Worried about mobile banking security? Follow these best practices
More bank customers discovered they like the convenience of mobile banking as branches temporarily closed during the pandemic, and evidence suggests the behavior stands to stick. A survey released in mid-May by a bank technology provider found that 31 percent of banked respondents intend to do more online and mobile banking in the future.
But is this a safe way to conduct bank business? Payment security experts recently warned that hackers could exploit new mobile banking customers by using several techniques, including app-based banking Trojans and fake banking apps. Here are some of the risks and the steps you can take to reduce them.
Mobile banking is both convenient and safe, say cybersecurity experts, but consumers need to take certain precautions.
“If you download the mobile app from a secure store, that is just as safe as visiting a bank branch,” says Paul Benda, senior vice president of risk and cybersecurity policy at American Bankers Association.
As he sees it, the best place to download an app is from your bank’s website, which provides the right link to the institution’s app.
“Banks use extremely secure, high-end encryption technologies,” Benda says. “We like saying that mobile apps are like having a bank branch in your pocket.”
There are myriad ways that fraudsters directly target consumers, but the FBI’s public service announcement describes two forms of cyberattack in particular:
1. App-based banking Trojans are hidden in unrelated apps such as games or tools that are downloaded by unsuspecting consumers. These “sideload” apps, which are downloaded from unofficial sources, could conceal malicious programs that lie dormant until a user launches a legitimate banking app. Then the Trojan springs to life, creating a pop-up overlay that mimics the bank’s login page. Once consumers enter their username and password, they are seamlessly passed on to the legitimate banking app login page and don’t even know they’ve been scammed.
“The malware can be downloaded in a variety of ways, such as SMS (short message service, or text) with a malicious hyperlink,” says Teresa Walsh, global intelligence officer at Financial Services Information Sharing and Analysis Center, or FS-ISAC, an industry consortium focused on reducing cyber-risk in the global financial system. “This type of malware is actually on sale on the criminal underground marketplace.”
2. Fake banking apps are another major threat. They look like the real apps of major banks, and they’re designed to trick users into entering their login credentials. According to the FBI, this hacking technique represents “one of the fastest growing sectors of smartphone-based fraud.”
If you’re worried about using a mobile banking app, be aware that security threats exist everywhere, including inside the bank lobby.
“There is the risk that the bank employee will do something that is illegal, like stealing your banking information – this is known as an insider threat,” says Donald Korinchak of CyberExperts.com.
With a mobile app, Korinchak says “there are potential vulnerabilities related to the security posture of the app itself – vulnerabilities in code, encryption methods, etcetera – and also potential vulnerabilities related to the transmission of information.”
Here’s the good news: “In both scenarios, the bank invests heavily to ‘bake in’ security,” Korinchak says. Financial institutions monitor their employees’ behavior and also look for vulnerabilities in their app that can be patched before they are exploited by criminals.
There are also precautions you can take to reduce the risk.
Many banks feature links to the app stores from their websites to help you download the right app. “Your bank should have available information on what type of mobile app they use, what features are on it and what you need for access to it,” FS-ISAC’s Walsh says. “Then, use a reliable app store, paying attention to the owner/developer of the app and whether there are other apps with the same name.”
Confused? Talk to your bank to make sure but never download an app found on an open forum.
Two-factor authentication requires customers to use not only a password or PIN to log in to their account, but also a second way to confirm their identity, such as entering a code that has been sent via text message to their cell phone.
As Korinchak sees it, two-factor authentication vastly increases security, but isn’t 100 percent secure.
“Someone could gain access to your phone or someone could intercept the SMS traffic to gain access to the code,” Korinchak says.
One of the best ways to protect yourself is to use a password that contains random upper and lower case letters, numbers and symbols. Don’t ask your browser to remember it for you either; use a reputable password manager instead.
“Reputable password managers are coded in a way that reduces risk to the user and are highly hardened against potential attackers,” Korinchak says. “Most cyber security experts recommend password manager software.”
When you log onto a public wi-fi hotspot, you often get a warning that you’re not on a secure network, and that others may be able to watch your online actions. That’s a strong reason not to conduct any financial business using a public network. Instead, use your cellular network or your home wi-fi to better protect your personal information.
Phishing emails are where scammers attempt to manipulate recipients into divulging personal information, while smishing scammers use such bait in text messages.
“Users should be familiar with their banking application in the first place to detect abnormal questions or pop-ups that look slightly different than the usual features,” Walsh says.
This quick notification helps the consumer to detect potential fraudulent activity, which can then be addressed with your bank in a timely manner.
Banks, credit unions and investment firms are investing heavily to thwart these cybercriminals.
Last year, JPMorgan Chase CEO Jamie Dimon announced that his firm alone spent nearly $600 million on cyber defenses, calling cyberattacks quite possibly “the biggest threat to the U.S. financial system.”
“I think it’s safe to say banks spend billions to protect customer accounts,” says ABA’s Benda. “Due to Regulation E, they’re on the hook if there’s an attack.”
Regulation E limits consumer liability to $50 if an unauthorized electronic funds transfer is caught by a customer within two business days, and up to $500 if caught outside the two-day window. While $500 is a considerable sum, financial institutions are responsible for everything above that amount.
“Banks have very robust controls in place to control fraudulent activity,” says Benda, but the weak link is the consumer. “A lot depends on consumer behavior, making sure consumers follow safe practices.”
Banks are doing what they can to reduce mobile banking app security risks, but consumers also need to take precautions to protect themselves.