Hackers Target Your Mobile Bank App; You Can Fight Back

By Margarette Burnette Personal Finance NerdWallet.com

BRAVE NEW BANK This NerdWallet series delves into what’s new in retail banking and what’s in it for you. We explore some of the surprising things in store for products, tech and security and look at how they’ll affect consumers.


By 2021, millions more of us will be doing our banking on smartphones and tablets, researchers say. The number of mobile bank app users is expected to leap 53% in the next four years. So far, mobile banking has been a pretty secure experience.

Mobile app breaches represented less than 3% of all computer records hacked last year, according to the Identity Theft Research Center, a San Diego tracking firm. But don’t get cozy.

A veritable flood of consumers is heading for mobile, according to Juniper Research. It predicts over 3 billion people around the world will be banking on mobile by 2021 — quite a lure for hackers who target financial apps. That means more people are likely to fall prey, so bank customers will need to be ready to protect their devices and their bank accounts.

Criminals try to access mobile apps in a number of ways.

Man-in-the-middle attacks

When a mobile app communicates with a financial institution’s server over the internet, the app verifies the bank’s or credit union’s identity by checking its server certificate.

With a man-in-the-middle attack, fraudsters will try to “listen in” on this network traffic, perhaps by accessing the same public Wi-Fi network as the mobile user, and attempt to send a fake bank server certificate to the mobile app.

If the app accepts the fake certificate, it could let the hacker receive the user’s personal information.


Key logger software

When installed on a mobile device, key logger programs secretly record a person’s actions as he or she uses the device. With a banking app, the malicious software could log your account names, numbers and passwords and send them to a hacker.

Phishing

It’s been around for years, but this tried-and-true hack is still popular with criminals, says Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association. It occurs when a fraudster pretends to be a legitimate financial institution and asks a mobile user to submit private bank information.

Many phishing attempts bypass mobile apps completely. A hacker could send emails telling people their account is locked and asking them to reply to the message with their account username and password. But the account isn’t locked, and the information a person sends would go to the criminal, not the bank.


5 ways to protect yourself

Hackers are malicious, but they don’t have to be successful. Here are five ways to stop them.

1. Don’t bank on ‘jailbroken’ devices

Some mobile users customize their devices in a way that lets them download apps that aren’t approved by the device’s app store. A “jailbroken” device might let the user remove some of the device’s mandatory apps, for example. Or it could allow a user to download apps that purport to offer free music or software. But if your device has been altered, it’s best not to use it for mobile banking.

“Jailbreaking obviously entices the user to get away from their mobile provider and use other companies,” Johnson says. “Be careful. You may think you’re downloading a new app for free, but you may also be downloading malicious software that will secretly try to breach your account.”

2. Use approved apps from approved app stores

Criminals will try to access bank accounts by getting customers to download apps from places other than the device’s approved app store. These applications might pretend to be electronic wallets, for instance, or they might offer to store IDs, Johnson says. But the apps may not have a legitimate purpose. To avoid exposing private information, make sure you know and trust the financial institution that provides the mobile app.

3. Keep your device up to date

Apple and Android operating system upgrades often include security updates to protect your smartphone or tablet from the latest malware attacks. This is especially important with Android systems, which tend to be more open to developers. Criminals routinely try to exploit this openness. A recent study from Pulse Secure, a cybersecurity company, found that 97% of attacks were targeted at Android systems.

4. Know your app’s security features

Make sure your financial institution uses common technology standards to protect your app, such as these:

  • Two-factor authentication: Before you can sign in to your bank’s app, two-factor authentication may require an extra piece of information in addition to a username and password, such as a code that’s sent by text to the phone. It adds another layer of security beyond the basic login credentials.
  • Certificate pinning: Trusted mobile banking apps typically use a technique called certificate pinning to stop man-in-the-middle attacks: the app carries its own copy of the bank’s security certificate and compares it with the one the server presents. The app can then make sure the server it’s talking to is truly the bank’s, and not an impostor presenting a fake certificate.
  • Innovative ways to log in: Many banks are looking at new ways to verify users before they sign in to mobile banking apps. These methods include retina scanning, fingerprint recognition and facial recognition, Johnson says. Other institutions are experimenting with authentication by finger movement across the mobile device, Johnson says. “Your phone over time will be able to detect that it’s you because of the way you interact with the phone. If a criminal accesses your phone, and movements across your screen don’t fit your normal pattern, the phone may refuse access to your personal banking information.”
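The certificate-pinning check described above, as an added example that is not code from the article or from any bank’s app: the app ships with a hash of the bank’s public key and rejects a server whose certificate, even one carrying the bank’s name, holds a different key. The certificates here are constructed DER stand-ins with the X.509 field layout, not real signed certificates, and the names and keys are sample values.

```python
import base64
import hashlib

def der(tag, body):  # encode one DER TLV, short- or long-form length
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):  # return (tag, body, next_pos) for the TLV at buf[pos]
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def spki_from_cert(cert_der):
    """Walk Certificate -> tbsCertificate and return the raw SubjectPublicKeyInfo TLV."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0  # skip the optional explicit [0] version field
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def spki_pin(cert_der):  # pin = base64(sha256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def pin_matches(cert_der, pins):  # the app's check before trusting the server
    return spki_pin(cert_der) in pins

def fake_cert(subject, pubkey):
    """Constructed, unsigned stand-in with the X.509 field layout (sample data only)."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),           # [0] version v3
        der(0x02, b"\x01"),                      # serialNumber
        der(0x30, b""),                          # signature algorithm
        der(0x30, der(0x0C, b"Example CA")),     # issuer
        der(0x30, b""),                          # validity
        der(0x30, der(0x0C, subject.encode())),  # subject
        der(0x30, der(0x30, b"") + der(0x03, b"\x00" + pubkey)),  # subjectPublicKeyInfo
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00sig"))

# Constructed sample: the bank's key, and a forgery that copies the bank's name with another key.
BANK_CERT = fake_cert("mobile.bank.example", b"\x01" * 64)
FORGED_CERT = fake_cert("mobile.bank.example", b"\x02" * 64)
PINS = {spki_pin(BANK_CERT)}  # shipped inside the app at build time
```

Pinning the public key rather than the whole certificate lets the bank renew its certificate without breaking the app, as long as the key stays the same.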

5. Use smart mobile phone practices

Banks are developing methods to secure mobile devices and financial apps, but the best line of defense for online security is still with the consumer, Johnson says.

Mobile device users should create screen lock passwords that are hard to guess, he says. That way, if the device is lost or stolen, there’s less of a chance a criminal, or any curious person who comes across the device, can access banking apps. In addition, be wary of conducting transactions over public Wi-Fi. If you’re not on a home network, consider switching to your cellular network to conduct mobile banking transactions, such as depositing checks and making account transfers.

It’s also important to monitor your accounts regularly and immediately report any suspicious activity. It helps the cybersecurity department of your bank or credit union stay on top of the latest breaches, and you can protect yourself against liability for financial losses.

Protecting your device

As long as you have a bank account, there will probably be hackers who try to access it. By using a secure, trusted app, keeping your device up to date and using good consumer practices, you can help protect your money and keep criminals at bay.

Margarette Burnette is a staff writer at NerdWallet, a personal finance website. Email: mburnette@nerdwallet.com. Twitter: @margarette