App breaches on the rise as people experience security fatigue, experts say


As long as app users and designers keep dodging the ever-expanding demands of cybersecurity, we’ll keep seeing more breaches, experts warn.

The Covid-19 pandemic pushed technology forward roughly seven years, according to a global survey of C-Suite executives released by McKinsey in 2020. The massive shift to remote working, coupled with government lockdowns and the avoidance of public settings, left most of the population no choice but to rely on the internet for every aspect of their lives.

ADVERTISEMENT

Looking to cash in, entire business sectors scrambled to move operations, products, and services online within months instead of years, creating a demand for innovative fintech, economy sharing, and other e-commerce-related consumer applications. Unfortunately, privacy and security often took a backseat, and bad actors took notice.

With the year-over-year rise in security breaches and the treasure trove of personal data contained in these apps, consumers may want to pay attention.

App vulnerabilities are here to stay

"Companies are constantly patching. For example, Apple will identify a vulnerability that they introduced in some new software update and then issue a release. There will always be holes and there will always be people out there trying to identify those holes,"

Mitchell Ross.

To keep up with digital demand, roughly two million new apps were launched in 2021, according to the recent Mobile App Trends 2022 report from Adjust analytics. Fintech apps alone accounted for more than 35% of consumer downloads, the report stated.

“Companies are very much focusing on security. But they are also focused on coming up with a product or service they can sell quickly so they can become profitable. They are willing to take on a little bit of technical debt in order to make that happen,” said Peter Fagans, Director of Information Technology at blockchain startup Ava Labs.

The use of payment apps like Apple Pay and PayPal has become the norm, while the number of personal asset management apps, such as mobile banking, wealth investment, and cryptocurrency, has grown in several countries by almost 200% per quarter, according to the report.

“The technology continues to evolve, and with that process, vulnerabilities get exposed,” explained Mitchell Ross, Technology Director of Product Engineering at one of the Big Four financial accounting firms. “Companies are constantly patching. For example, Apple will identify a vulnerability that they introduced in some new software update and then issue a release. There will always be holes and there will always be people out there trying to identify those holes,” Ross said.

ADVERTISEMENT

The breakdown in breaches

Uber, Revolut, LastPass, Starbucks, Cisco, and Twilio are some of the more well-known breaches Cybernews has covered in 2022. But these security breaches only represent a handful of the roughly 2,000 that took place in the first half of this year, according to the Flashpoint midyear report, The State of Data Breach Intelligence 2022.

Uber logo
By Shutterstock

With over 1.4. billion records already exposed this year so far, the intelligence report showed 60% of those breaches were caused by hacking or unauthorized access.

The fintech sector happened to be the second most targeted industry, according to the 2022 H1 report. Software as a service (SaaS) came in third, with healthcare at number one.

Ross explained how it’s not just the applications but the processes themselves that can be insecure.

“You can take Uber, or financial companies like HSBC bank, who use SaaS services for a number of different things. So, while it may seem like direct customer to business (applications), they really aren’t,” Ross said. “Customers should be pressing companies to explain how and what their processes are, for example, admin rights, encryption, password practices and so on, the same way we, as SaaS providers, are getting the pressure from large financial conglomerates to release what we’re doing to safeguard information.”

Ross said this could be achieved by establishing a gold standard of best practices for each specific type of technology, such as the database or server used. Then it would be up to the company to implement those standards.

“I don’t think there needs to be more regulations on companies. Technology updates too quickly for government to keep up with. There should be independent organizations that are specifying what these protocols are. My hope is that AI can also be used to quickly identify network intrusions and really reduce breaches,” said Ross.

Consumer awareness is key

How can consumers make sure their personally identifiable information (PII), including credit card and bank account numbers, is safe from theft and fraud?

ADVERTISEMENT

Companies may be responsible for implementing robust cybersecurity strategy and data protections, but according to Ross, it is the consumer who ultimately has the power to keep their own data safe.

It is the consumer who ultimately has the power to keep their own data safe.

