Firm Dons 'Black Hats' to Appraise Apps' Security

IDentity Theft 911 looks for weaknesses and vulnerabilities in financial services products.

February 16, 2014

Because one bad app can spoil the whole mobile banking barrel, credit unions need a way to determine mobile apps’ trustworthiness.

That’s a task Deena Coffman, chief information security officer for IDentity Theft 911 and CEO of IDentity Theft 911 Consulting, gladly takes on. Her firm looks for weaknesses and vulnerabilities in apps designed for financial institutions.

“We put on our bad guy hats and ask, ‘what would we do, where would we look, how would we build an insecure app if we were one of them?’ We try to poke holes in the app from their point of view,” Coffman says.

When the company finds bad code, it tells clients what vulnerabilities were found and how to go back to their original coders and fix the problem. “Then we check the corrected version to see if the recoding is secure,” she says.

Coffman says most mobile banking fraud occurs in two areas:

1. Text messaging, which is inherently insecure because it can’t be encrypted. “This is why credit unions, when they set up mobile banking systems, have to consider text-related opportunities for fraud, such as initial validation.”

2. Apps that are not encrypted, typically a result of cutting corners while developing code, Coffman says.

She also warns about free legitimate apps that can be mined by malware.

“Credit unions should offer apps that remind mobile users in clear terms to be careful about how they conduct mobile transactions.”