“In app development you need to put security right up top and central,” he warned, adding that penetration testing was almost essential. “The cost (of testing) is dwarfed by the potential cost of reputational damage” in the event of a security breach, he said.
Mr Forsyth said that at NAB there were 750,000 users of the mobile banking platforms each month, generating 2 million transactions worth $1 billion.
He said that although mobile phone security challenges were previously the province of bored teenagers, they were now prompting more sophisticated attacks as the motivation “shifted to profit motivated malware”, with software being designed to intercept the SMS messages that many of the banks used for two-factor authentication on larger online transactions.
He said that although companies developing mobile apps were wise to distribute their apps via legitimate app stores such as Apple’s iTunes or Google’s Play Store, they should not rely on those stores for the timely distribution of app updates. Companies should also consider building into their mobile apps the capacity to remotely switch off functions if a security issue was detected.
Mr Forsyth also shared statistics showing that the Android mobile platform was now the most vulnerable smartphone platform with regard to security breaches. “Over the last year the Android platform has been a bit of a victim of its ideology around openness. There has been a massive spike in the amount of malware around that platform,” he said.
He also said that Google’s app store did not match the robustness of Apple’s in terms of vetting and deciding which apps would be made available on the store, and that companies needed to be aware of that.
While malware was a major problem, Mr Forsyth also lamented the lack of sophistication among mobile phone users. “There is this insane willingness to download apps without any due diligence about what the system is doing,” he said.