Neobanking - a security minefield?


Neobanking refers to a growing wave of 100% digital banks, which are customer-driven by nature and focus on delivering a frictionless money-management and payment experience.

Of course, internet security remains a key concern, from monitoring by the banks themselves to ordinary consumers sensibly using the best antivirus.

Globally, it is estimated that 73% of all consumer interactions with banks are done via digital channels and, in the UK, 13% of consumers have already taken the plunge with Neobanking.

Neobanks challenge incumbents in the financial services industry by relying on technological breakthroughs and constant updates to provide features and services that rival, and often surpass, those offered by bricks-and-mortar banks.

And whilst neobanks' Android and iPhone apps are still not up to par with those offered by traditional banks when it comes to payments, they are quickly catching up. Beyond that, they beat their traditional counterparts in other areas such as money management, customer interaction and account management.

About the author

Pedro Fortuna is the CTO at Jscrambler.

Because most do not have to rely on the same legacy systems, Neobanks can enjoy operating costs as much as 40 to 70% lower than those of traditional banks. Product development in Neobanking is also significantly faster, thanks to cross-platform-ready technology such as JavaScript.

They can also rely on third-party integrations to save time and money, while keeping the flexibility to iterate according to customer demand. With this bigger focus on user experience, it’s no surprise that neobanks’ satisfaction ratings generally exceed those of the top global banks.

Importantly, however, customers say that secure transactions remain their number one priority when choosing a bank. Even though Neobanks are usually less risk-averse than traditional banks, they must still treat customer security as a priority.

The JavaScript “Paradox”

And herein lies a paradox of sorts. As competition between Neobanks rises, and in order to overcome the greater market share and investment power of incumbents, they turn to rapid, iterative software and mobile app development to release features quickly and surpass customer expectations.

It is JavaScript that presents this opportunity for low-cost, quick development, especially thanks to frameworks such as React Native, which allow the same codebase to be deployed to the Web and to different mobile operating systems. However, despite its numerous advantages, JavaScript raises considerable security concerns, which become increasingly relevant when it is used to build banking platforms.

When we talk about JavaScript security, the first things that spring to mind are security testing tools such as SAST and DAST. These are widely used to inspect the application’s code, flag vulnerabilities, and help the team fix them. Development teams need SAST and DAST to gain visibility over potentially insecure code.

However, even if they find and fix every single vulnerability in their JavaScript code, that JavaScript still ships as plain, easy-to-understand code. In the same way that a development team can look at their code and understand how the application works, so can an attacker.

And so Neobanks must ask themselves: do we have any proprietary logic running on the client side? What would it cost us if somebody were able to retrieve an important part of our code, or even to tamper with it to insert malicious code that exfiltrates user data? Such questions highlight the real threats posed by having JavaScript code completely exposed.

For Neobanks, the attack surface is considerably larger, with the main threats including automated abuse, intellectual property theft, and data exfiltration (namely via web supply chain attacks and banking trojans).

Minimise the attack surface area and build customer trust

The OWASP Mobile Top 10 (which details the 10 biggest application security risks for mobile apps) raises the concerns of code tampering and reverse engineering. For the former, OWASP points out that “The mobile app must be able to detect at runtime that code has been added or changed (…) The app must be able to react appropriately at runtime to a code integrity violation”; for the latter, the takeaway is quite clear: in order to prevent effective reverse engineering, you must use an obfuscation tool.

By preventing reverse engineering of the code and ensuring that the application can automatically react to attacks at runtime, Neobanks can ensure that they are prepared to meet attackers head-on and prevent automated abuse and intellectual property theft. JavaScript protection becomes key to business success.

Data breaches are another massive concern. Current research shows that consumers tend to trust Neobanks less than traditional banks. For Neobanks, building trust is a complicated and long road, so the chances of incurring a data breach must be minimised. Web supply chain attacks in particular are more prevalent for Neobanks, as they rely much more on third-party code than traditional banks do.

Whilst a first-party data breach most often requires attackers to infiltrate a database, third-party data breaches originate from attackers going after the enterprise's smaller, less secure providers, which are the weakest link in the supply chain; hence the term Supply Chain Attack. Web-based Supply Chain Attacks thrive because it is easy for attackers to find a poorly secured third party that is used by one or several enterprise businesses.

Current security approaches, such as a Web Application Firewall, CSP (Content Security Policy) and SRI (Subresource Integrity), still fall short of providing a holistic solution to web supply chain attacks. A more robust approach is to monitor webpages in real time to detect any malicious changes to the code and block them at their inception.

Neobanks will surely leverage the opportunity of technological advancements, with lower operational costs and higher overall customer satisfaction, but they can’t escape the paradigm of banking: trust. With Neobanks inheriting such a vast attack surface, due both to the exposed nature of JavaScript and to growing client-side threats such as web supply chain attacks, it is crucial that they adopt holistic security solutions for JavaScript protection and webpage monitoring.

Pedro Fortuna, CTO and Co-Founder, Jscrambler.