Many digital companies describe their platforms as being protected by ‘bank-grade security’. In this article, we will examine what is meant by this term and whether or not you should be comforted by it.
The question of data security looms large in the minds of internet users, driven by the many high-profile data breaches and fraud attacks which have taken place over the past several years and continue to take place today. How can consumers, who are obviously not security experts, compare and contrast the security arrangements of the digital services they are considering using?
One way they might assess a digital service is to look at the service’s website and see what it says about security. What they will often find is that the company is relying on ‘bank-grade’ or ‘financial-grade’ security to protect its users’ data and transactions. These two terms are equivalent, so for simplicity we will refer in this article only to ‘bank-grade security’.
Why do we see so many instances of ‘bank-grade security’ cited on websites? Well, the implication here is that if something is good enough for financial organizations, it should also be good enough for other companies working in any sectors where privacy matters - in other words all sectors!
But is this true, or is it just hot air? Below, we examine the concept of bank-grade security and interrogate if it is good enough in a world where cyber criminals always seem to be a step ahead of law enforcement.
So, what exactly does the term ‘bank-grade security’ refer to? The uncomfortable truth is that your guess is as good as ours! It really isn’t a term which has been defined by anyone and is simply designed to indicate that there is nothing to worry about, as illustrated in this article.
We can, and we will, guess at what ‘bank-grade security’ might mean but it’s important to recognise up front that it is entirely open to interpretation by the organizations offering it. That’s not to say that there aren’t security requirements and guidelines in financial and other regulated markets, because there are.
Companies operating in the financial sector are obligated to adhere to regulations to be compliant and interoperable, particularly relating to the use of APIs. These include:
Ironically, given the number of US companies who soothe their customers through advertising the use of ‘bank-grade security’, there is limited if any open banking regulation in the US.
Another essential and related legal requirement is protecting user data, which comes in various forms across the world and has more geographical coverage. Some examples of privacy laws relevant to the context of this article include:
Of course, good security hygiene is a lot more than just meeting the requirements of the relevant standards and regulations; it should imply the application of best practice security solutions in a coherent configuration to protect against the threats of today and of tomorrow.
A reasonable interpretation of what it means to have bank-grade security is to imply that communication traffic is encrypted (TLS/SSL) and that user authentication has been implemented (strong customer authentication, or SCA, in the context of OpenBanking/PSD2).
End-to-end protection of sensitive information via Transport Layer Security (TLS) means encrypting all traffic between servers, web pages, mobile apps and IoT devices to prevent interception by cyber criminals or other third parties who may try to intercept and/or modify data and instructions in transit. This attack vector is also known as Man-in-the-Middle (MitM), and the important thing to recognise is that just encrypting your traffic is not enough to prevent MitM from occurring; effective certificate pinning must also be implemented, as covered in the Making MitM Attacks A Thing Of The Past webinar.
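To make the pinning point concrete, here is an added example (not code from the article, the webinar or Approov's SDK) of what a pinning check does on the client side: it takes the leaf certificate the server presented, extracts its SubjectPublicKeyInfo (SPKI), hashes it, and compares the result against a fixed set of pins in the widely used "sha256/base64" format. A certificate that the device's trust store would happily accept, for instance one minted by a CA that an interception proxy installed, still fails unless its key is pinned. The certificate used in the test fixture is a constructed DER structure with the X.509 field layout, not a real certificate, and `pinned_connect` is a hypothetical helper that layers the pin check on top of Python's normal chain and hostname validation.

```python
"""Certificate pinning check (added example, not Approov's code or the page's).

A pin is the base64 SHA-256 of the server's SubjectPublicKeyInfo, the format
used by HPKP and OkHttp ("sha256/..."). The client compares the presented
leaf certificate against a fixed set of pins, so a certificate the OS trust
store would accept is still rejected unless its public key is pinned.
"""
import base64
import hashlib
import socket
import ssl


def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV starting at pos; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def children(seq_value: bytes):
    """Split a SEQUENCE body into (tag, raw_tlv_bytes, value) triples."""
    out, pos = [], 0
    while pos < len(seq_value):
        start = pos
        tag, value, pos = read_tlv(seq_value, pos)
        out.append((tag, seq_value[start:pos], value))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, _, tbs_body = children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("bad tbsCertificate")
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_raw, _ = fields[5]
    if spki_tag != 0x30:
        raise ValueError("bad subjectPublicKeyInfo")
    return spki_raw


def spki_pin(cert_der: bytes) -> str:
    """Compute the 'sha256/<base64>' pin of a certificate's public key."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def verify_pins(cert_der: bytes, pins: set) -> bool:
    """True only if the leaf certificate's public key matches a pinned value.
    An unparsable certificate never passes (fail closed)."""
    try:
        return spki_pin(cert_der) in pins
    except (ValueError, IndexError):
        return False


def pinned_connect(host: str, pins: set, port: int = 443) -> ssl.SSLSocket:
    """Hypothetical helper: open a TLS connection and refuse to send any
    application data unless the leaf certificate is pinned. The default
    chain and hostname validation still runs; pinning is an extra check."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not verify_pins(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return sock


# --- constructed fixture: a minimal DER structure with the X.509 field layout ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_EC_ALG = der(0x30, der(0x06, bytes.fromhex("2A8648CE3D0201")))    # id-ecPublicKey
FAKE_SPKI = der(0x30, _EC_ALG + der(0x03, b"\x00\x04" + b"\x11" * 64))  # dummy key bytes
_NAME = der(0x30, b"")                                              # empty Name
_VALIDITY = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
_SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2A8648CE3D040302")))  # ecdsa-with-SHA256
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SIG_ALG
          + _NAME + _VALIDITY + _NAME + FAKE_SPKI)
FAKE_CERT = der(0x30, _TBS + _SIG_ALG + der(0x03, b"\x00" + b"\x00" * 8))  # dummy signature
```

In a real deployment the pin set is shipped with the app (or fetched from a service that can rotate it), the check runs inside the TLS library's verification callback so nothing is sent before it passes, and at least one backup pin for the next key is included so a key rotation does not lock users out.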
User authentication also provides companies with a myriad of options, as discussed in this article on Building Your Gold Standard For Account Access. The important thing to understand with respect to user authentication is that verifying ‘who’ is making a transaction request is equally as important as verifying ‘what’ is making the request, i.e. is it a genuine mobile app instance or an unmodified IoT device, or is it a script/bot mimicking a genuine client device or app?
There are emerging standards in the financial sector such as the Financial Grade API (FAPI) standard which seems to be gaining some ground but is still based on user authentication principles. FAPI is a bank-to-bank interface aimed at helping financial institutions communicate securely with their trading partners.
The simple answer to that question is that it’s hard to say because we can’t nail down exactly what ‘bank-grade security’ is. Even though we can’t define it, based on the continued number of successful attacks on financial institutions, we are certainly entitled to conclude that, whatever it is, it isn’t sufficient. As long as there is money involved, criminals will continue coming up with new ways to exploit digital platforms.
As an example of another relevant attack vector, we recently put together a simple demo, based on a mythical bank called BankSafe, to show how easy it is to modify a mobile app to do something that the user didn’t expect or authorize. Since anyone can download a mobile app from the app store, criminals may be able to modify and re-package the app and if they can trick genuine users into installing it onto their devices, trouble will ensue as you can see in the BankSafe demo video.
In fact, banks and financial institutions experience cyberattacks regularly. According to the Carnegie Endowment for International Peace Timeline of Cyber Incidents Involving Financial Institutions, there were more than 70 hacking and data privacy incidents involving banks, financial services companies, and fintechs in 2020. The companies were spread out across five continents, and all the affected firms used bank-grade security. The hacking techniques used included MitM, encryption bypassing, token skimming (using malware installed on users' devices), credential stuffing, phishing, and social engineering.
(Image source: Carnegie Endowment)
Clearly, as stated above, bank-grade security is not enough. Users should not get comfortable with the companies handling their sensitive data just because they claim to use bank-grade security. Companies must do more to explain in detail what they mean by bank-grade security in order to build trust with their users.
In today's world, where most people access online services via mobile phones, fintech companies - and other mobile-first companies working in sectors where data protection is a must - need to go a step further. One clear and obvious step they could take is to implement mobile app authentication and ensure that their APIs make use of certificate pinning.
Mobile App Authentication is a security measure that requires the mobile app to regularly attest its authenticity, via a process invisible to the user, whenever the user interacts with their bank or financial services company through their phone. This ensures that only genuine mobile app instances, running on safe devices, can execute transactions; scripts, bots and modified apps are blocked at the edge.
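The following added example (not Approov's product code or anything from the article) shows the shape of the ‘what is making the request’ check described here and in the earlier paragraph on verifying ‘what’ versus ‘who’. An attestation service that has already checked the app instance issues a short-lived HS256 token; the API edge accepts a request only if the token verifies under the shared secret, has not expired and names an allowed app, so a plain script without a token, a tampered token, or a token for an unknown package is refused before any business logic runs. The secret, the `Attestation` header name, the claim names and the app identifier are all constructed for illustration; a production scheme would typically use asymmetric signatures and a genuine integrity measurement of the app and device, which this simplified model stands in for.

```python
"""App attestation token check at the API edge (added example, not Approov's
product code or the page's). Secret, header and claim names, and app ids are
all constructed for illustration."""
import base64
import hashlib
import hmac
import json

ATTESTATION_SECRET = b"constructed-demo-secret-do-not-reuse"   # shared by attestation service and API
ALLOWED_APPS = {"com.example.banksafe"}                        # hypothetical genuine app id


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_attestation_token(app_id: str, now: int, ttl: int = 300) -> str:
    """Issued by the attestation service only after it has checked the app's integrity.
    Short TTL limits how long a captured token stays useful."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"app": app_id, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(ATTESTATION_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_attestation_token(token: str, now: int) -> tuple:
    """Return (ok, reason). Fails closed on anything malformed or forged."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":            # the verifier, not the token, fixes the algorithm
            return False, "unexpected alg"
        expected = hmac.new(ATTESTATION_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if claims.get("app") not in ALLOWED_APPS:
            return False, "unknown app"
        return True, "ok"
    except (ValueError, TypeError, KeyError, AttributeError):
        return False, "malformed"


def handle_request(headers: dict, now: int) -> dict:
    """API edge: decide on the attestation token before any business logic runs."""
    ok, reason = verify_attestation_token(headers.get("Attestation", ""), now)
    if not ok:
        return {"status": 401, "reason": reason}
    return {"status": 200, "reason": "served"}


if __name__ == "__main__":
    T0 = 1_700_000_000                                    # constructed clock value
    genuine = issue_attestation_token("com.example.banksafe", T0)
    print(handle_request({"Attestation": genuine}, T0 + 60))   # genuine app instance
    print(handle_request({}, T0 + 60))                          # script with no token
    print(handle_request({"Attestation": genuine}, T0 + 600))   # token outlived its TTL
```

Because the token is the only thing the edge inspects, the strength of the scheme rests on the attestation service's measurement being hard to satisfy from a modified app or an emulator, and on the secret (or private key) never being embedded in the app itself; the app only ever carries tokens, not the means to mint them.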
Certificate Pinning ensures that only devices with the correct digital certificates are allowed to use the financial institutions’ APIs, giving users greater peace of mind without putting undue stress on the companies’ DevOps processes.
It's important not just from a security perspective but also from a consumer trust perspective that fintech companies - and other companies working in sectors where data privacy is an issue - can articulate how they are protecting the data of users who use these apps every day.
Approov's mobile app authentication and certificate pinning solutions are helping many leading companies gain greater security, peace of mind, and consumer trust. Download the latest Approov white paper to learn more about mobile security, or fill in this form to have a free demo and discussion of how Approov's API Threat Protection can help with your use cases.