BankThink

CBDCs are the future of money, but bank apps are stuck in the past

National digital currencies are gaining momentum. In November, the nine largest banks in Japan announced that they will issue a digital yen this year. Nine countries have already issued central bank digital currencies and 14, including China, have pilots underway. Mexico plans to introduce a CBDC in the next two years, and India plans to pilot its own CBDC early this year.

Given this, CBDCs are clearly the way of the future. But if cryptocurrencies like Bitcoin and Ethereum are any guide, it’s also clear that hardening security — and particularly mobile app security — will be critical if they are to gain widespread acceptance. Because right now, mobile apps are far too insecure.

Smartphones will be central to the use of digital currencies. Certainly, some people will store their CBDC on dedicated hardware devices, but most people prefer not to carry around multiple devices, and smartphones are already commonly used to store cryptocurrency. Nonbanking, financial apps will be used to manage CBDCs in addition to traditional banking apps.

Last year, for instance, an iPhone user downloaded an app containing a Trojan from the Apple App Store that, once installed on his iPhone, stole $600,000 worth of Bitcoin. And new threats are emerging all the time. One of the most recent is an Android Trojan called SharkBot. This malware initiates money transfers from crypto and banking apps on compromised devices, completely bypassing verification systems such as multifactor authentication and preventing users from removing it.

Recent hacks of Bitmart, the BXH exchange and Celsius have resulted in the theft of more than $320 million. Celsius lost over $50 million when hackers exploited the interface that connects the website of BadgerDAO, a decentralized finance platform, to users’ wallets; the compromised interface directed users to send their tokens to wallets controlled by the hackers. In Bitmart’s case, hackers stole a private key that compromised two of the exchange’s hot wallets on the Ethereum blockchain and the Binance Smart Chain.

Financial apps, in particular, are extremely vulnerable as was recently demonstrated by Alissa Knight, a “white hat” hacker who investigated the security of 30 apps from a variety of global financial institutions. She found that 29 of the 30 mobile apps contained hardcoded API keys and tokens, such as usernames and passwords to third-party services.

In particular, the application programming interfaces she tested were so weak that Knight was able to change PIN codes and transfer funds in and out of accounts. That’s important, because modern mobile apps depend heavily on APIs to connect to the back-end services that provide a lot of their functionality. By 2022, Gartner predicts APIs will become the largest attack vector for cybercriminals, because API keys can provide hackers with the secrets they need to access and attack back-end servers, where they can compromise customer accounts and production servers.

So, if the financial apps that control end-users’ money are already this insecure, the industry obviously has a lot of work to do before its apps will be safe enough to hold and manage CBDCs. But addressing this issue isn’t a matter of simple willpower. Developers haven’t neglected API security because they are lazy or unconcerned. API security is complex and time-consuming, requiring highly specialized skills that are difficult to obtain and retain. What’s more, mobile app security methods (including those for API security) are still largely manual in most mobile app development organizations, which makes them a poor fit for the highly automated processes those organizations already use to create features and functionality.

Developers often have to choose between implementing strong security and delaying release and/or going over budget.

The Financial Action Task Force sees the threat, and in October it issued guidance encouraging countries to assess risks associated with decentralized exchanges, stablecoins, nonfungible tokens and peer-to-peer platforms. The Financial Action Task Force’s recommendations often become national policy, and because crypto e-wallets are often held on mobile phones, they will extend to CBDC mobile apps.

So, how will mobile developers make their apps secure enough to manage CBDCs? The options are few. For starters, protecting the mobile endpoint with general-purpose application security solutions alone is ineffective. Many general-purpose application security solutions do not account for the ways mobile apps are uniquely compromised.

Some organizations have increased the amount of API testing in development, which is an excellent practice, but identifying vulnerabilities doesn’t resolve them. And while specific API threat protection technologies are in development, they are still in early stages, and almost all require manual coding efforts.

To ensure that APIs and mobile endpoints are secure, mobile development teams need to automate security development to a much greater degree than they have so far.

The first step is for all stakeholders — developers, security professionals and business leadership — to agree to a common set of expectations for mobile security. Once everyone is on the same page about mobile app security, developers need to “shift left” on security. “Shift left” is a software development term meaning that a task needs to occur much earlier in the development process, as opposed to being “bolted on” after the rest of the app is largely complete.

As much as possible, security should be automated using AI-based technologies to eliminate cumbersome manual work and to ensure consistency. And verification and validation of the security implemented needs to be automatically conducted to ensure that the app is, indeed, secure.
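One concrete form of the automated, shift-left verification described above, aimed at the hardcoded-key problem Knight found in 29 of 30 apps: a small scanner that flags credential-looking literals in app source or build config before a release ships. This is an added example, not code from the article or from any vendor; the detection patterns and the Kotlin-style sample are constructed for illustration and a production scanner would carry many more signatures.

```python
import math
import re

SAMPLE_SOURCE = """\
// BuildConfig.kt (constructed sample, not from any real app; all values are fake)
const val BASE_URL = "https://api.example-bank.invalid/v1"
const val API_KEY = "7f3c9a1e4b8d2f6a0c5e9b3d1a7f4e2c"
const val PARTNER_TOKEN = "Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ.MzQ1Njc4OTBhYmNkZWY"
const val SMTP_PASSWORD = "changeme"
"""

# Illustrative rules (assumption: a real scanner would use a much larger signature set).
CREDENTIAL_PATTERNS = {
    # a credential-named variable assigned a string literal of 8+ characters
    "credential_assignment": re.compile(
        r"(?i)([a-z0-9_\-]*(?:api[_-]?key|secret|token|password|passwd)[a-z0-9_\-]*)"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    # an Authorization header value baked into the app
    "bearer_token": re.compile(r"(?i)\bbearer\s+([a-z0-9\-_.=]{20,})"),
    # private key material shipped inside the package
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score well above placeholders."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """One finding per (line, rule); entropy separates likely real keys from placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in CREDENTIAL_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                high = rule == "private_key_block" or shannon_entropy(value) >= entropy_threshold
                findings.append({"line": lineno, "rule": rule,
                                 "name": m.group(1) if rule == "credential_assignment" else None,
                                 "confidence": "high" if high else "low"})
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['confidence']} confidence)")
```

Run as a CI step that fails the build on any high-confidence finding, the check enforces the shared expectation before an app reaches the store rather than after a pentester decompiles it.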

APIs are vital to the functionality of mobile apps, and mobile apps will play an enormous role in the rollout of CBDCs. But unless these apps are secure, CBDCs will not gain public trust, delaying their roll-out and undermining efforts to introduce them. Banks and financial institutions will need to automate mobile app security in order to be ready.

MORE FROM AMERICAN BANKER