DigiCert Blog

Online and Mobile Banking—Secure or Compromised?

Of the 22 UK-owned retail banks examined in the research report, 50% were found to have unsecure SSL instances.

For the first time ever, there are more people using mobile banking apps than people who actually go into their bank branch, according to a new survey by Javelin Strategy & Research.

This comes as hardly a surprise; even tiny banks are now able to offer day-to-day services, like check depositing or account management, on a mobile device via third-party software providers. However, banks aren’t entirely abandoning their branches yet because with all the convenience and expected safety of mobile banking apps and even online banking, security remains a concern.

Common Risks of Mobile and Online Banking

Banking fraud expert Julie Conroy of The Aite Group warns that “as additional people flock to the mobile channel and transactions multiply, the bad guys are paying attention and deploying more attacks against it.” The best way to protect private information and data is to know the risks of banking via mobile devices and Internet connections, including the following:

Malware attacks. Banking apps, like most apps, can be targets of malware attacks, which are designed to raid apps and commandeer sensitive data. Unprotected binary code in mobile apps can be directly accessed, examined, modified, and exploited by attackers.

Rogue apps. Hackers create fake apps designed to look similar to the originals; any confidential information entered into one of these apps is fair game for theft.

SIM swaps. According to Mint Money, mobile phone numbers have become an important tool for accessing financial details, and fraudsters can get hold of them by duplicating the SIM from an individual’s telecom services provider using a fake ID.

Auto-saved passwords. This applies to both home computers and mobile devices: don’t tell the login to “remember you” on each visit. Doing so gives anyone with physical access to the device admission to personal funds.

Misconfigured Certificates. It is critical that a bank uses an SSL Certificate to encrypt information in transit, which is one of the most important factors when it comes to sensitive financial information. If a bank does not keep the SSL Certificates on its website updated, or if the certificates are misconfigured or incorrectly installed, the connection is vulnerable to eavesdropping.

For example, the global security firm Xiphos Research looked into UK high street banks and their implementations of SSL Certificates, and found that more than half of the UK’s retail banks have unsecure cases of SSL. In fact, of the 22 retail banks examined in the research report, 50% were found to have unsecure SSL instances. This makes it much easier for cyber criminals to access private financial data during the user’s login process.
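The certificate problems described above (expired or outdated certificates, certificates that do not cover the hostname they are served on) are exactly what a verifying TLS client catches, and it is also the check the “look for HTTPS and the padlock” advice later in this post relies on. The following script is an added example, not code from DigiCert or from the Xiphos Research report: it fetches a site's leaf certificate over a verifying handshake and reports expiry and hostname coverage. The `bank.example` hostnames and the 2017 validity dates in the sample certificate are constructed for illustration.

```python
"""Added example, not code from the DigiCert post: inspect a server's
certificate for the failure modes the post describes (expired or
not-yet-valid certificate, certificate that does not cover the hostname).
The hostnames and dates in the sample are constructed."""
import socket
import ssl
import sys
import time
from typing import Optional


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname. A wildcard may
    replace only the whole leftmost label ("*.bank.example" covers
    "www.bank.example" but not "a.b.bank.example" or "bank.example")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".bank.example"
        if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
            return False
        return "." not in hostname[: -len(suffix)]
    return False


def inspect_certificate(cert: dict, hostname: str, now: Optional[float] = None) -> dict:
    """Evaluate a certificate dict in the shape ssl.SSLSocket.getpeercert()
    returns. 'now' is Unix time and defaults to the current time."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    elif not_after - now < 30 * 86400:
        findings.append("expires within 30 days")  # renew before it lapses
    if not any(san_matches(name, hostname) for name in san_names):
        findings.append("hostname not covered by subjectAltName")

    return {
        "hostname": hostname,
        "days_remaining": int((not_after - now) // 86400),
        "dns_names": san_names,
        "findings": findings,
        "ok": not findings,
    }


def fetch_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate over a verifying TLS handshake. An
    untrusted or misconfigured chain raises ssl.SSLCertVerificationError
    before any application data is sent."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in the getpeercert() layout, used when no host is given.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "notBefore": "Jan 01 00:00:00 2017 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.online.bank.example")),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        report = inspect_certificate(fetch_certificate(host), host)
    else:
        mid_2017 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2017 GMT")
        report = inspect_certificate(SAMPLE_CERT, "www.bank.example", now=mid_2017)
    print(report)
```

Run with a hostname argument to inspect a live site, or with no arguments to evaluate the constructed sample. Because `fetch_certificate` uses `ssl.create_default_context()`, a chain the system does not trust fails during the handshake with `ssl.SSLCertVerificationError`, which is the behaviour a browser's padlock summarises; `inspect_certificate` then adds the operational points a bank's own team would track, such as a certificate that is still valid but about to expire.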

How to Ensure Personal Security and Safe Internet Banking

The following are precautions for both businesses and individuals to adhere to when it comes to trusting online banking websites and mobile banking apps:

  • Ensure that all transfers are performed using secure connections. This means not logging in to a banking app using public Wi-Fi or open networks, which are often underprotected. Use private Wi-Fi or reputable Virtual Private Networks (VPN) only.
  • Set limits on auto bill payments. Because bills fluctuate, set a limit on monthly transactions; it will limit any loss in the event of a fraud.
  • Enable two-factor authentication. This adds an additional layer of security to the account login process by requiring that a user provide two forms of authentication. Adding a second factor, e.g., an SMS or email code, or even a USB security key, is more effective than standard password protection (passwords are often weak and easily hackable).
  • Confirm you are not using a fake website (or fake app) before entering information. The URL of a fake site can be misspelled or include an additional symbol, for example, bankoffamerica.com rather than bankofamerica.com.
  • Check to see if the website is using an SSL Certificate by looking for the “HTTPS” and/or padlock icon before the URL. A secure website uses encryption and authentication standards to protect the confidentiality of information sent during web transactions.
  • Update operating systems regularly. Keep track of the latest security patches, updates, and drivers to make sure all devices from laptops to smartphones are free from viruses and other security threats. Also, update browser settings to block cookies and other files that automatically store user data.
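The “fake website” item in the list above describes a hostname that differs from the real one by a single extra letter or symbol. The script below is an added example, not code from the DigiCert post, of the defender-side version of that check: it extracts the host from a URL, folds characters that imitate other letters, and flags hosts within a small edit distance of a known bank domain. The allowlist (`bankofamerica.com` from the post, plus a constructed `examplebank.co.uk`) and the test URLs are constructed; a real deployment would load the institution's registered domains.

```python
"""Added example, not code from the DigiCert post: a defender-side check
that flags hostnames one or two edits away from a bank's real domain
(extra letter, dropped letter, digit standing in for a letter).
The allowlist and the URLs used in the test are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of genuine bank domains.
KNOWN_BANK_DOMAINS = {"bankofamerica.com", "examplebank.co.uk"}

# Characters and letter pairs commonly substituted for look-alike letters.
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def extract_host(url_or_host: str) -> str:
    """Return the lowercase host from a URL or bare hostname, without a
    leading 'www.' (so www.bank.example and bank.example compare equal)."""
    text = url_or_host.strip()
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold_confusables(host: str) -> str:
    """Map digits and letter pairs that imitate other letters onto them."""
    host = unicodedata.normalize("NFKC", host).translate(_CONFUSABLE_CHARS)
    for pair, letter in _CONFUSABLE_PAIRS:
        host = host.replace(pair, letter)
    return host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str, max_distance: int = 2) -> dict:
    """Report whether a host is a known bank domain, a close lookalike of
    one, or unrelated. Exact allowlist hits are checked before folding so a
    digit-for-letter substitution can never pass as the genuine domain."""
    host = extract_host(url_or_host)
    if host in KNOWN_BANK_DOMAINS:
        return {"host": host, "verdict": "known", "closest": host, "distance": 0}
    folded = fold_confusables(host)
    closest = min(KNOWN_BANK_DOMAINS, key=lambda d: levenshtein(folded, fold_confusables(d)))
    distance = levenshtein(folded, fold_confusables(closest))
    verdict = "lookalike" if distance <= max_distance else "unrelated"
    return {"host": host, "verdict": verdict, "closest": closest, "distance": distance}


if __name__ == "__main__":
    # Constructed inputs: the genuine domain, the misspelling from the post,
    # a digit substitution, and an unrelated site.
    for candidate in ("https://www.bankofamerica.com/login",
                      "http://www.bankoffamerica.com/login",
                      "bank0famerica.com",
                      "digicert.com"):
        print(classify(candidate))
```

The same logic can sit in a mail gateway or proxy log review to surface links that users were sent; the threshold of two edits keeps short domain names from matching unrelated ones, and the confusable folding catches substitutions that edit distance alone would count as a full character change.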

Understanding the risks of banking via Internet connection on a home computer or a mobile device is critical to keeping access to confidential information and individual accounts private. It is important to remember that while many banks and financial institutions do use various tools to prevent fraud, some, as discussed above, are not as careful.


About Katie Macdonald

Katie is a content writer at DigiCert with interests in varying fields including marketing, strategy, and editing.