App Or Browser: Which Is Safer For Online Banking?

Browsers are risky because there are Trojans designed to collect banking information. Apps are risky because most banking apps probably have security flaws, and because fake/malware apps sometimes appear in app stores.

If you are a careful user with a secure PC, and if you only use it on your secure home network, you should not have any problems. However, if you want to perform banking transactions from wherever you happen to be, without taking too many precautions, then it should be safest to use an app over 3G/LTE (turn off Wi-Fi and Bluetooth).

Systems that use two-factor authentication, preferably with a separate device that generates new passwords on demand, are really the way to go.

What is an app?
When personal computers first went on general sale in the 1970s, the VisiCalc spreadsheet was hailed as a “killer app”, which was short for “application program”. However, the past decade has seen a huge growth in app stores for smartphones and tablets. These apps are different from traditional PC programs in that they are vetted by and downloaded from secure online stores. Further, these apps run in sandboxes to prevent them from doing bad things.
PCs, by contrast, can run un-vetted software from any source, including malware-infected websites, unless your anti-virus software blocks them.

When Microsoft redesigned Windows 8 to run on tablets and smartphones, it introduced a similar subsystem for apps. This enabled Windows to run sandboxed apps installed from the Windows Store. These apps are much safer than the old programs, because there are limits to what they are allowed to do.
Today there are quite a few Windows banking apps – Alliance, Citibank, FNB, RMB, HDFC, BNP Paribas, UBI, Westpac etc – but none that I can see from UK banks. They are rather slow to catch on ...
The Edge browser in Windows 10 is a new sandboxed app, so it’s much better for banking than Internet Explorer. Otherwise, Chrome is the most secure alternative, because it runs in Google’s own strong sandbox. Some security companies also provide add-ons, such as Kaspersky Safe Money and Bitdefender Safepay.
The browsers on smartphones and tablets are also sandboxed, but like their desktop counterparts, they may be at risk from phishing and “man-in-the-middle” attacks.

Compromised Devices
The biggest threat to banking security comes from using a compromised device: one with malware that captures logons etc and sends them to someone else without your knowledge. On Windows, the main banking malware comprises Trojans such as “Zeus and its variants Neverquest and Gozi”. Zeus has been around since 2007.
Zeus is usually delivered as an email attachment with text that persuades some users to click on it. It may say your bank or email account has been hacked and that you need to log on to confirm or change your password, etc. Zeus collects your logon details, or puts up a fake screen that mimics a legitimate website, or redirects you to a fake website. The malware captures your keystrokes as you try to log into your bank. Variants such as Gozi can even imitate your typing style and mouse movements, to defeat banks that use this kind of information to identify real users.
Banking Trojans can also be hidden in Microsoft Word documents, pdfs or fake invoices. Some are distributed as “drive by” installations from websites that host exploit kits.
Smartphones and tablets are more likely to be compromised by fake or lookalike apps that have evaded the vetting process. Sometimes, devices are compromised by apparently simple apps that demand loads of “permissions” to run. (How can a flashlight app be allowed to monitor your network connections or modify the contents of your USB storage?)

Insecure Banking Apps
Banking apps ought to be more secure than browsers, but it isn’t necessarily so. In 2014, Ariel Sanchez tested 40 home banking apps and found that 90% included insecure links (ones that didn’t use SSL), 40% didn’t check the validity of SSL certificates, 50% were vulnerable to cross-site scripting, and 40% were vulnerable to man-in-the-middle attacks.
In a typical hack, the user might get a message to say that their session or password had expired and they needed to retype their user name and password. (Don’t.) Today’s banking apps should be much more secure, but I wouldn’t bet on it.
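Two of Sanchez’s findings (insecure http links, and not checking the validity of SSL certificates) correspond to concrete client-side coding mistakes. The following is an added illustration, not code from the article or from any of the apps tested: it shows the weak TLS client configuration beside the hardened one, with small audit helpers a reviewer could run over an app’s endpoint list and TLS settings.

```python
import ssl

def insecure_context() -> ssl.SSLContext:
    """The weak pattern: accept any certificate and ignore the hostname.

    A client built this way will happily talk to a man-in-the-middle
    presenting a self-signed or mismatched certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain is not validated at all
    return ctx

def hardened_context() -> ssl.SSLContext:
    """The corrected pattern: verify the chain against the platform trust
    store, check the hostname, and refuse old protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if this context would reject an invalid,
    untrusted or mismatched server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def insecure_links(urls) -> list:
    """Audit helper: return every endpoint an app would fetch in cleartext
    (the "insecure links" Sanchez found in 90% of the apps)."""
    return [u for u in urls if not u.lower().startswith("https://")]

# Constructed sample endpoint list, standing in for an app's configuration.
SAMPLE_ENDPOINTS = [
    "https://bank.example/api/login",
    "http://bank.example/terms.html",   # cleartext: can be tampered with in transit
    "https://bank.example/api/balance",
]

if __name__ == "__main__":
    print("insecure context verifies server:", context_verifies_server(insecure_context()))
    print("hardened context verifies server:", context_verifies_server(hardened_context()))
    print("cleartext endpoints:", insecure_links(SAMPLE_ENDPOINTS))
```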

Compromised Networks
If you use public hotspots, your communications could be monitored, or you could mistakenly log on to a copycat hotspot run from a nearby PC. It’s not always easy to identify the correct network for a coffee bar, hotel or airport. These networks make you potentially vulnerable to monitoring and “man in the middle” attacks.
In fact, someone may be able to hijack an account without knowing your name or your password. This was demonstrated by a “network sniffer” called Firesheep, which could identify and steal the unencrypted “session cookies” some websites used to store information after you had logged on. This only works if you are on the same network as the attacker, but when you use a public network, you have no idea who else is logged on.
Whatever device you are using, the best solution is end-to-end encryption, shown by “https” addresses and a padlock in the browser. The whole of ecommerce – and e-government – is totally dependent on encryption, which is why it’s insane to think about banning it.
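The Firesheep attack worked because session cookies were sent unencrypted, which is exactly what the cookie’s Secure attribute (and the https-only sites mentioned above) prevents. As an added example, not part of the article, here is a small audit that parses Set-Cookie headers from constructed sample responses and reports session cookies that could be captured on a shared network or read by injected script.

```python
from http.cookies import SimpleCookie

# Constructed sample responses, as servers might send them after login.
SAMPLE_RESPONSES = [
    {"url": "http://shop.example/account",
     "set_cookie": "sessionid=abc123; Path=/"},
    {"url": "https://bank.example/home",
     "set_cookie": "SESSION=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Strict"},
    {"url": "https://mail.example/inbox",
     "set_cookie": "auth_token=zz11; Path=/; HttpOnly"},
]

# Name fragments that usually mark a cookie as carrying a logged-on session.
SESSION_NAME_HINTS = ("session", "sid", "auth", "token")

def audit_cookie(url: str, set_cookie_header: str) -> list:
    """Return a list of findings for session-like cookies in one response."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, morsel in jar.items():
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # not a session cookie; nothing to steal
        if url.lower().startswith("http://"):
            # Already exposed: the cookie travelled in cleartext on this response.
            findings.append(f"{name}: issued over cleartext HTTP")
        if not morsel["secure"]:
            # Without Secure the browser will also send it on any http:// request.
            findings.append(f"{name}: missing Secure flag")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag")
    return findings

def audit_responses(responses) -> dict:
    """Map each URL to its findings; URLs with an empty list pass the audit."""
    return {r["url"]: audit_cookie(r["url"], r["set_cookie"]) for r in responses}

if __name__ == "__main__":
    for url, problems in audit_responses(SAMPLE_RESPONSES).items():
        print(url, "->", problems or "ok")
```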

Secure booting and SSL
Online banking depends on secure booting and secure communications. The secure booting system tries to ensure that the device starts in an uncompromised state. To do this, it uses secure hardware on the device that uses cryptography to verify the bootloader code, which uses cryptography to verify the secure loading of the operating system. This is built into smartphones and tablets. If buying a Windows PC, choose one with a UEFI system that securely boots Windows 10.
The secure chain is broken when people use exploits to “jailbreak” devices. Banking systems should detect and block them, but 90% of Sanchez’s 40 home banking apps didn’t.
Once the device is running, it must connect to your bank via an SSL/https connection, though it may not be easy to tell if it does. (I assume that 3G and LTE mobile connections are secure enough.)
The simplest solution is to install the EFF’s HTTPS Everywhere extension in Chrome, Firefox or Opera. Not every website supports https, but if not, the extension should redirect you to the unencrypted site.

Dedication Works
You can increase your banking security in Windows 10 by keeping one browser for financial transactions and never using it for anything else. Also, either use a private browsing/incognito mode or delete all caches and cookies after use. Indeed, you could use a separate standard user account (not an administrator account) for financial transactions. Switching between accounts isn’t arduous nowadays, and you can leave your original account open while you do it.

Going even further, you could keep a password protected Apple iPad at home for banking. Do not download any other apps and, out of the box, that’s one of the most secure home systems you can get. Government security services could hack you, but it’s unlikely that they would.

Guardian

