New pressure is rising around mobile payments apps and their vulnerability to intruders.
San Francisco-based Arxan Technologies, which got its start in 2001 providing security tools to protect gaming and medical-device applications, says financial services companies are one of the fastest-growing sectors seeking help in barricading their mobile apps from hackers.
As payments become more invisible and seamless within mobile commerce apps, hackers are working to sneak in and plant malware to intercept user information, including credit card numbers and other payment credentials, said Rusty Carter, Arxan’s vice president of product management.
“As mobile payments app development and usage rises, so does the opportunity for fraud originating within apps, which is a huge concern for banks with so much invested in consumers trusting their apps,” Carter said.
Much of the technology Arxan uses to protect mobile payment apps was initially developed for other industries, including medical devices, Carter said.
“Payments may seem like an area where security is most important, but so are apps for medical devices that control a person’s life by managing their heart function and blood pressure, where every possible security precaution is needed,” he said.
Solutions developed for the payments industry, in turn, are helping to enrich Arxan’s work in other areas including the emerging Internet of Things, according to Carter.
“We’re seeing a surge in demand from financial services companies adding our technology to protect mobile apps, and so far it’s more as a prevention measure to maintain the trust and reputation they have with customers,” he said. “The tools we’re developing at the app level to make mobile payments more secure and invisible will be leveraged in technology across many other platforms enabling people to securely access everything from food and entertainment to medications and transportation.”
Threats to mobile apps aren't new—bankers have been concerned about their apps' vulnerability for years and many use a combination of vendor-based and in-house solutions to protect them, said Julie Conroy, research director at Aite Group.
But as mobile apps absorb more transaction volume, they're also likely to draw more attention from cybercriminals, Conroy said.
"As the apps themselves, as well as the attacks, become more sophisticated and complex, more banks are realizing that homegrown app-shielding methods may not be sufficient, and we're likely to see spending ramp up in this area," she said.
Many large consumer banks are among Arxan’s customers, but Carter declined to name them.
“A lot of our work is centered on the core application code, where we establish ways to block crooks, and track attempted incidents at the deepest level of an app,” Carter said.
Arxan's latest thrust is defending mobile apps against new types of attacks that include tampering and reverse-engineering of code—including interfering with APIs, he said.
Banks also recognize that where payment apps intersect with connected commerce, risks could rise exponentially, according to Carter.
“We’re starting to hear more news and concern about potential nation-state attacks that could compromise or paralyze connected systems and pose a huge threat to populations, and we’ve also seen rapid growth in the technical sophistication of cybercrime, which is driving a groundswell of interest in building in protections further and further upstream where apps begin,” he said.
For this reason, Arxan increasingly is working with financial services providers at the earliest stages of app development.