Published February 19, 2014
Banking transactions that used to require interacting with a professional at a brick-and-mortar bank branch can now be done via a smartphone without leaving home. And while that is convenient, it’s not without risk.
“Mobile banking is generally very safe and secure,” says Douglas Brown, senior vice president with FIS Mobile. “It’s people who are the weakest link in the security model.”
As the banking experience becomes more digitized, hackers and scammers have increased their efforts to get their hands on this treasure trove of personal information and access to funds. But consumers can fight back by taking a handful of steps that can minimize their risks.
Security researcher Ariel Sanchez of IOActive recently made headlines claiming that the many apps offered by major financial institutions are vulnerable to attack and could potentially expose customer information.
He used iOS devices to test 40 home banking apps from 60 top banks, and found that 90% of them contained insecure links that an attacker could exploit for malicious purposes.
He found that many banking apps don’t include what’s known as two-factor verification, a security tool offered by sites like Google and Facebook that, when activated, will send a text message containing a code if someone tries to access those accounts on unknown devices.
The code would only be sent if access to a particulate site or social media account was attempted with an unauthorized computer or mobile device, providing the user with an extra layer of defense against a hacker.
Sanchez says most of the problems he found are a result of faults with the apps themselves. “iOS and other mobile platforms offer several ways to mitigate these problems. But as with other tech platforms, they all depend on how the protection is used. There are no magic solutions that banks can use to be sure that their app is 100% secure.”
This means users have to take precautions all the time.
Sanchez advises against mobile banking on a so-called jail-broken phone. When consumers “jail-break” a phone, they have deliberately chosen to “degrade” the security of that phone’s operating system, he says, exposing the user to additional risk.
He warns against downloading bank apps from third-party stores. That means sticking to outlets with a strong protective layer of security like Apple’s App Store and the Google Play store.
While being able to bank from anywhere is convenient, Sanchez cautions against using public Wi-Fi connections. Hackers can do things like intercept secure communications and redirect consumers to fake sites when they use open, public internet access to bank.
“Today, short of government interference, it's practically impossible for cybercriminals to use those attack vectors against your mobile banking application while you're using your 3G or 4G data connection,” he says. “Oh, and 3G and 4G communications are already encrypted.”
Brown, meanwhile, stresses the importance of “good password hygiene.” That includes using at least eight characters when choosing a password, and making sure the password contains a mix of letters and numbers, some upper and lowercase, plus special characters like asterisks.
Also, he recommends users set a passcode for their smartphone. If someone stole a passcode-locked device, the presence of that code is one more obstacle in the way of a potential hacker causing mischief.
“If people are a lot more suspicious and take steps like these, a lot of vulnerabilities could be eliminated,” Brown says.