Mobile Banking Apps - Security & Risks



Mobile banking registrations jumped 200% in March 2021 due to the coronavirus pandemic. And in today’s fast-paced world, mobile banking has become the preferred mode of banking for many people. With the convenience of being able to access your account from anywhere at any time, it’s no surprise that mobile banking has become so popular.

However, this convenience comes with a price: the risk of mobile app security threats. The more customers access their banks through their gadgets, the more mobile banking app security issues arise.

  • Banking apps are highly prone to breaches and data theft, as they serve as a place where users store and manage sensitive data.
  • Moreover, mobile operating systems themselves are vulnerable to bugs, viruses, and malware. All of these open the door wide to cyber criminals.
  • Mobile banking apps have become a prime target for cybercriminals, who are constantly looking for ways to exploit vulnerabilities in these apps.

The consequences of a security breach in a mobile banking app can be devastating, not just for the individual user, but also for the bank itself. In this report, we will explore the most common security risks associated with mobile banking apps, and what steps can be taken to mitigate these risks.

But before we get to that, let’s try to understand what makes banking apps so vulnerable.

There's no denying that online and mobile banking has made managing your money a lot easier than it used to be. No longer do you have to hop on the phone or run down to your local bank branch to deposit or transfer funds. All you have to do is sign into your account and click a few buttons, and your money goes where you want it to automatically.

Unfortunately, this easy access has also made things a lot more convenient for would-be bank robbers. It no longer takes weeks of planning a coordinated heist. All you need is a little hacking skill and an unsuspecting victim who's not careful enough with their passwords.

That's not to say that online and mobile banking is insecure, but you need to be careful about how you use it to ensure you're not inadvertently giving others access to your financial accounts.

Banking apps make it easy to handle services like transferring money and checking your balance, all without visiting a physical branch. It makes banking simple and convenient. But are banking apps a safe way to manage your money?

If your information is compromised, cyber criminals could get hold of your personal and financial account details, which can be time-consuming and costly to mitigate. Professional hackers are creating new banking scams every day. More than 29,000 cases of remote banking fraud were reported to UK Finance in the first half of 2022, with scammers gaining access to bank accounts via Internet, telephone or mobile banking and making an unauthorised transfer of money from the account.

Reports suggest that many people still have security-related concerns when using digital banking channels. Among mobile banking users, that’s the case for 67 percent of younger Millennials, 58 percent of older Millennials, 57 percent of Generation Xers and 63 percent of Boomers, according to a recent report.

“Our recent mobile banking study confirmed that security, especially the fear of fraud, is a top online and mobile banking concern amongst consumers of all generations,” said Jenifer Valdivia, global marketing program manager at Jumio. “When it comes to online or mobile banking, consumers will not understand the technology their bank is using but need to feel confident that behind the easy user experience their financial data is protected.”

Indeed, when it comes to security, not all mobile banking apps are created equal. Any app, tool, or data that can be used to access your money is a target for scammers, and although nearly 200 million Americans safely use bank apps to review their balances, deposit checks, transfer money, and pay their bills, not everyone is safe. Today, you not only have to worry about someone stealing your phone or account password, you also need to be vigilant about the security threats of mobile malware, SIM swaps, fake banking apps, and more.

Mobile banking refers to the use of a bank’s app to access your account. This is different from online banking, which entails logging onto the bank’s website either on your phone or via your device’s browser. It’s important to note that banks have more control over the security of your account when you use their app than they do when you use a website. For example, scammers can create phishing sites that look like your bank’s login page. But it’s much harder for criminals to pull off those same scams when you’re using an app. However, that doesn’t mean you’re completely safe if you use a mobile banking app.

Mobile bank apps transmit data between your device and the bank’s server. To do that without compromising your account security, your bank app needs to “verify” you by using your unique phone ID and account data.

This gives hackers three access points to potentially breach your data and account:

  • On your device.
  • While the data is in transit.
  • At your bank’s server.

Here’s how these vulnerabilities can put your bank account at risk:

  • Someone could steal your phone and access your account. A lost or stolen phone can become a nightmare, and it’s especially harrowing if you’re a mobile banking user.
  • Most people save account passwords on their phones or even stay logged into services like their email accounts. If scammers steal your phone, they can bypass all of your banking app’s security features.
  • A scammer could request a new password for your bank app (and access it through your email) and then bypass the protection of your multi-factor authentication (MFA) code when it’s sent to your phone. This scam is even easier for criminals to execute if you save your passwords in your mobile browser (or notepad), don’t lock your phone, and don’t use biometric security like fingerprint ID.

Ultimately, application security doesn’t mean much if you get scammed or your phone gets stolen. Even without access to your physical phone, hackers can put the security of your mobile banking app at risk.

Hackers have created malicious software, known as malware or Trojans, that attacks bank apps. If you’re tricked into downloading malware onto your phone, a scammer can spy on you and steal your mobile banking username and password. This is why it's paramount for companies to test mobile apps for security issues. Mobile app testing helps identify areas that don’t work well, so the functionality of the app as well as the user experience can be improved.

According to Intertrust's 2021 State of Mobile Finance App Security report, 77% of mobile banking apps have at least one security vulnerability that could lead to your personal data being leaked. If hackers gain access to your banking information, this puts you at risk of not only financial fraud, but also identity theft.   

The Top 10 Mobile Banking Risks and Vulnerabilities:

Banks spend millions to keep their customers safe. But criminals are always looking for new ways to break through cybersecurity defences. These exploits include, but are not limited to:

Manipulated texts and calls claiming to be from your bank: The easiest way for scammers to get access to your mobile bank account is by scamming you. Social engineering attacks use psychology and urgency to trick victims into giving up credentials that offer scammers access to financial accounts. A common tactic is fooling you into thinking your account has been hacked.

  • You receive a call or text, a scam called smishing, about a suspicious transaction from someone claiming to be from your bank.
  • Scammers can even spoof, or manipulate, the phone number to make it look like it’s coming from your bank’s official number.
  • If you respond, they’ll tell you they need to close your compromised account and transfer your money into a new “safe” one.
  • But in reality, you’re sending your entire account balance to the scammer through a wire transfer, Zelle, or other payment system that can’t be reversed.

Phishing links in emails:     Scammers will also send you phishing emails that try to trick you into giving up sensitive data such as usernames and passwords. These emails may look just like mail you’re used to receiving from your bank, and the sender could even spoof the “from” name to look like it’s legitimate. But if you click on the link in the email, it will take you to a site designed to steal your information.

In one example, scammers pretending to be from the Bank of America claimed that bank customers’ accounts would be locked if they didn’t confirm their information. Even worse, the links in phishing emails could download malware to your device that gives hackers access to your mobile banking app.

Phishing emails don’t necessarily have to come from your bank either. You could get a malicious email from scammers posing as Netflix, a courier service, and more. Spam emails only become a serious cyber threat if you’ve committed any of the following actions:

  • Downloaded any malicious files or email attachments.
  • Responded with sensitive information (like your credit card or bank account numbers).
  • Clicked on any phishing links.

Physical phone theft and hacking:   An unsecured or stolen phone can be a payday for scammers. If you don’t keep your mobile device locked, a scammer can steal it and gain access to your most sensitive accounts and information. Even if you do lock your phone, a skilled hacker could use special software to access your accounts or even use your Apple Pay or Google Pay account without unlocking your phone.

Always keep your phone in a secure place when in public, such as a purse or front pocket. For added protection, set up an automatic remote erase that will be initiated if you lose your phone. If you erase your device but then find it, you can restore the information later from an existing backup. This way you can shut down scammers before they access your accounts.

Fake mobile banking apps:   If scammers can’t access your mobile banking app, they’ll try to trick you into using a fraudulent app. In 2020, the FBI reported that there were almost 65,000 fake bank apps listed in major app stores. These fake apps look like the legitimate ones they’re impersonating. But after you enter your credentials, you receive an error message. At the same time, the scammer will take your information and log into your account on the real app.

Make sure to only download apps from legitimate app stores and check the developer’s name to ensure that it matches your bank.

“Keylogging” malware that’s hidden in other apps:   Even if you don’t download a fraudulent banking app, scammers can still gain access to your accounts through other malware-infected apps. Hackers use a type of malware called “keyloggers” that record all the information you type into your phone, including bank accounts and passwords. If you download an app that’s infected with a keylogger, hackers will be able to break into your banking app.

Millions of new types of malware are discovered every month. Even worse, you can accidentally download malware onto your device simply by scanning a Quick Response (QR) code in public.

Trojan overlays that misdirect your transactions:    While some malware records what you type, others fool you into giving up sensitive information or doing something you don’t want to do. “Trojan” malware looks like legitimate software but includes malicious code hidden inside, like the famous “Trojan horse”.

Cyber security experts have discovered trojans that can overlay information on your legitimate mobile banking app, making it look like you’re performing normal banking transactions. However, in reality, you could be giving up your login credentials or authorising a transfer to a completely different account.

Mobile check deposit scams:    Fake checks are among the oldest bank scams out there. And they’ve become much easier to cash, thanks to mobile check deposits. In this scam, a fraudster pays for an item you’re selling or poses as an employer and sends you a check to deposit. Once you deposit the check and it clears, you are asked to refund the money or send back some of it.

The US Federal Trade Commission (FTC) says that these scams work because fake checks look just like real ones. Even bank employees can’t always tell them apart.

SIM (Subscriber Identity Module) swaps that take control of your phone: Fraudsters can also target your mobile carrier with a SIM swap scam to try and gain access to your mobile banking app. SIM swaps occur when fraudsters impersonate you (or pay a mobile carrier employee) and then transfer your account to their device. Once they have your phone number, they can receive your texts, calls, and other data. This is usually all it takes for scammers to reset your banking app password and bypass 2FA.

According to the FBI, SIM swaps cost victims more than $68 million in 2021. In one recent example, a Florida man lost more than $700,000 in a matter of hours after being the victim of a SIM swap.

Wi-Fi hacking: The data you submit in your mobile banking app can also be vulnerable once it leaves your phone. Wi-Fi hacking, also known as a man-in-the-middle attack, happens when a scammer hacks your network and intercepts your data while it’s in transit. Think of this as the digital version of someone eavesdropping as you read out your credit card number in public.

Millions of homes are using outdated Wi-Fi routers, putting banking information at risk even when consumers don’t leave their houses.

Personal banking details available for sale on the Dark Web:   If an app, bank, or financial institution that you use gets breached, there’s a good chance that your information, including banking details and your Social Security number, will be available to hackers on the Dark Web.  Hackers can also exploit the data aggregators that third-party apps, like Mint, use to interface with bank apps.

Data aggregators collect your personal data and sell it to other companies. Yet, only 24% of people who use fintech know about this arrangement. Fintech refers to new technology that automates and improves the delivery of financial services.

How To Protect Yourself Against Mobile Banking Security Risks.

The risks of mobile banking apps may sound scary. But if you maintain a high level of mobile security, using apps can be just as safe as banking at a branch in person and is often more convenient. To stay safe while banking on your phone, follow these tips:

Only download apps from official app stores: Don’t download apps from third-party app stores, as these could be fake or loaded with malware. App stores have strong security practices in place, which reduce the chance that you will download a fake or malicious app. The same goes for all of your apps, not just banking apps.

Don’t skip operating system or app updates: Bank hackers can install malware by taking advantage of bugs and vulnerabilities in outdated apps and devices. That’s why you should always keep your devices and banking apps up to date. When an update is available, install it right away, but just make sure you’re getting it from the official app store.

Secure your bank accounts and devices with strong passwords:   Make sure your devices and mobile banking apps are secured.

  • For your phone: Set a secure passcode, or use biometric ID (like fingerprints or facial recognition), and set it to lock automatically when not in use. You should also stay logged out of your banking app at all times.
  • For your bank account: Choose a secure password that is at least eight characters long and includes a combination of uppercase and lowercase letters, symbols, and numbers.

Make sure your password is unique, that you haven’t reused it elsewhere, and that it is hard to guess, so not a pet’s name or something that a hacker could find on your social media pages. You should also securely store this password in a password manager.

Add additional security measures to your bank accounts, such as two-factor authentication (2FA): When you enable 2FA, choose to use an authenticator app like Google Authenticator instead of text, as hackers can bypass text 2FA if they steal, or SIM swap, your phone.
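To show why an authenticator app is not affected by a SIM swap, the following added example (not from the original article or from any bank's code) computes and verifies time-based one-time codes as specified in RFC 6238: the code is derived on the device from a shared secret and the clock, so nothing is sent over the phone network. The function names, the replay check and the sample secret (the published RFC test secret) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # code length most authenticator apps display

# Constructed sample: the published RFC 6238 test secret, never a real one.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None,
         digits: int = DIGITS) -> str:
    """What the authenticator app shows: HOTP of the current 30 s step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP_SECONDS), digits)


def verify(secret: bytes, submitted: str, at: Optional[float] = None,
           window: int = 1,
           last_used_step: Optional[int] = None) -> Optional[int]:
    """Server-side check (hypothetical helper).

    Accepts codes from `window` steps either side of now to tolerate clock
    drift, rejects any step at or before `last_used_step` so an observed
    code cannot be replayed, and compares in constant time.
    Returns the matched step (store it as the new last_used_step) or None.
    """
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return None
    now = time.time() if at is None else at
    current = int(now // STEP_SECONDS)
    for step in range(max(0, current - window), current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET)
    print("current code:", code)
    print("accepted at step:", verify(SAMPLE_SECRET, code))
```
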

Avoid using “rooted” or “jailbroken” devices: Many people “jailbreak” their phones to customise them, or use features that the manufacturer doesn’t allow. This makes your device more vulnerable to malware and hacking. If you bought your phone from an official store and haven’t tampered with it, it’s probably safe to use.

On iOS, look for signs that your phone is jailbroken, such as the presence of apps like Cydia or Sileo (which are alternative app stores). Another indication that your phone might be jailbroken is if you can’t update your software.

Stick to mobile data when accessing your banking app:   Avoid using your app on public Wi-Fi. Instead, use your phone’s data or a mobile hotspot. For added security, consider using a Virtual Private Network (VPN). This is a tool that encrypts your data so that even if hackers intercept your signal, they won’t get anything usable.

Don’t respond to unsolicited calls, emails, or texts from your bank:   Phishing attacks are getting more sophisticated and harder to identify. If anyone reaches out to you claiming to be from your bank, don’t engage with them. Instead, call the official number on the bank’s website, or on the back of your card, and ask to speak to someone about the issue.

Never send account details or financial information to anyone via email, text messages, or phone. And beware of any link or attachment in an unsolicited email.

Use antivirus software with malware and phishing protection: Antivirus software can detect and block malware to help you stay safe. Consider signing up for a service that can protect all your devices: phones, tablets, and computers. If you think your phone has already been hacked, check for these signs of a malware infection:

  • Lower battery life
  • Strange messages or texts in your “sent” folders
  • Unusual data or cell phone bills
  • Performance issues, reduced functionality, and call disruptions
  • Applications that you didn’t install

Sign up for credit monitoring to alert you about suspicious activity:    Even with the best risk management plan in place, scammers can slip through the cracks. Credit monitoring tools actively monitor your bank and other financial accounts for signs of fraud. If someone is trying to steal your money or access your financial data, you’ll receive an alert in near real-time.

Did a Scammer Access Your Mobile Banking App?:   

  • Alert your bank immediately and freeze your account.
  • Update your phone’s security software and run an antivirus scan.
  • Delete any malicious or unfamiliar apps that you find.
  • Check your bank, credit card, and other financial service accounts for charges or changes that you didn’t make.
  • Alert the three major credit bureaus, Experian, Equifax, and TransUnion, about the hack and ask for a credit freeze.
  • Get a free copy of your credit report in the US at AnnualCreditReport.com.
  • Report any errors or fraudulent charges to your bank and any other impacted companies.
  • Sign up for identity theft protection. If scammers have access to your bank, they could also have more of your sensitive information.

Keep Your Mobile Bank App Secure:   Even the best mobile banking apps are vulnerable to breaches, data exposure, and scammers. But that doesn’t mean you need to give up on the convenience of banking from your mobile phone.

Instead, watch out for common mobile banking scams and vulnerabilities, and follow our best practices for keeping your accounts safe. And for added protection, consider signing up for Identity Guard’s identity theft protection and credit monitoring services. 

Should the worst happen, you’re Even if your financial institution is doing as much as it can to make mobile banking safe, you must do your part to protect yourself. Never log into your mobile banking app over public WiFi. And keep your phone’s operating system and apps updated to avoid being exposed to security problems.

Conclusion

Mobile banking apps have revolutionised the way we manage our finances, but they come with a high cost of convenience. Mobile banking security is of utmost importance, given the increasing dependence of customers on mobile apps for banking transactions.

  • The risks associated with mobile banking apps can lead to financial losses, reputational damage, and loss of trust in the banking industry.
  • It is crucial for both individuals and organisations to understand the risks and take necessary steps to protect themselves against these threats.
  • It is necessary for banks and financial institutions to implement robust security measures to protect their customers’ data and finances.

Regular security testing, employee training, and customer education are also essential to maintaining a strong mobile banking security posture. 

By implementing these measures, banks can significantly reduce the risks of cyberattacks and protect their customers’ assets and data, ensuring that the convenience of mobile banking does not come at the cost of security.

References:

  • Identity Guard
  • Security Boulevard
  • Design Rush
  • Cnet
  • Surf
  • Money Week
  • Aura
  • Bankrate
  • Motley Fool
  • Money
  • Intertrust
  • Finezza
  • Annual Credit Report

Image: Suwaree Tangbovornpichet
