App Or Browser: Which Is Safer For Online Banking?

Browsers are risky because there are Trojans designed to collect banking information. Apps are risky because most banking apps probably have security flaws, and because fake/malware apps sometimes appear in app stores.

If you are a careful user with a secure PC, and if you only use it on your secure home network, you should not have any problems. However, if you want to perform banking transactions from wherever you happen to be, without taking too many precautions, then it should be safest to use an app over 3G/LTE (turn off Wi-Fi and Bluetooth).

Systems that use two-factor authentication, preferably with a separate device that generates new passwords on demand, are really the way to go.

What is an app?
When personal computers first went on general sale in the 1970s, the VisiCalc spreadsheet was hailed as a “killer app”, which was short for “application program”. However, the past decade has seen a huge growth in app stores for smartphones and tablets. These apps are different from traditional PC programs in that they are vetted by and downloaded from secure online stores. Further, these apps run in sandboxes to prevent them from doing bad things.
PCs, by contrast, can run un-vetted software from any source, including malware-infected websites, unless your anti-virus software blocks them.

When Microsoft redesigned Windows 8 to run on tablets and smartphones, it introduced a similar subsystem for apps. This enabled Windows to run sandboxed apps installed by the Windows Store. These apps are much safer than the old programs, because there are limits to what they are allowed to do. 
Today there are quite a few Windows banking apps – Alliance, Citibank, FNB, RMB, HDFC, BNP Paribas, UBI, Westpac etc – but none that I can see from UK banks. They are rather slow to catch on ...
The Edge browser in Windows 10 is a new sandboxed app, so it’s much better for banking than Internet Explorer. Otherwise, Chrome is the most secure alternative, because it runs in Google’s own strong sandbox. Some security companies also provide add-ons, such as Kaspersky Safe Money and Bitdefender Safepay.
The browsers on smartphones and tablets are also sandboxed, but like their desktop counterparts, they may be at risk from phishing and “man-in-the-middle” attacks.

Compromised Devices
The biggest threat to banking security comes from using a compromised device: one with malware that captures logons etc and sends them to someone else without your knowledge. On Windows, the main banking malware comprises Trojans such as “Zeus and its variants Neverquest and Gozi”. Zeus has been around since 2007.
Zeus is usually delivered as an email attachment with a text that persuades some users to click on it. It may say your bank or email account has been hacked and that you need to log on to confirm or change your password, etc. Zeus collects your logon details, or puts up a fake screen that mimics a legitimate website, or redirects you to a fake website. The malware captures your keystrokes as you try to log into your bank. Variants such as Gozi can even imitate your typing style and mouse movements, to defeat banks that use this kind of information to identify real users.
Banking Trojans can also be hidden in Microsoft Word documents, pdfs or fake invoices. Some are distributed as “drive by” installations from websites that host exploit kits.
Smartphones and tablets are more likely to be compromised by fake or lookalike apps that have evaded the vetting process. Sometimes, devices are compromised by apparently simple apps that demand loads of “permissions” to run. (How can a flashlight app be allowed to monitor your network connections or modify the contents of your USB storage?)

Insecure Banking Apps
Banking apps ought to be more secure than browsers, but it isn’t necessarily so. In 2014, Ariel Sanchez tested 40 home banking apps and found that 90% included insecure links (ones that didn’t use SSL), 40% didn’t check the validity of SSL certificates, 50% were vulnerable to cross-site scripting, and 40% were vulnerable to man in the middle attacks.
In a typical hack, the user might get a message to say that their session or password had expired and they needed to retype their user name and password. (Don’t.) Today’s banking apps should be much more secure, but I wouldn’t bet on it.

Compromised Networks
If you use public hotspots, your communications could be monitored, or you could mistakenly log on to a copycat hotspot run from a nearby PC. It’s not always easy to identify the correct network for a coffee bar, hotel or airport. These networks make you potentially vulnerable to monitoring and “man in the middle” attacks,
In fact, someone may be able to hijack an account without knowing your name or your password. This was demonstrated by a “network sniffer” called Firesheep, which could identify and steal the unencrypted “session cookies” some websites used to store information after you had logged on. This only works if you are on the same network as the attacker, but when you use a public network, you have no idea who else is logged on.
Whatever device you are using, the best solution is end-to-end encryption, shown by “https” addresses and a padlock in the browser. The whole of ecommerce – and e-government – is totally dependent on encryption, which is why it’s insane to think about banning it.

