Level: Advanced Subject Matter
Abstract:
Today’s mobile banking landscape is a paradox: customers expect instant, frictionless access to their finances, yet the systems behind that convenience must withstand increasingly sophisticated threats. In this presentation, we explore how secure mobile banking development has evolved under the pressure of regulatory requirements, adversarial creativity, and rapid technological change.
To ground the discussion, we begin with a deceptively simple example: a mobile banking application protected by a four-digit PIN. On the surface, this seems like a standard, even familiar, security measure. But as we will see, the PIN – encrypted but ultimately cracked – reveals how legacy authentication mechanisms can become liabilities when attackers exploit predictable patterns, weak cryptographic implementations, or insufficient threat modelling. This case study is not just a cautionary tale; it is a lens through which we can examine the broader ecosystem of mobile banking security.
Regulators worldwide have raised the bar for financial institutions, demanding stronger authentication, robust encryption, continuous monitoring, and demonstrable risk-based security design. At the same time, new technologies, such as hardware-backed key storage, behavioural biometrics, secure enclaves, and AI-driven anomaly detection, offer powerful tools to mitigate the weaknesses exposed by our cracked PIN example.
Our goal today is to connect these threads:
- How regulatory frameworks shape secure development practices;
- What threat modelling teaches us about real world attack paths;
- How emerging technologies can transform a vulnerable four-digit PIN into a multi-layered, resilient defence strategy.
By the end of the session, you’ll see that modern mobile banking security is not about replacing one mechanism with another, but about building a holistic, adaptive architecture capable of protecting users even when a single layer, such as a simple PIN, fails.
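As an added illustration (not from the talk or the speaker), the arithmetic behind the cracked-PIN case and its hardware-backed remedy: a four-digit PIN protected only by a fast, unsalted digest is recovered offline by trying all 10,000 values, whereas binding the PIN to a key that never leaves hardware-backed storage (simulated here by a random in-memory key; an assumption) and limiting verification attempts leaves an attacker with five guesses out of ten thousand.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible four-digit PIN


def legacy_pin_record(pin: str) -> str:
    """Legacy scheme (constructed for this example): unsalted SHA-256 of the PIN.
    This is the record an attacker obtains from a device backup or a leaked table."""
    return hashlib.sha256(pin.encode()).hexdigest()


def offline_search(record: str) -> Tuple[Optional[str], float]:
    """Test every one of the 10,000 PINs against a leaked record; returns (pin, seconds).
    Returns (None, seconds) when the record depends on a secret the attacker lacks."""
    started = time.perf_counter()
    for candidate in PIN_SPACE:
        if hmac.compare_digest(legacy_pin_record(candidate), record):
            return candidate, time.perf_counter() - started
    return None, time.perf_counter() - started


class HardwareBackedPinVerifier:
    """Hardened scheme: the PIN is only meaningful together with a key that never leaves
    hardware-backed storage (simulated by a random in-memory key; an assumption), and
    verification is rate limited so the keyspace cannot be exhausted online either."""
    MAX_ATTEMPTS = 5

    def __init__(self, pin: str) -> None:
        self._device_key = secrets.token_bytes(32)  # stands in for a secure-enclave key
        # Stored record: without the device key it reveals nothing about the PIN.
        self.record = hmac.new(self._device_key, pin.encode(), "sha256").hexdigest()
        self.failed_attempts = 0

    def verify(self, pin: str) -> bool:
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            return False  # locked: a stronger factor must be used to unlock
        candidate = hmac.new(self._device_key, pin.encode(), "sha256").hexdigest()
        ok = hmac.compare_digest(candidate, self.record)
        self.failed_attempts = 0 if ok else self.failed_attempts + 1
        return ok


def online_guess_bound(max_attempts: int = HardwareBackedPinVerifier.MAX_ATTEMPTS) -> float:
    """Chance an attacker without the device key succeeds before lockout: 5 / 10,000."""
    return max_attempts / len(PIN_SPACE)
```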
Bio:
Grega Prešeren has been the CTO and lead ethical hacker at Carbonsec d.o.o., a company he co-founded, since 2017. He is one of the pioneers of security testing in Slovenia and has been involved in this field since the very beginning of his career. He began his career as a pentester in 2010 and has since been leading and performing security audits of networks, IT services, web, mobile, and other applications, as well as industrial and SCADA systems, for organizations in Slovenia and abroad. He holds several professional certificates in information and application security, as well as in information networks. He is also an active lecturer and trainer in the field of application security. His technical knowledge is underpinned by a strong understanding of regulations and standards, making him a sought-after advisor for developing cybersecurity strategies.