potentially be accessed by a malicious app installed on the same device. 97% of the apps tested lacked binary code protection, which makes it possible for the app to be decompiled back to source and potentially tampered with by cybercriminals.
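The first finding corresponds to Android components (activities, services, receivers, content providers) that are reachable from other apps on the device. The script below is an added example, not code from the Arxan/Aite study or from OBIE: it audits a constructed AndroidManifest.xml (a hypothetical `com.example.bank` app, not any real bank's manifest) using only the Python standard library and flags components that are exported without an `android:permission`, plus a debuggable or backup-enabled application element. It applies the platform's legacy defaults (a component with an intent filter is implicitly exported; providers default to exported only below targetSdk 17) and treats the launcher activity as an expected export.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for a hypothetical app; not taken from any real
# banking app or from the study discussed in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TokenService">
      <intent-filter>
        <action android:name="com.example.bank.GET_TOKEN"/>
      </intent-filter>
    </service>
    <provider android:name=".AccountProvider"
        android:authorities="com.example.bank.accounts"
        android:exported="true"/>
    <receiver android:name=".PushReceiver" android:exported="true"
        android:permission="com.google.android.c2dm.permission.SEND"/>
    <activity android:name=".TransferActivity" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(comp, tag, target_sdk):
    """Resolve whether a component is reachable by other apps.

    An explicit android:exported wins. Otherwise a component with an
    intent-filter is implicitly exported (the pre-targetSdk-31 default),
    and a provider with no intent-filter defaults to exported only when
    the app targets SDK < 17.
    """
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """True for the app's own launcher activity, which is expected to be exported."""
    return any(
        attr(cat, "name") == "android.intent.category.LAUNCHER"
        for cat in comp.iter("category")
    )


def audit_manifest(xml_text):
    """Return a list of (element, name, issue) tuples for risky settings."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    findings = []

    if attr(app, "debuggable") == "true":
        findings.append(("application", "debuggable", "android:debuggable=true allows a debugger to attach"))
    if attr(app, "allowBackup") != "false":
        findings.append(("application", "allowBackup", "app data can be pulled via adb backup"))

    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = attr(comp, "name")
            if not is_exported(comp, tag, target_sdk) or is_launcher(comp):
                continue
            if attr(comp, "permission") is None:
                findings.append((tag, name, "exported to other apps without android:permission"))
    return findings


if __name__ == "__main__":
    for element, name, issue in audit_manifest(SAMPLE_MANIFEST):
        print(f"{element} {name}: {issue}")
```

On the sample this flags the application element twice, the `.TokenService` (implicitly exported through its intent filter) and the `.AccountProvider`, while `.PushReceiver` passes because it is gated by a permission and `.TransferActivity` because it is explicitly not exported. To run it on a real APK, decode the binary manifest first (for example with apktool) and pass the resulting XML text to `audit_manifest`.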

“The fact that smart developers can reverse engineer a mobile app in itself isn’t the problem,” says Michael. “It’s where you’ve got two or three mistakes that have been made by, say, a bank in their banking app, where they might make it easy to get hold of private keys.

“It’s a bit like saying, ‘Someone made a really bad car, so all cars are bad and dangerous,’” adds Michael. “Open Banking has been, and continues to be, a really difficult journey for banks because many are not predominantly technology companies. They rely on partners and vendors to build their technology, in most cases. You could argue that, despite many vendors offering services in this space, there is a shortage of good vendors who really know their stuff.”

November 2018 research on API security by Ping Identity found that 35% of firms manage between 400 and 1,000 APIs across their technology ecosystems. 45% of respondents said they were not confident in their security systems’ ability to detect whether a bad actor was accessing their APIs, and a third reported that they would be unable to tell whether they had experienced a breach at all.

“It’s very easy to get someone to build your mobile app, it’s very difficult to get someone to build a very good mobile app with great user experience and robust security,” says Michael. “The same applies to APIs. What [OBIE has] focused on is creating standards and an ecosystem designed to protect against these threats. It doesn’t remove them, but they are there regardless of open APIs existing. These are inherent, endemic threats in any technology system.”

For Michael, the regulations are there, and they are unlikely to change in the short term, but that doesn’t mean they are infallible. “There are a number of issues in the regulations, which are proving very challenging for everyone. Yet I don’t see any evidence that the regulation is going to change or the frames are going to move, although that doesn’t mean they won’t. It’s quite clear that these timings are challenging. So, it’s up to each individual bank to make their own decision. Do they take longer and miss a deadline, or do they try to cut the corner to get something done?

“Almost all banks I’m aware of want APIs and they want to build good APIs. They want to build things that are a point of difference, not just something designed for regulatory box-ticking. The thing that they need to do is invest in the right core technology stack and have partners and vendors who can implement it. Yes, it’s going to be very challenging for banks, but the technology is out there.”