Secure booting and SSL
Online banking depends on secure booting and secure communications. The secure booting system tries to ensure that the device starts in an uncompromised state. To do this, it uses secure hardware on the device that uses cryptography to verify the bootloader code, which uses cryptography to verify the secure loading of the operating system. This is built into smartphones and tablets. If buying a Windows PC, choose one with a UEFI system that securely boots Windows 10.
The secure chain is broken when people use exploits to “jailbreak” devices. Banking systems should detect and block them, but 90% of Sanchez’s 40 home banking apps didn’t.
Once the device is running, it must connect to your bank via an SSL/https connection, though it may not be easy to tell if does. (I assume that 3G and LTE mobile connections are secure enough.)
The simplest solution is to install the EFF’s HTTPS Everywhere extension in Chrome, Firefox or Opera. Not every website supports https, but if not, the extension should redirect you to the unencrypted site.

Dedication Works
You can increase your banking security in Windows 10 by keeping one browser for financial transactions and never using it for anything else. Also, either use a private browsing/incognito mode or delete all caches and cookies after use. Indeed, you could use a separate standard user account (not an administrator account) for financial transactions. Switching between accounts isn’t arduous nowadays, and you can leave your original account open while you do it.

Going even further, you could keep a password protected Apple iPad at home for banking. Do not download any other apps and, out of the box, that’s one of the most secure home systems you can get. Government security services could hack you, but it’s unlikely that they would.

Guardian

You Might Aslo Read:

Report Predicts Banks To Get €4.7bn Fines In First 3 years Under GDPR:

Six Seconds To Hack A Credit Card:

Bank Data Breaches Are Up And It's An Inside Job:

 

 

« Urgent: Investment In NHS Cybersecurity
Ten Years Since The Outbreak Web War One »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Blueliv

Blueliv

Blueliv is a leading provider of targeted cyber threat information and intelligence. We deliver automated and actionable threat intelligence to protect the enterprise and manage your digital risk.

Dark Reading

Dark Reading

Dark Reading is the most trusted online community for security professionals.

Security Brigade

Security Brigade

Security Brigade is an information security firm specializing in Penetration Testing, Vulnerability Assessment, Web-application Security and Source Code Security Audit.

My Data Recovery Lab

My Data Recovery Lab

We recover data from: HDDs, RAIDs, NAS, SSDs, USB Flash Devices, Desktop Computers, Mobile devices and other data storage media.

JPCERT/CC

JPCERT/CC

JPCERT/CC is the first Computer Security Incident Response Team (CSIRT) established in Japan.

Quick Heal Technologies

Quick Heal Technologies

Quick Heal Technologies is a leading IT security solutions provider focused on endpoint and network security solutions.

RiskIQ

RiskIQ

RiskIQ is the leader in digital threat management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence.

Swiss Accreditation Service (SAS)

Swiss Accreditation Service (SAS)

SAS is the national accreditation body for Switzerland. The directory of members provides details of organisations offering certification services for ISO 27001.

DivvyCloud

DivvyCloud

DivvyCloud protects your cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges.

boxxe

boxxe

boxxe create flexible IT infrastructures, collaborative global workspaces and data clarity, all underpinned by world-leading security.

Celcom

Celcom

Celcom is the oldest mobile telecommunications provider in Malaysia, providing solutions and services to consumers and businesses.

Think|Stack

Think|Stack

Think|Stack is a managed IT services company specializing in cloud and cybersecurity with human-centered design.

Stacklok

Stacklok

Stacklok are an Open Source first security company enabling safe Open Source Software consumption.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.

Black Belt Secure

Black Belt Secure

We provide critical cybersecurity services such as managed security, ransomware mitigation, penetration testing, system auditing and compliance services to your organization.

SITS Group

SITS Group

SITS Group excel in delivering a comprehensive range of Cyber Security consulting and managed services, from cloud transformation to risk management.