"Bank-grade security" is a term often used to describe a high level of security measures implemented in mobile applications to protect sensitive data, transactions, and user privacy. It implies that the app's security measures are at par with or comparable to the security standards employed by financial institutions, such as banks, which are known for their rigorous security practices. In this post, we will examine what is meant by this term and whether or not you should be comforted by it.
The question of data security looms large in the minds of internet users, driven by the many high-profile data breaches and fraud attacks which have taken place over the past several years. Capital One, for example, settled a data breach claim for $190 million last year. For consumers, who are obviously not security experts, how can they compare and contrast the security arrangements of the digital services they are considering using?
Why do we see so many instances of ‘bank-grade security’ cited on websites? The implication here is that if something is good enough for financial organizations, it should also be good enough for other companies working in other sectors where privacy matters - for example healthcare, mobility, gaming and retail. However, the term "bank-level security" can be subjective and may vary across different financial institutions and mobile apps.
Therefore, it's essential to research and understand the specific security measures implemented by each app or service to ensure the appropriate level of security for your needs. Below, we examine the concept of bank-grade security and interrogate if it is good enough in a world where cyber criminals always seem to be a step ahead of law enforcement.
Deconstructing Bank-Grade Security
So, what exactly does the term ‘bank-grade security’ refer to? The uncomfortable truth is that your guess is as good as ours! It really isn’t an industry-standard term which has been rigorously defined by anyone and is simply designed to indicate that there is nothing to worry about, as illustrated in this article.
We can, and we will, guess at what ‘bank-grade security’ might mean, but it’s important to recognise up front that it is entirely open to interpretation by the organizations offering it. That’s not to say that there aren’t security requirements and guidelines in financial and other regulated markets. Bank-grade security practices can sometimes align with industry standards and regulations specific to the banking and financial sector, such as Payment Card Industry Data Security Standard (PCI DSS).
Companies operating in the financial sector are obliged to adhere to regulations in order to be compliant and interoperable, particularly in relation to the APIs they expose to third parties. These include:
- The revised Payment Services Directive (PSD2) in the EU
- The Open Banking standards in the UK, developed and overseen by the Open Banking Implementation Entity (OBIE)
Ironically, given the number of US companies who soothe their customers through advertising the use of ‘bank-grade security’, there is limited if any open banking regulation in the US.
Another essential and related legal requirement is the protection of user data, which is legislated in various forms around the world and has broader geographical coverage than open banking regulation. Some examples of privacy laws relevant to the context of this article include:
Of course, good security hygiene is a lot more than just meeting the requirements of the relevant standards and regulations; it should imply the application of best practice security solutions in a coherent configuration to protect against the threats of today and of tomorrow.
What Might ‘Bank-Grade Security’ Criteria Be?
A reasonable interpretation of what it means to have bank-grade security is that communication traffic is encrypted (TLS, which has long since superseded SSL) and that user authentication has been implemented (strong customer authentication, or SCA, in the context of Open Banking/PSD2).
Protecting sensitive information in transit via Transport Layer Security (TLS) means encrypting all traffic between servers, web pages, mobile apps and IoT devices to prevent interception by cyber criminals or other third parties who may try to read and/or modify data and instructions in transit. This attack vector is known as a Man-in-the-Middle (MitM), and the important thing to recognize is that encrypting your traffic is not, on its own, enough to prevent one: a standard TLS client trusts any certificate that chains to a root in the device's trust store, so a user-installed root, a compromised or mis-issued CA certificate, or an interception proxy can present a certificate the device will happily accept. Effective certificate pinning, which restricts the app to the specific keys it expects from its own servers, must also be implemented, as covered in the Making MitM Attacks A Thing Of The Past webinar.
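The following is an added example, written for this post and not code from the webinar or from Approov, of what "effective pinning" amounts to in a TLS client. It pins the SHA-256 hash of the server's SubjectPublicKeyInfo (the "sha256/…" form used by HPKP, OkHttp and the Android network security configuration) and installs the check as Go's VerifyPeerCertificate hook, which runs after, not instead of, normal chain validation. The loopback server, its self-signed certificate and the JSON body are constructed for the demo; the second, mismatching pin is the SHA-256 of the empty string and stands in for "some key that is not ours".

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns "sha256/<base64>" over the certificate's SubjectPublicKeyInfo.
// Pinning the public key rather than the whole certificate means a routine
// re-issue for the same key does not break the app.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier builds a tls.Config.VerifyPeerCertificate callback. Go invokes it
// only after ordinary chain validation has succeeded, so the pin is an extra
// constraint on top of CA trust. It walks the *verified* chains, not the raw
// certificates the server sent, so an interceptor cannot satisfy the pin by
// appending the genuine leaf to a forged chain.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, cert := range chain {
				if pins[spkiPin(cert)] {
					return nil
				}
			}
		}
		return errors.New("pinning failure: no pinned public key in the verified chain")
	}
}

// fetchWithPins performs a GET through a copy of client's transport that refuses
// any TLS connection whose verified chain lacks a pinned key.
func fetchWithPins(client *http.Client, url string, pins map[string]bool) (string, error) {
	tr, ok := client.Transport.(*http.Transport)
	if !ok {
		return "", errors.New("client transport is not an *http.Transport")
	}
	tr = tr.Clone() // deep-copies TLSClientConfig, so the caller's client is untouched
	if tr.TLSClientConfig == nil {
		tr.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}
	}
	tr.TLSClientConfig.VerifyPeerCertificate = pinVerifier(pins)
	pinned := &http.Client{Transport: tr}
	defer pinned.CloseIdleConnections()

	resp, err := pinned.Get(url)
	if err != nil {
		return "", err // a pin mismatch surfaces here as a TLS handshake failure
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// newDemoServer starts a loopback TLS server standing in for the bank's API.
// httptest generates its own self-signed certificate for it (constructed data).
func newDemoServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"balance":"42.00"}`)
	}))
}

func main() {
	srv := newDemoServer()
	defer srv.Close()

	good := map[string]bool{spkiPin(srv.Certificate()): true}
	// Pin of some other key (sha256 of the empty string): what the app would hold
	// if an interception proxy presented a certificate the device happened to trust.
	other := map[string]bool{"sha256/47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=": true}

	body, err := fetchWithPins(srv.Client(), srv.URL, good)
	fmt.Println("correct pin:", body, err)
	_, err = fetchWithPins(srv.Client(), srv.URL, other)
	fmt.Println("wrong pin:", err)
}
```

Two practical caveats the code makes visible: always pin to the verified chain and keep at least one backup pin for the next key you intend to roll to, otherwise a planned certificate rotation becomes a self-inflicted outage, which is exactly the operational burden that pushes teams towards pins that can be updated out of band rather than shipped in each app release.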
User authentication also provides companies with a myriad of options, as discussed in this article on Building Your Gold Standard For Account Access. The important thing to understand with respect to user authentication is that verifying 'who' is making a transaction request is only half of the problem; verifying 'what' is making the request is equally important, i.e. is it a genuine mobile app instance or an unmodified IoT device, or is it a script or bot mimicking a genuine client device or app while presenting perfectly valid user credentials?
What is the Financial Grade API (FAPI) Standard?
The Financial-grade API (FAPI) standard is a set of specifications designed to enhance the security and interoperability of APIs used in the financial industry. FAPI is an open standard developed by the FAPI Working Group within the OpenID Foundation. It establishes a common, tightly specified profile of OAuth 2.0 and OpenID Connect for APIs that protect high-value data, ensuring the protection of sensitive data and enabling integration between different financial systems without each bank inventing its own scheme.
Key features and principles of the FAPI standard include:
- Security and Privacy: FAPI's security profiles tighten OAuth 2.0 and OpenID Connect for high-value APIs. FAPI 1.0 Advanced and the FAPI 2.0 Security Profile both require confidential clients to authenticate with mutual TLS or a private_key_jwt assertion rather than a shared client secret, and require access tokens to be sender-constrained (certificate-bound under RFC 8705, or DPoP-bound in FAPI 2.0), so a stolen bearer token cannot simply be replayed from another client.
- Open Standards: FAPI builds on OAuth 2.0, OpenID Connect, PKCE, JWT-secured authorization requests and, in FAPI 2.0, pushed authorization requests (PAR), rather than inventing new protocols. Building on established mechanisms is what makes interoperability between banks and third-party providers achievable.
- Consent and User Control: FAPI is the technical substrate on which PSD2 and UK Open Banking consent flows are built. The user authorizes a specific third party to access specific accounts, and the resulting grant can be reviewed and revoked.
- Explicit Attacker Model: FAPI 2.0 was designed against a documented attacker model and the profile has been formally analysed, so the controls it mandates map to named attacks (token theft, authorization code injection, mix-up) rather than to a vague notion of best practice.
- Certification Program: the OpenID Foundation runs a conformance suite against which authorization servers and clients are tested, and certified deployments are listed publicly. That is a far more checkable claim than "bank-grade".
By adhering to the FAPI standard, financial institutions, payment service providers, and fintech companies can improve the security and trustworthiness of their APIs. FAPI helps establish a common foundation for secure API integration, enabling easier and safer sharing of financial data and services between different entities within the financial ecosystem.
Is Bank-grade Security Good Enough?
The simple answer to that question is that it’s hard to say because we can’t nail down exactly what ‘bank-grade security’ is. Even though we can’t define it, based on the continued number of successful attacks on financial institutions, we are certainly entitled to conclude that, whatever it is, it isn’t sufficient. As long as there is money involved, criminals will continue coming up with new ways to exploit digital platforms.
As an example of another relevant attack vector, we recently put together a simple demo, based on a mythical bank called BankSafe, to show how easy it is to modify a mobile app to do something that the user didn’t expect or authorize. Since anyone can download a mobile app from the app store, criminals may be able to modify and re-package the app and if they can trick genuine users into installing it onto their devices, trouble will ensue as you can see in the BankSafe demo video.
In fact, banks and financial institutions experience cyberattacks regularly. The Carnegie Endowment for International Peace Timeline of Cyber Incidents Involving Financial Institutions records more than 200 hacking and data privacy incidents involving banks, financial services companies and fintechs in 2022. The affected companies were spread across five continents, and every one of them would presumably have described its own security as bank-grade. The techniques used included MitM, encryption bypass, token skimming (using malware installed on users' devices), credential stuffing, phishing and social engineering.
Carnegie graphic showing countries affected by financial services cyberattack in 2022
(Image source: Carnegie Endowment)
Clearly, as stated above, bank-grade security is not enough. Users should not get comfortable with the companies handling their sensitive data just because they claim to use bank-grade security. Companies must do more to explain in detail what they mean by bank-grade security in order to build trust with their users.
In today's world, where most people access online services via mobile phones, fintech companies - and other mobile-first companies working in sectors where data protection is a must - need to go a step further. One clear and obvious step they could take is to implement mobile app authentication and ensure that their APIs make use of certificate pinning.
Implementing Mobile App Authentication and Certificate Pinning
Mobile App Authentication is a security measure that requires the mobile app to regularly attest its authenticity, through a process invisible to the user, whenever it interacts with the bank or financial services company's APIs. Only genuine, unmodified app instances running on safe devices receive a valid attestation, so only they can execute transactions; scripts, bots and modified or re-packaged apps are blocked at the API edge, however valid the user credentials they present.
Certificate Pinning ensures that the mobile app will only talk to servers presenting the specific certificates (or, better, the specific public keys) expected for the financial institution's APIs, regardless of what the device's trust store would otherwise accept. Done with pins that can be updated dynamically rather than baked into each app release, it gives users greater peace of mind without putting undue stress on the companies' DevOps processes every time a certificate is rotated.
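To make the "what is making the request" check concrete, here is an added example, written for this post and not Approov's code or token format, of the server-side half of mobile app authentication. It assumes an attestation service that, having inspected the app and device, issues a short-lived HMAC-signed JWT; the API edge then admits a request only if it carries a token with a good signature, the right audience and an unexpired lifetime. The header name X-App-Attestation, the claim names, the secret and the device identifier are all assumptions for the demo, and issueAttestation merely stands in for the attestation service (the actual inspection of the app is the part not modelled here).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const attestationHeader = "X-App-Attestation" // assumed name for this example

// Claims carried by the assumed attestation token; a short exp limits the replay
// value of a token lifted from a device. "did" is a hypothetical install id.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Did string `json:"did"`
}

var b64 = base64.RawURLEncoding

func hs256(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// issueAttestation stands in for the attestation service: in real life it runs
// only after the app binary and device state have been checked.
func issueAttestation(secret []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	si := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return si + "." + hs256(secret, si), nil
}

// verifyAttestation checks the signature before trusting a byte of the payload,
// then audience and expiry. The algorithm is fixed server-side and the header is
// never consulted, which removes the "alg":"none" and key-confusion JWT bugs.
func verifyAttestation(token string, secret []byte, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	si := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(hs256(secret, si)), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, errors.New("bad payload")
	}
	if c.Aud != aud {
		return nil, errors.New("wrong audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// requireAttestation is the check at the API edge: no valid token, no backend,
// whoever the user is.
func requireAttestation(secret []byte, aud string, now func() time.Time, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := verifyAttestation(r.Header.Get(attestationHeader), secret, aud, now()); err != nil {
			http.Error(w, "unattested client", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// callAPI drives the handler in-process and returns the HTTP status code.
func callAPI(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/transfer", nil)
	if token != "" {
		req.Header.Set(attestationHeader, token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-demo-secret-not-for-production")
	now := time.Unix(1700000000, 0)
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, `{"status":"accepted"}`) })
	api := requireAttestation(secret, "banksafe-api", func() time.Time { return now }, backend)
	tok, _ := issueAttestation(secret, Claims{Iss: "attester", Aud: "banksafe-api", Iat: now.Unix(), Exp: now.Unix() + 300, Did: "install-7f3a"})
	fmt.Println("genuine app:", callAPI(api, tok), " no token:", callAPI(api, ""), " tampered:", callAPI(api, tok+"x"))
}
```

The design point is that this check is orthogonal to user login: a credential-stuffing script with a perfectly valid username and password still gets a 401 because it cannot obtain a token, and a re-packaged BankSafe app fails for the same reason. The token's value comes entirely from how hard it is to obtain one from a tampered app, which is why the attestation step, not the JWT plumbing, is the part that matters.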
It's important not just from a security perspective but also from a consumer trust perspective that fintech - and other companies working in sectors where data privacy is an issue - can articulate how they are protecting the data of users who use these apps every day.
Approov's mobile app authentication and certificate pinning solutions are helping many leading fintech companies gain greater security, peace of mind, and consumer trust. Read the Secrets Report from the Approov Mobile Threat Lab to learn more about mobile security in financial services, or fill in this form to have a free demo and discussion of how Approov's Mobile Security team can help with your use cases.