CEO and co-creator helps financial institutions bolster their mobile banking security stance.
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security, cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
Tom Tovar knows how to secure businesses. As CEO and co-creator of Appdome, Tovar wants to make it easier to secure mobile apps, including at financial institutions. “It’s an urgent need, because most mobile apps today suffer from serious vulnerabilities that leave consumers and businesses exposed to fraud and theft, among other dangers.”
Tovar described how the Redwood City, Calif.-based Appdome provides no-code mobile app security and fraud prevention to address the vulnerability problem. He explained that it is not that developers do not care about mobile app security; rather, securing a mobile app is complex and requires specialized skills that are in short supply. And because it is a manual operation, implementation takes time.
Rocketing Towards Security
Tovar grew up in Texas, where he attended the University of Houston, and then went on to law school at Stanford University, where he earned a Juris Doctor degree (JD). Tovar practiced as a corporate and securities attorney for six years at Cooley Godward in Palo Alto, Calif., where he worked extensively on initial public offerings (IPOs), venture capital deals and mergers and acquisitions (M&A).
In 2000, Tovar joined NetScreen Technologies as vice president of corporate development for legal affairs and chief compliance officer. “This was the start of my information security journey, as NetScreen developed high-performance firewalls, virtual private networks (VPNs) and other Internet security systems. Professionally, it was like a career rocket ship.”
Tovar went on to lead IPOs and large M&A transactions. “I worked across sales, marketing, operational and finance functions. And as chief compliance officer, I was a key member of the executive team. It gave me a fantastic opportunity to work across all aspects of a fast-growing technology business, and it culminated in Juniper Networks’ $4 billion acquisition of the company.”
A Startup Journey
Tovar began his startup journey in 2005, rising from vice president of business development to become the CEO of Nominum, an intelligent domain name system (DNS) company. “I was CEO for five years and led the company through tremendous growth and profitability. I left in 2011, but Akamai acquired Nominum in 2017.”
He took some time off in 2011 to learn how to code, climb all 11 of the major North American summits higher than 5,000 meters, and advise and invest in new companies such as Ask Your Target Market, Rockets, Localwise, ParkPlease and SDN. He also spent a year and a half as the executive chair of Badgeville, an enterprise engagement platform that he led to an acquisition by CallidusCloud.
In 2016 Tovar founded Appdome. “It is simple to use. Developers simply choose which security features they want to incorporate; they upload the binary and the platform takes care of the rest. But they do not even have to upload it.” He added that the platform can also be integrated into the build itself, so that security is added automatically when the app is compiled.
Tovar pointed out, “The end-result is that app publishers like credit unions can develop secure apps without delaying releases, and they can confidently market them as secure to consumers, who very much want to be protected, especially with an app that manages their money.”
Why is Appdome needed? “Most organizations wait until the app is ‘complete’ before adding security and then conducting penetration tests to identify vulnerabilities that need fixing,” Tovar answered. This leaves app publishers in a terrible position. “Deliver their apps late to market, which means they are much less likely to succeed, or publish an app with vulnerabilities.”
Consumers, pointed out Tovar, do not like this situation at all. “We conducted a global survey of more than 10,000 consumers about their attitudes toward mobile security, and two-thirds said they care about security as much or more than they do features.” They expect protection. Following a breach or hack, 74% of all consumers would stop using the app and 46% of all consumers would tell their friends to stop doing so.
Unfortunately, consumers have no way to know which apps are secure. “Publishers can’t market their apps as more secure than others because they can’t build security into the apps in an efficient, consistent way.”
Top Cybersecurity Dangers to Financial Institutions Today
Asked “What threats keep you up at night?” Tovar’s response was “There are so many. My primary concern is how vulnerable most mobile apps are across the board.” For example, Tovar described how white hat security researcher Alissa Knight recently reverse-engineered 30 apps from a wide array of financial institutions, some of them very large. “She found secrets like passwords and security tokens embedded in the code, which she could easily identify. Had she wanted to, she could have easily used them to compromise back-end systems and wreak all kinds of havoc.”
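A defender-side illustration of the kind of finding Tovar describes, added here as an example and not code from Appdome or from Knight's research: a small scanner that flags credential-looking string literals in decompiled app sources and Android resource files, so a team can catch embedded secrets before a release. The patterns, the placeholder rule and the sample input are assumptions constructed for this example.

```python
import re

# Heuristic patterns for credentials that get shipped inside a mobile app binary
# (decompiled Java/Kotlin, res/values/strings.xml). Written for this example.
SECRET_PATTERNS = [
    ("assignment", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']")),
    ("strings_xml", re.compile(
        r"(?i)<string\s+name=\"[^\"]*(password|secret|token|api[_-]?key)[^\"]*\"\s*>([^<]{8,})</string>")),
    ("bearer", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)")),
    ("jwt", re.compile(r"\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b")),
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
]

# Build-time placeholders are not findings; a shipped binary should contain only these.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|CHANGE_?ME|TODO|x{3,}|your[_-].*)$", re.I)


def find_embedded_secrets(lines):
    """Return (line_no, kind, value) for each line that looks like an embedded secret."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for kind, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(pattern.groups).strip()  # last group is the candidate
            if PLACEHOLDER.match(value):
                continue
            findings.append((line_no, kind, value))
            break  # one finding per line is enough for triage
    return findings


# Constructed sample resembling decompiler output and strings.xml; not from any real app.
SAMPLE = """\
package com.example.bank;
private static final String API_SECRET = "sk_live_9f8a7b6c5d4e3f2a";
String apiKey = "${API_KEY}";
String label = "Transfer money";
<string name="backend_password">Hunter2-Prod-2022</string>
String cachedJwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJiYWNrZW5kIn0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy";
String awsKey = "AKIAIOSFODNN7EXAMPLE";
""".splitlines()

if __name__ == "__main__":
    for line_no, kind, value in find_embedded_secrets(SAMPLE):
        print(f"line {line_no}: {kind}: {value[:12]}...")
```

Run it over the output of a decompiler (or the unpacked APK's resources) in CI; anything it flags should be moved out of the binary and fetched at runtime after the user authenticates.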
At the 2021 Money20/20 event, Noname Security and Knight announced new research, “Scorched Earth: Hacking Bank APIs,” which exposed how vulnerable financial institutions are: she was able to access 55 financial institutions through their APIs, gaining the ability to change customers' PIN codes and transfer funds in and out of customer accounts.
Of particular concern for financial institutions are emerging variants of mobile malware that specifically target financial apps, maintained Tovar. “SharkBot is a relatively new Android Trojan that bypasses multi-factor authentication and can even mimic ‘gestures.’ And once on the device it auto-fills fields in banking apps to initiate money transfers from end-user accounts to hackers’ accounts.” In addition, SharkBot evades Google SafetyNet, misuses accessibility services to change permissions, uses overlay attacks to steal data, and auto-populates fields to log into and execute commands in other apps.
“For example, if you wanted to transfer money to a relative via your banking app, SharkBot would auto-populate a different account instead of your relative’s, sending the money to a criminal gang,” explained Tovar. “Even worse, not only does it hide itself from the user, but it uses (Android’s) accessibility services to prevent users from deleting it.”
Tovar noted, “These cybercriminal gangs operate like startups. They iterate quickly, continuously improving the effectiveness of their malware. And many fintech, banking and credit union apps are simply not ready for them.”