Modern internet banking mobile apps cover a range of services. With your smartphone, you can open an account, secure a loan, buy securities and get many other services that previously required an in-person transaction.
There are still some hidden dangers behind these conveniences. It’s easier now to lose all the money in your bank account, and much more difficult to get it back. Banks need solid proof that you were not involved.
Android vs. iOS
When banks offer mobile services, they typically recommend that clients install antivirus software on their smartphones. Android users should be particularly attentive here. If you compare the two popular mobile platforms, Android and iOS, Android-based devices are much more susceptible to attacks by various viruses and malware.
Apple devices can also be infected with a keylogger (which will secretly record your authorization data) or a tailor-made banking Trojan, but this is much more difficult and more expensive for malware operators because of iOS security features. Therefore, iOS users have no special need for third-party antivirus software. The main thing is to update your iOS in a timely manner.
Phones that have one or several banking apps installed must be protected by a strong password. If your mobile phone is lost, is not password-protected, and the data on it is unencrypted (the encryption option is available to users of most popular mobile platforms), this is very bad.
With the introduction of contactless payments by Android Pay and Apple Pay, the password to the phone is, in fact, the password to the wallet. In such a situation, losing the phone may mean losing all the money on your bank card.
Here are some basic security measures:
• Don’t, under any circumstances, share your logins and passwords with others or allow third-party apps to use them.
• Don’t store sensitive information like passwords directly on the device.
• Don’t give your smartphone to other people.
• Do enter your login details in a way that cannot be seen by others.
Hacking a smartphone’s main password is easy for cyber criminals, according to experts. The good news? Widespread hacking of private devices is rare.
Typically, fraudulent online transactions that are committed with the help of viruses are carried out against big corporate bank customers. It's unlikely that anyone will hack a phone found on the street. It's an expensive operation, and doing it randomly, without knowing how much money is at stake, makes no sense.
Face-scanning is bad
The latest trend in mobile user verification technologies is fingerprint scanning. From the point of view of protecting the phone, it’s a highly effective technology. In addition, it’s much easier and more convenient to apply a finger than to enter a PIN code.
A number of gadget manufacturers, however, went even further, offering the scanning of the owner's face to gain access to the phone.
As it turned out, this method is not perfect. Equipped with this advanced system, the flagship Samsung Galaxy S8 smartphone was easily deceived. Bloggers managed to unlock the device by showing it selfie images from the screen of another gadget.
As for private users, their money, as a rule, is stolen from bank accounts through social engineering. The basis for such schemes is to use every possible way to get sensitive information, such as a login, a permanent or one-time password, etc.
Fraudsters prefer to communicate by phone or instant messages. The fraudster may impersonate a bank employee and ask the victim to provide additional info needed to confirm a payment. There are also many schemes employing popular platforms like Craigslist or eBay, where scammers, posing as buyers, extract personal data from sellers.
Root rights and jailbreaking
To avoid catching a virus, applications should be installed only from official sources like the App Store and Google Play.
Smartphone owners who jailbreak iOS devices or obtain root rights on Android act at their own risk. These operations let you make greater use of the device's capabilities, but even if you have antivirus software installed, your phone becomes vulnerable to malicious software. Not only you, the owner, but also other apps may get extended rights on the device. In this case, any hidden viruses and Trojans that have penetrated your device will be able to monitor your activity more effectively, transmit stolen data to attackers, or even lock your device and demand a ransom.
Banks state that internet banking can be used freely over a Wi-Fi connection, as each bank builds protection against hackers directly into its application. They claim that you can make absolutely any online transaction without risk and may transfer even tens of millions. To do this without risk, you need to observe the basic security measures outlined above.
But, as some infosec experts say, not everything is so simple. When a phone is connected to a public Wi-Fi network, for example, its MAC address becomes visible, and an attacker sitting nearby with the necessary equipment and scanning connections can use this data.
In addition, a public Wi-Fi network to which the phone tries to connect may simply be fake. It's not uncommon for attackers to change one letter in the name of a Wi-Fi network, create their own fake network and make it completely open.
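The check below is an added example, not part of the original article: it flags scanned network names that are one character away from, or visually identical to, a network you trust. The SSIDs, the `(name, is_open)` scan format and the function names are constructed for illustration.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

# Characters commonly swapped so that a name looks the same at a glance.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "I": "l", "5": "s", "_": "-"})

def skeleton(ssid: str) -> str:
    """Fold look-alike characters, case and spaces before comparing names."""
    return ssid.translate(LOOKALIKES).lower().replace(" ", "")

def classify(scan, trusted):
    """Return {ssid: reason} for names that imitate a trusted network."""
    findings = {}
    for ssid, is_open in scan:
        if ssid in trusted:
            continue  # exact name match: nothing to say from the name alone
        for known in trusted:
            if skeleton(ssid) == skeleton(known):
                reason = f"visually identical to {known!r}"
            elif edit_distance(ssid.lower(), known.lower()) == 1:
                reason = f"one character away from {known!r}"
            else:
                continue
            findings[ssid] = reason + (", open network" if is_open else "")
            break
    return findings

TRUSTED = ["CityBank-Guest", "Cafe Aroma"]   # constructed: networks you know
SCAN = [                                     # constructed scan: (SSID, open?)
    ("CityBank-Guest", False),    # the genuine network
    ("CityBank-Gvest", True),     # one letter changed, no password
    ("CityBank-Gue5t", True),     # digit standing in for a letter
    ("Cafe Aroma", True),
    ("Airport Free WiFi", True),  # unrelated name, not flagged
]

if __name__ == "__main__":
    for name, why in classify(SCAN, TRUSTED).items():
        print(f"{name}: {why}")
```

A copy that uses exactly the same name as the trusted network passes this check, so it does not replace the secure connection the banking app establishes itself.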
If the network is genuine, you can use mobile banking applications in public places. Most often such applications know the IP address of the server they need to connect to and establish a secure connection with it. The result is something like a tunnel through which the data transfer occurs, so the risk of hackers getting at this data is minimal.
Wi-Fi attacks are probably very common. We cannot know about most of them as people rarely report them. Therefore, it’s recommended that you obtain a VPN application for your device to additionally protect all mobile communications.
David Balaban is a computer security researcher with more than 15 years of experience in malware analysis and antivirus software evaluation. He runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters.