News

Tech Tip – See Your Top Sites

If you need to be able to quickly see and access any of your top 25 most visited websites, there’s an easy way to display this list in Windows 10 on the taskbar or Start menu.

– Right-click the Microsoft Edge icon to display the Jump List of your top 25 websites.

– Click on any website on that list to load the website in a browser.

– Right-click on any entry to remove it from the list.

“Stalkerware” Partner-Spying Software Use Rises By 35% In One Year

Kaspersky researchers have reported a 35 per cent rise in the number of people who have encountered the use of so-called ‘stalkerware’ or ‘spouseware’ software in the first 8 months of this year.

What is Stalkerware?

Stalkerware (or ‘spouseware’) is surveillance software that can be purchased online and loaded onto a person’s mobile device. From there, the software can record all of a person’s activity on that device, thereby allowing another person to read their messages, see screen activity, track the person through GPS location, access their social media, and even spy on the mobile user through the cameras on their device.

Covert, Without Knowledge or Consent

The difference between parental control apps and stalkerware is that stalkerware programs are promoted as software for spying on partners, and they run hidden in the background without the victim’s knowledge or consent.

Most stalkerware needs to be installed manually on a victim’s phone, which means that the person who intends to carry out the surveillance, e.g. a partner, needs physical access to the mobile device.

Figures from Kaspersky show that there are now 380 variants of stalkerware ‘in the wild’ this year, which is 31% more than last year.

Most In Russia

Kaspersky’s figures show that this kind of surveillance software is most popular in Russia, with the UK in eighth place in Kaspersky’s study.

What Does This Mean For Your Business?

Unlike parental control apps, which serve the practical purpose of helping parents protect their children from the many risks associated with Internet and mobile phone use, stalkerware is more closely linked to abuse because it is added to a device without the user’s consent in order to covertly and completely invade their privacy. This kind of software could also be used for industrial espionage by a determined person who has access to a colleague’s mobile phone.

If you’d like to avoid being tracked by stalkerware or similar software, Kaspersky advises that you block the installation of programs from unknown sources in your smartphone’s settings, never disclose the passwords/passcode for your mobile device, and never store unfamiliar files or apps on your device. Also, those leaving a relationship may wish to change the security settings on their mobile device.

Kaspersky also suggests that you should check the list of applications on your device to find out if suspicious programs have been installed without your consent.

If, for example, you find out that someone, e.g. a partner or ex-partner, has installed surveillance software on your devices, and/or does appear to be stalking you, the advice is, of course, to contact the police and any other relevant organisation.

Google Leadership Accused Of Developing Internal Surveillance Tool

Some Google employees have accused the company’s leadership of developing a browser extension for all of Google’s in-house computers that could flag up signs of workers trying to organise meetings and protests.

Google Employees

The story came to light in a memo written by a Google employee that is reported to have been seen and verified by three other anonymous Google employees and Bloomberg News. In the memo it was alleged that a team within the company had developed a surveillance tool, disguised as a calendar add-on, that could be added to the custom Chrome browser used on Google’s computers.

How?

The employee’s memo alleged that the browser extension would be able to report any staff member who booked a calendar event requiring more than 10 rooms, or who scheduled an event with more than 100 people. The alleged reason for flagging these details was to warn the company’s leadership about any attempt to organise workers for the purposes of industrial action, e.g. meetings and protests related to labour rights.

Reviewed

Reported employee memos have suggested that work on the tool started in September and that Google’s privacy team approved the tool’s release but also expressed some concerns about the culture at Google.

According to Google, however, the tool was developed over several months and was subject to Google’s standard privacy, security and legal reviews.

Rollout In October

According to reports of a memo posted on an internal staff message board, the surveillance tool is due to be rolled out this month (October), and there is a report of two Google workers in California saying that the tool has already been added to their browsers.

‘Trouble at Mill’

There has been speculation by some commentators that the tool may have been developed in response to recent outbreaks of organised activity by workers concerned about the company’s attitude to their rights, the ethics of some of the company’s projects, and how Google may have handled some complaints.  For example, some workers in the company’s Zurich office held an event about workers’ rights and unionisation, and some Google employees have protested about products such as the ‘Project Dragonfly’ search engine that could allow Google to re-enter the Chinese market by censoring certain terms.  Human rights groups had also been vocal in criticising this idea saying that it appeared to support state censorship.

What Does This Mean For Your Business?

For Google employees, many of whom are used to working in an environment of relative freedom where creativity and collaboration are encouraged, an apparent cultural shift (if indeed that is what is happening) towards a more authoritarian and less trusting approach where ethics could come lower down the list of priorities in the search for profits would be likely to be a shock, and could possibly damage the relationship and the trust between management and workers.  It is unlikely that workers anywhere would respond positively to being subjected to a kind of covert surveillance and internal censorship, particularly if they believed that it was being carried out to curtail certain aspects of their labour rights.  The resulting bad publicity could also damage a company’s brand and therefore, the company’s competitiveness and customer perceptions of the company.

It should be said, however, that the reports of the development of the browser tool in Google rest upon the alleged details of memos, and it is unclear to date how accurate the reports are.

Microsoft Beats Amazon to $10 Billion AI Defence Contract for ‘Jedi’

After a long and difficult bidding process, Amazon has lost out to Microsoft in the battle to win a $10bn (£8bn) US Defence Department AI and Cloud computing contract.

For ‘Jedi’

The contract was for the Joint Enterprise Defence Infrastructure (Jedi).  This infrastructure will be designed to enable US forces to get fast access to important Cloud-held data from whichever battlefield they are on. The project will also see AI being used to enhance and speed up the delivery of data to US forces, thereby potentially giving them an advantage.

Amazon Was Thought To Be In Front…Before Trump Comments

Amazon, led by Jeff Bezos, was believed by many tech commentators to have been the front-runner of the two tech giants in the battle for the contract as it is the biggest provider of cloud-computing services.  Also, Amazon had already won an important computing services contract with the CIA in 2013 and is already a supplier of cloud services and technologies to thousands of U.S. agencies.

Unfortunately for Amazon, in August the Pentagon appeared to put the brakes on the final decision-making process following concerns expressed by President Trump.

The President is reported to have said back in July that he was concerned about the contract not being “competitively bid” and that he had heard “complaints” about the contract between Amazon and the Pentagon.

The President, however, was not the only one with concerns as tech giant Oracle (which was also in the running for the contract at one point) had gone to the federal court earlier in the year with allegations (which were dismissed) that the bidding process had been rigged in Amazon’s favour.

Difficult Relationship

Many media reports have suggested that a difficult relationship between President Trump and Jeff Bezos in the past has possibly had some influence on the outcome of the Pentagon’s decision about the project.  For example, Mr Bezos has been criticised before by President Trump, and Mr Bezos also owns the Washington Post.  President Trump has been critical of several news outlets, such as CNN, the New York Times, and The Washington Post.  For example, it has been reported by the Wall Street Journal that President Trump has now instructed his agencies not to renew their subscriptions to those newspapers.

Great News For Microsoft

Winning the contract is, of course, good news for Microsoft, which will receive a large amount of U.S. Defence funds for the Jedi contract, and possibly for another defence-related multi-billion-dollar contract (‘Deos’) to supply cloud-based Office 365.

What Does This Mean For Your Business?

With a contract of this value up for grabs and the possibility of further lucrative contracts too, this was never going to be a clean and uncomplicated fight between the tech giants.  In this case, however, it being a defence contract, one of the key influencers was the U.S. President and it appears that his relationship with Amazon’s Jeff Bezos along with other factors may have played a part in Microsoft coming out on top.  The size and complexity of the contract meant that it was only ever going to be something for the big, established tech names, and Microsoft winning the contract was undoubtedly an important victory against its competitor Amazon, will add value to its brand, will bring in a sizeable source of revenue at a time when it’s already seen a 21 per cent rise in its profits on last year, and puts Microsoft in a much closer 2nd position behind Amazon’s AWS in the cloud computing services market.

Tough Questions About Libra Cryptocurrency

Facebook’s CEO, Mark Zuckerberg faced a grilling from the US Congress last week over his company’s ‘Libra’ cryptocurrency plans.

Libra

‘Libra’ is Facebook’s new cryptocurrency and global payment system that’s due to be launched in 2020.  Unlike other cryptocurrencies, Libra is backed by a reserve of cash and other liquid assets.  The idea of Libra is that spending the new currency could be as easy and fast as texting as payments can be made by a special phone app and by messaging services such as WhatsApp.  Also, Libra is intended to be of particular value to the one billion+ people around the world (including 14 million in the US) with no access to a bank account, but who could use a mobile phone-based payment system.

Management of the currency, units of which can be purchased via Libra’s platforms and stored in a digital wallet called “Calibra”, will be the responsibility of an independent group of 21 companies and non-profit organisations called the Libra Association, of which Facebook’s subsidiary ‘Calibra’ is a member.

Problems and Criticism

Facebook has, however, found itself coming in for some tough criticism over its involvement with Libra. This includes:

  • Worries about whether Facebook can be trusted with peoples’ financial details in the light of its part in the personal data-sharing scandal with Cambridge Analytica.
  • Concerns from ‘Group of Seven’ democracies finance chiefs about whether Libra could address “serious regulatory and systemic concerns”.
  • President Trump Tweeting that he’s not a fan of Libra, and bank chiefs like Mark Carney also expressing concerns about Libra.
  • Worries that Libra could be used as a means to bypass rules relating to money laundering and tax evasion (which is believed to have led to PayPal leaving the Libra Association recently).
  • Warnings that Libra could be blocked in Europe (especially in France) unless concerns over risks to consumers and to the monetary systems of countries can be addressed.

Congress Grilling

The grilling of Mark Zuckerberg at the US Congress last week at the top of the House Financial Service Committee’s hearing focused on many of the key concerns.  For example:

  • Republican Nydia Velázquez asked Mark Zuckerberg why Facebook should be trusted after the recent privacy scandals and data breaches/data sharing relating to the Cambridge Analytica affair.
  • Republican Joyce Beatty criticised Mark Zuckerberg over an apparent lack of knowledge of diversity and housing advertisement issues and alleged that Zuckerberg hadn’t read her reports.
  • Republican Patrick McHenry criticised the technology industry and highlighted the current anger towards it.

Prepared Statement Covered Many Concerns

Mark Zuckerberg’s prepared statement for the hearing appears to have anticipated and answered the main concerns. For example, as well as stressing how Facebook is committed to strong consumer protections for the financial information it receives, Mark Zuckerberg addressed three main concerns, saying that:

  1. Where people are concerned that Facebook is moving too fast on the Libra project, Facebook is committed to taking the time to get this right.
  2. Where it has been suggested that Facebook could circumvent regulators and regulations with Libra, Facebook won’t actually be a part of launching the Libra payments system anywhere in the world unless all US regulators approve it.
  3. Libra is not an attempt to create a sovereign currency but, like existing online payment systems, it’s simply intended to be a way for people to transfer money.

So What?

Despite the grilling, many commentators have pointed out that the House Financial Service Committee and Congress don’t actually have the power to do much about the introduction of Libra.  Some commentators have also suggested that the hearing was as much about political grandstanding as it was about Libra and that politicians are finding it hard to stay up to speed with information about cryptocurrencies.

No Regulatory Approval = Facebook Leaves the Association

Mr Zuckerberg stressed just how much he intends to play by the rules with Libra by saying that if the Libra Association moved forward without regulatory approval, Facebook “would be forced to leave the Association.”

What Does This Mean For Your Business?

Banks and governments are unlikely to adopt a favourable attitude to a new type of currency that could potentially unbalance monetary systems, and could potentially get around regulations, scrutiny and control, and could even be used for money laundering and tax evasion. That said, the blockchain-anchored Libra is unlikely to suffer many of the huge fluctuations and problems that other cryptocurrencies like bitcoin have because Libra is backed by real assets.  Also, many of the big financial players are part of the Libra Association e.g. Mastercard and Visa, although it’s clear that Facebook needs to make sure that Libra can meet all regulatory requirements and is squeaky clean if the Association wants to keep these important members.

If, as Mr Zuckerberg says, Libra is simply and innocently another way of paying for things that could lead to a more inclusive society e.g. by helping those without bank accounts, this could benefit not just society but whole economies too.  It looks as though Facebook still has some way to go, however, to convince governments, finance chiefs and other critics that it is the right company to be trusted with a new currency and the financial data of those who use it.

Facebook ‘News’ Tab on Mobile App

Facebook has launched the ‘News’ tab on its mobile app which directs users to unbiased, curated articles from credible sources in a bid to publicly combat fake news and help restore trust in its own brand.

Large US Cities For Now

The ‘News’ tab on the Facebook mobile app, which will initially only be available to an estimated 200,000 people in select, large US cities, is expected by Facebook to become so popular that it could attract millions of users.

What?

The News tab will attempt to show users stories from local publishers as well as the big national news sources.  The full list of publishers who will contribute to the News tab stories has not yet been confirmed, although online speculation points to the likes of (U.S. publishers initially) Time, The Washington Post, CBS News, Bloomberg, Fox News and Politico.  It has not yet been announced when the service will be available to UK Facebook users. It has been reported that Facebook is also prepared to pay many millions for some of the content included in the tab.

Why?

Facebook has been working hard to restore some of the trust lost in the company when it was found to be the medium by which influential fake news stories were distributed during the UK Brexit referendum, the 2017 UK general election, and the U.S. presidential election. There is also the not-so-small matter of 50 million Facebook profiles being shared/harvested (in conjunction with Cambridge Analytica) back in 2014 in order to build a software program that was used to predict and generate personalised political adverts to influence choices at the ballot box in the last U.S. election.

Facebook CEO, Mark Zuckerberg, was made to appear before the U.S. Congress in April to talk about how Facebook is tackling false reports, and even recently a video that was shared via Facebook (which had 4 million views before being taken down) falsely suggested that smart meters emit radiation levels that are harmful to health. The information in the video was believed by many even though it was false.

Helping Smaller Publishers Too

Also, Facebook acknowledges that smaller news outlets have struggled to gain exposure with its algorithms, and that there is an opportunity to deliver more local news, personalised news experiences, and more modern digital-age, independent news.  It is also likely that, knowing that young people get most of their news from online sources but have been moving away to other platforms, this could be a good way for Facebook to retain younger users.

Working With Fact-Checkers

Back in January, for example, Facebook tried to help restore trust in its brand and publicly show that it was trying to combat fake news by announcing that it was working with London-based, registered charity ‘Full Fact’ who would be reviewing stories, images and videos, in an attempt to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

Personalisation

The News tab will also allow users to see a personalised selection of articles, the choice of which is based upon the news they read. This personalisation will also include the ability to hide articles, topics and publishers that users choose not to see.

The Human Element

One of the key aspects of the News tab service that Facebook sees as adding value, keeping quality standards high, and providing a further safeguard against fake news is that many stories will be reviewed and chosen by experienced journalists acting as impartial and independent curators.  For example, Facebook says that “Unlike Google News, which is controlled by algorithms, Facebook News works more like Apple News, with human editors making decisions.”

Not The First Time

This is not the first time that Facebook has tried offering a news section, and it will hopefully be more successful and well-received than the ‘Trending News’ section that was criticised for bias in the 2016 presidential election and has since been phased out.

What Does This Mean For Your Business?

Only last week, Mark Zuckerberg found himself in front of the U.S. Congress answering questions about whether Facebook can be trusted to run a new cryptocurrency, and it is clear that the erosion of trust caused by how Facebook shared user data with Cambridge Analytica and how the platform was used to spread fake news in the U.S. election have cast a long shadow over the company.  Facebook has since tried many ways to regain trust e.g. working with fact-checkers, adding the ‘Why am I seeing this post?’ tool, and launching new rules for political ad transparency.

Users of social networks clearly don’t want to see fake news, the influences of which can have a damaging knock-on effect on the economic and trade environment which, in turn, affects businesses.

The launch of this News service with its human curation and fact-checking could, therefore, help Facebook kill several birds with one stone. For example, as well as going some way to helping to restore trust, it could increase the credibility of Facebook as a go-to trusted source of quality content, enable Facebook to compete with its rivals e.g. Google News, show Facebook to be a company that also cares about smaller news publishers, and act as a means to help retain younger users on its platform.

Tech Tip – Minimise Distractions With ‘Focus Assist’

If you’re using Windows 10 and you’d like to maintain productivity and minimise distractions from your operating system e.g. notifications, sounds and alerts, ‘Focus Assist’ can help you to achieve this and can now be turned on automatically for full-screen apps.

With Focus Assist you can choose which notifications you’d like to see and hear when working, and you can choose the automatic rules for these (using on/off toggles) so that you can minimise distractions at certain times and during certain activities.  You can also ask Focus Assist (with a simple tick box) to give you a summary of what you missed while it was on.

To use Focus Assist:

– Type ‘Focus Assist’ in your Windows 10 search box (bottom left).

– Select ‘Focus Assist Settings’ or ‘Focus Assist Rules’.

– Make your notification choices: ‘Off’, ‘Priority Only’, or ‘Alarms Only’.

– Use the On/Off toggles to set your ‘Automatic Rules’.

Amazon Echo and Google Home ‘Smart Spies’

Berlin-based Security Research Labs (SRL) discovered possible hacking flaws in Amazon Echo (Alexa) and Google Home speakers and installed their own voice applications to demonstrate hacks on both device platforms that turned the assistants into ‘Smart Spies’.

What Happened?

Research by SRL led to the discovery of two possible hacking scenarios that apply to both Amazon Alexa and Google Home which can enable a hacker to phish for sensitive information in voice content (vishing) and eavesdrop on users.

Knowing that some of the apps offered for use with Amazon Echo and Google Home devices are made by third parties with the intention of extending the capability of the speakers, SRL was able to create its own voice apps designed to demonstrate both hacks on both device platforms. Once approved by both platforms, the apps were shown to successfully compromise the data privacy of users: using certain Skills and Actions, they could both request and collect personal data, including user passwords, by continuing to listen after the user believed the smart speaker had stopped listening.

Amazon and Google Told

SRL’s results and the details of the vulnerabilities were then shared with Amazon and Google through a responsible disclosure process. Google has since announced that it has removed SRL’s Actions and is putting in place mechanisms to stop something similar happening in future. Amazon has also said that it has blocked the Skill inserted by SRL and has put preventative mechanisms in place for the future.

What Did SRL’s Apps Do?

The apps that enabled the ‘Smart Spy’ hacks took advantage of the “fallback intent” in a voice app (the bit that says “I’m sorry, I did not understand that. Can you please repeat it?”), the built-in stop intent which reacts to the user saying “stop” (by changing the functionality of that command after the apps were accepted), and a quirk in Alexa’s and Google’s text-to-speech engines that allows long pauses to be inserted in the speech output.

Examples of how this was put to work included:

  • Requesting the user’s password through a simple back-end change by creating a password phishing Skill/Action. For example, a seemingly innocent application was created such as a horoscope.  When the user asked for it, they were given a false error message e.g. “it’s not available in your country”.  This triggered a minute’s silence which led to the user being told “An important security update is available for your device. Please say start update followed by your password.” Anything the user said after “start” was sent to the hacker, in this case, thankfully, SRL.
  • Faking the Stop Intent to allow eavesdropping on users. For example, when a user gave a ‘stop’ command and heard the ‘Goodbye’ message, the app was able to continue to secretly run and to pick up on certain trigger words like “I” or words indicating that personal information was about to follow, i.e. “email”, “password” or “address”. The subsequent recording was then transcribed and sent back to SRL.

Not The First Time

This is not the first time that concerns have been raised about the spying potential of home smart speakers. For example, back in May 2018, a US woman reported that a private home conversation had been recorded by her Amazon voice assistant and then sent to a random phone contact who happened to be her husband’s employee. Also, as far back as 2016, US researchers found that they could hide commands in white noise played over loudspeakers and through YouTube videos in order to get smart devices to turn on flight mode or open a website. The researchers also found that they could embed commands directly into recordings of music or spoken text.

Manual Review Opt-Out

After the controversy over the manual, human reviewing of recordings and transcripts taken via the voice assistants of Google, Apple and Amazon, Google and Apple had to stop the practice and Amazon has now added an opt-out option for manual review of voice recordings and their associated transcripts taken through Alexa.

What Does This Mean For Your Business?

Digital Voice Assistants have become a popular feature in many home and home-business settings because they provide many value-adding functions in personal organisation, as an information point and for entertainment and leisure.  It is good news that SRL has discovered these possible hacking flaws before real hackers did (earning SRL some good PR in the process), but it also highlights a real risk to privacy and security that could be posed by these devices by determined hackers using relatively basic programming skills.

Users need to be aware of the listening potential of these devices, and of the possibility of malicious apps being operated through them. Amazon and Google may also need to pay more attention to the reviewing of third-party apps and of the Skills and Actions made available in their voice app stores in order to prevent this kind of thing from happening and to close all loopholes as soon as they are discovered.

Why You May Be Cautious About Installing The Latest Windows 10 Update

Some of Microsoft’s enterprise-based customers may be feeling cautious about installing the latest Windows 10 update because Microsoft warns that it could stop the Microsoft Defender Advanced Threat Protection (ATP) service from running.

The Update and Warning

The update in question is the October 15, 2019 KB4520062 (OS Build 17763.832).  The update contains a long list of improvements and fixes (see here for full details: https://support.microsoft.com/en-us/help/4520062/windows-10-update-kb4520062), but also three known issues, one of which concerns the Microsoft Defender Advanced Threat Protection (ATP) service.

What Is The ATP?

The ATP is a paid-for service for Microsoft Enterprise customers (not Home or Pro customers) that’s designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It offers features like endpoint behavioural sensors embedded in Windows 10, cloud security analytics, and access to threat intelligence generated by Microsoft hunters and security teams and augmented by threat intelligence provided by Microsoft’s partners.

What’s The Issue With the Update?

In the update’s release notes Microsoft says, “We suggest that devices in an affected environment do not install this optional non-security update”.

The reason given for the warning is that, after installing the update, the ATP service may stop running and may fail to send reporting data. This could mean that certain enterprise customers are more exposed to security threats until a solution has been found.

Microsoft also warns that an error (0xc0000409) may be received in MsSense.exe.
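A quick check an administrator can run on an affected device, written here as an added example rather than anything from Microsoft’s release notes: it reports whether KB4520062 is present, whether the Defender ATP sensor service is running, and whether the Application event log shows MsSense.exe crashes with exception code 0xc0000409. The service name ‘Sense’ and the Event ID 1000 ‘Application Error’ lookup are assumptions based on standard Windows behaviour, not details taken from the page.

```powershell
# Added example: check a device for the KB4520062 / Defender ATP issue described above.
# Assumptions (not stated on the page): the ATP sensor runs as the Windows service named
# "Sense" (display name "Windows Defender Advanced Threat Protection Service"), and
# application crashes are logged by source "Application Error" as Event ID 1000.
$KbId          = 'KB4520062'
$ExceptionCode = '0xc0000409'

# 1. Is the optional update installed? (Get-HotFix lists installed Windows updates by KB id.)
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "$KbId is INSTALLED (on $($hotfix.InstalledOn))"
} else {
    Write-Output "$KbId is not installed"
}

# 2. Is the ATP sensor service present and running?
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
if ($null -eq $sense) {
    Write-Output "Sense service not found (device may not be onboarded to Defender ATP)"
} else {
    Write-Output "Sense service status: $($sense.Status)"
}

# 3. Any MsSense.exe crash events carrying the exception code from the release notes
#    in the last 7 days?
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-7)
}
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'MsSense\.exe' -and
        $_.Message -match [regex]::Escape($ExceptionCode)
    }

if ($crashes) {
    Write-Output "Found $(@($crashes).Count) MsSense.exe crash event(s) with ${ExceptionCode}:"
    $crashes | Select-Object TimeCreated, Id | Format-Table -AutoSize
} else {
    Write-Output "No MsSense.exe crashes with $ExceptionCode found in the last 7 days"
}

# 4. Verdict: flag the combination the release notes warn about.
if ($hotfix -and $sense -and $sense.Status -ne 'Running') {
    Write-Warning "$KbId is installed and the Sense service is not running: device may have lost ATP reporting"
}
```

Run it in an elevated PowerShell session on each Enterprise device you suspect is affected; a device onboarded to ATP that reports the update installed, the service stopped and recent MsSense.exe crashes is a candidate for rolling the optional update back until Microsoft’s fix arrives.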

Not Fixed Until November

Microsoft says that although it’s working on a resolution it estimates that it won’t have a solution to the problem until November.

One of Several Update Problems Recently

This is one of several updates from Microsoft recently that have come with problems.  For example, an update on the 16th of September was reported to have caused issues with Windows Defender.  Later in September, Microsoft had to issue two emergency Windows updates to protect against some serious vulnerabilities relating to Internet Explorer and Windows Defender (anti-virus software).

Also, the October 3 update is reported to have adversely affected the Start Menu and print spooler, and the Start Menu issues were reported to be still present following the 8 October update.

What Does This Mean For Your Business?

Although Home and Pro customers need not worry about this particular issue, Microsoft’s valued Enterprise customers, who have paid for the ATP service to help stay ahead of the game in security may be a little worried and frustrated at having to either wait until November to enjoy the improvements of the new (optional) update in safety, or install it now and risk the loss of their ATP service and face the associated potential security risks.

Microsoft customers seem to have suffered several problems related to updates in recent months, and Enterprise customers are likely to be those that Microsoft particularly does not want to upset. It is likely, therefore, that Microsoft will be focusing on getting an appropriate solution to the new update issues before November if possible.

Banking App Fraud On The Rise

A recent report from cyber-security company RSA has highlighted a significant rise in fraud via fake banking apps.

Number of Attacks Has Trebled

The Fraud and Risk Intelligence (FRI) team at RSA have noted a tripling of the number of fraud attacks via fake mobile banking apps in the first six months of this year with rogue mobile app fraud generally up by a staggering 191 per cent.

Fake Mobile Apps Exploit Digital Finance Trust

Not only did the 40,344 fraud attacks represent a 63 per cent rise, but 29 per cent of those attacks were recorded as coming from fake mobile apps.

In fact, the report identified an 80 per cent rise in the use of financial malware in the first half of this year, highlighting how cyber-criminals are using the transformation of finance to the digital world and the increasing trust of users in financial apps and digital financial transactions as a way in.

Changing

Tech and finance commentators have noted that as companies offer more convenient digitised financial initiatives to customers e.g. open banking, and as this has necessitated customers engaging in more digital touchpoints, it has led to a widening of the potential ‘attack surface’ that criminals can take advantage of.

Could Banks Do More?

An Immuniweb report from August this year noted that a massive 98 per cent of the world’s 100 leading financial technology (fintech) startup companies are vulnerable to web and mobile app attacks, and that 97 of the 100 largest banks are also vulnerable to web and mobile attacks which could facilitate a breach of sensitive data.

The Immuniweb report also highlighted mobile financial apps as being a problem area with all mobile apps tested showing at least one ‘medium risk’ security vulnerability, and 97 per cent having at least two medium/high-risk vulnerabilities. The tests also showed that over 50 per cent of mobile app backends have serious SSL/TLS misconfigurations or privacy issues which could be traced to not having robust-enough web server security.

This has led to some speculation that banks and other financial organisations could be doing more to help close potential security loopholes in their apps, thereby offering better protection to customers.

What Does This Mean For Your Business?

Mobile apps offer banks and other financial organisations a way to offer convenience and added value to customers who want to be able to manage their finances on the go. However, security problems in legitimate apps, a proliferation of fake/rogue financial apps, and the widening attack surface that comes with consumers increasingly trusting their finances to mobile digital transactions have together increased the risks that businesses and consumers face.

As users of banking and other financial apps, we can help protect ourselves by sticking to some basic security procedures such as not clicking on links in unfamiliar messages or texts (to avoid loading malware), keeping a close eye on our bank transactions, and being very cautious when downloading apps of any kind. For example, to minimise the risk of falling victim to rogue/fake apps, you should check the publisher of an app, check which permissions the app requests when you install it, delete any apps from your phone that you no longer use, and contact your phone’s service provider or visit the high street store if you think you’ve downloaded a malicious/suspect app.