“Consumers need to make sure they are educating themselves on which companies and apps are secure enough to be involved with. Consumers need to demand this, so the companies are motivated to achieve it,” Ross said.

When consumers sign up for an app, people should be aware of where and how their data is being used and what for. “People need to ask themselves, I’m getting this service for free, why? It costs money to have servers, it costs money to provide support. How am I actually paying?” said Fagans.

People should also stop worrying so much about certain types of PII disclosure.

“Your birthday, phone number, address, relatives, etc. are traded on the web like commodities every single day. It’s all out there. If I tried really hard, with $5,000, I could get your social security number tomorrow. You want to be more worried about where your money goes and your financial transactions,” said Fagans.

The challenge: ignorance is bliss

In the fast-paced online world we live in, people are starting to experience security fatigue – a reluctance to deal with internet security.

As more peer-to-peer and wealth investment apps are expected to flood the market in 2023, “it’s inevitable that apps will be hacked, but that won’t necessarily change consumer behavior,” said Fagans, “In reality, most people can’t be bothered.”

From the barrage of news stories about breaches and stolen personal information to multifactor authentication, password parameters, phishing emails, and constant software updates, consumers are often forced to weigh convenience against cyber safety.

ADVERTISEMENT

“Consumers are not necessarily going to harden their own mobile devices and app use to protect themselves. I think people look at it (cybersecurity) as a conundrum. While on the one hand, people are aware of issues with their data being manipulated and stolen, and the fact that it happens all the time, unless it happens to them, it doesn’t hit home,” said Fagans.

Opening an authenticator app to log into an account or change a password every 90 days can be frustrating and time-consuming for most people.

“When people install and open a new app, does anyone read the privacy disclaimer? Most usually just click OK without reading it,” Ross said. And yet consumers know those disclaimers include information about the sale and use of their data.

“I think people are very reactive, they’re going to do something once their information is stolen, which unfortunately is always too late,” Ross said.

How do you wake people up, show them how vulnerable they really are? Besides education, “it’s going to come down to breaches,” said Ross.

“If you go to a bank that’s hacked continuously, you are going to change banks. It might be two hacks, it might be three, but there has to be some threshold where consumers will eventually stop using a service. Companies will have to respond and tighten up ship. If only because their customers will demand it.”

The post-pandemic world and beyond

The lack of consistent security and privacy regulations allows companies interested in making quick cash to skimp on security for their apps by finding loopholes based on their geographic home base.

“Especially in the cryptocurrency space over the last two years, there’s been billions of dollars that have been siphoned off because stuff’s not secure. If someone chooses an insecure platform, they could lose all their money with no recourse,” said Fagans.

ADVERTISEMENT

Fagans believes partnerships with major institutions will help to harden fintech apps moving forward. Consumers should choose applications that are partnered with standard banking institutions, as many are starting to do. For example, mobile banking apps owned by FCC-regulated financial giants like Bank of America, or wealth management apps, such as Stash, owned by investment firms like Goldman Sachs.

By association, these partnered apps will have to be regulated when it comes to the collection and use of PII and undergo systematic hardening.

Meanwhile, consumer spending on mobile apps has risen by nearly 20% in the past year alone and shows no sign of slowing down. The mobile app trends report also revealed cash use among consumers declined by over 40%, while digital wallet use went up by more than 50%.

Most tech experts agree, cash will eventually become obsolete. “Everything is going to be ones and zeros. Blockchain and crypto are going to be the currency of the future. Eventually, biometrics, like iris scans, could be used to identify you and allow you to manipulate credits for just about any commodity or services,” said Fagans.

One note for consumers, there is no PII associated with blockchain. But security is still not guaranteed. “The purpose of the blockchain is to record every single transaction that occurs, your funds will be easier to trace, not necessarily more secure,” said Fagans.

Between a shortage of security professionals, a plethora of inexpensive hacking tools available on the dark web, or just plain human error, breaches are here to stay. Cybercriminals will continuously be one step ahead of technology. It’s now up to the consumer to be aware and monitor their online activity wisely.