Market Conditions & Rising Mobile Threats Test Mobile App-Based Challenger Banks

Samuel Bakken

At the end of July 2020, Mark Cuban-backed fintech startup Dave reported a security incident resulting in the exposure of personally identifiable information of millions of their users, including birth dates, phone numbers, email addresses, and physical addresses, as well as encrypted social security numbers and hashed customer passwords. Dave offers payday-advance loans and overdraft protection for bank accounts and checking accounts and is a member of the “challenger bank” cohort along with companies like Chime, Current, Space, Cleo, N26, Empower Finance, Level, Step, Moven, and more.

The Dave mobile app itself was not attacked, and Dave claimed there was no evidence the personal information had been used to gain unauthorized access to user accounts. Dave places the blame for the data breach squarely on a third-party services provider, Waydev, claiming one of their databases was breached. But how will their users react? Do consumers care about the intricacies of who’s to blame for the data breach? How might this incident affect the market’s perception of Dave’s security practices?

In some cases, a data breach could be a deathblow, and these challenger banks need to take the security of their mobile apps, their institutions and their customers seriously if they haven’t already. Their businesses could live or die based on their ability to implement mobile security that consumers trust. Investing properly in multi-layered security with a special emphasis on protecting mobile channels could make the difference between making it through the pandemic or calling it quits.

Mobile Threats Surging for Traditional Banks, Challenger Banks and Fintechs

Just recently, the FBI warned consumers that an increase in mobile app-based banking Trojan activity was expected as a result of pandemic-driven increases in mobile banking activity. Lending credence to that prediction is data showing that fraudulent mobile transactions originating from mobile apps doubled in Q1 2020. Along the same lines, cybersecurity vendor Kaspersky Labs reported a nearly 3X increase in mobile banking trojan detections in Q1 2020 compared to the previous quarter.

One might think a malicious party would concentrate on larger, more well-known banks to maximize their schemes’ profit potential, but recently revealed mobile banking Trojan campaigns show that mobile apps from lesser known fintech and challenger banks are also under fire. For example, the EventBot mobile banking trojan targeted not only traditional banks such as Barclays, CapitalOne, HSBC, and Santander but also apps such as Revolut, Monese, Monzo, N26 and those of other fintechs and challenger banks.

Security Incidents Are Costs Challenger Banks May Not Be Able to Absorb

Challenger banks’ mobile channels are under as much threat as their more established peers. Unfortunately, challenger banks are probably less able to absorb the costs of a major security incident. A recent study published by IBM and Ponemon Institute puts the average cost of a breach that exposes 1 million to 10 million records at $50 million. 

That’s not an insignificant sum. For up-and-coming challenger banks and fintech companies, acquiring new users is the top priority. Knowing that a security incident could increase the difficulty of acquiring new users due to a damaged reputation and negative perception of their security practices, the wise challenger bank invests in proactive security such as automated security testing, penetration testing, and in-app protection. Those costs are a pittance compared to the $50 million expense of a security incident. And, with the risk of a mobile security incident mitigated, additional funds can be invested in customer acquisition.

Reputational damage is a crucial consideration when it comes to investing properly in security technology—just ask Twitter. They made the following comments related to a recent breach of several high-profile users’ accounts in their recent Form 10-Q filing with the SEC:

“This security breach may have harmed the people and accounts affected by it. It may also impact the market perception of the effectiveness of our security measures, and people may lose trust and confidence in us, decrease the use of our products and services or stop using our products and services in their entirety…Any of these effects could have a material and adverse impact on our business, reputation and operating results.”

The Pandemic is a Headwind But Some Challenger Banks Will End Up Wildly Successful 

Despite some challenger banks encountering headwinds, the benefits associated with their offerings remain compelling to consumers (e.g., low/no fees, higher interest rates and better user experiences). So while growth rates may ebb for some period of time, as in any industry, challenger banks in general will not cease to exist – but there will likely be winners and losers.

App-based challenger bank Monzo reports that despite having 4.4 million users, they’ve lost £113.8 million over the past year. Moven, one of the first U.S. challenger banks, shut down in April. But challenger banks that can continue to innovate and improve the remote banking experience will maintain their advantage in the market. In addition, those that make the right investments to ensure the security of remote, and especially mobile, user experiences will buoy their position. In other words, in terms of hedging bets, now is not the time to skimp on security.

In Closing: What’s A Smart Strategy When It Comes to Mobile App Security?

To secure mobile banking apps, whether they are Android or iOS, challenger banks and fintechs need to invest in the following:

  • Bolstering the app against mobile threats in untrusted environments (i.e., users’ devices) with in-app protection including app shielding and runtime application self-protection (RASP) technology
  • Periodic deeper penetration testing of the mobile app
  • Regular, automated security testing during development
  • Making security part of product requirements
  • Secure code training/education for developers

With a singular focus on speed-to-market and customer acquisition, security can be a weakness for some startups. In the financial services industry, where consumers prioritize trust and data security in their buying criteria, there’s no room for skimping on security. Traditional banks, challenger banks and fintechs alike need to pay special attention to their mobile channels to protect customer data, not only to create a good user experience worth talking about, but also to ensure the security of the mobile app. Because the best customer experience is a secure one.

Sam is Director of Product Marketing responsible for the OneSpan mobile app security and identity verification portfolio and has nearly 10 years of experience in information security.