Finance Security

Could Your Mobile Banking App Be a Big Security Risk?

Dann Albright 12-07-2016

Mobile banking apps bring some of the most convenient online banking features to your phone, but could they be a security risk? Banks tend to have pretty solid data security, but they have suffered breaches in the past, so how secure are their mobile apps? Unfortunately, the answer isn’t encouraging…


Two-Factor Authentication

The use of two-factor authentication (2FA) is increasing across the internet, which is a good thing; it adds a significant layer of security to your account without too much inconvenience. Quite a few apps and services have started to use it, too, increasing your overall security.

Unfortunately, many mobile banking apps don’t support 2FA at this time, which means that if someone gets hold of your phone and figures out your banking password, they’ll have access to your account. (If you don’t have two-factor enabled on your web-accessed account, they’ll have access to that too, but you do have 2FA enabled, right?) If your banking app does support 2FA, you should enable it as soon as possible.


On the other hand, if it doesn’t offer 2FA, you may want to consider removing the app from your phone. Also, make sure that a phone thief can’t obtain the second factor from your phone without another password or form of identification (if the bank just texts you a code, that’s not going to do you any good if someone else has your phone).

Poor Password Protection

Another weakness that many mobile banking apps have is that they allow you to save your password. This is great for opening the app quickly, but it also means anyone who has your phone can access your accounts. Hopefully you don’t have your password saved, but if you do, you should disable this feature right away.



And, of course, choose a good password for your app. If your password is “123456” or “password,” it’s not going to matter whether the app saves it; someone will guess it anyway. Many banks now require that you use a certain number of capital letters, numbers, symbols, or special characters, making it more likely that you’ll pick at least a decently strong password, but many of them don’t have these requirements, so you’ll have to rely on your own password choice.

SSL Certificate Validation

To understand this problem, you need to know how websites prove that they’re legitimate. To put it very simply, a verified certificate proves that a website is what it claims to be. When a site is accessed over an encrypted connection, it sends a certificate to your browser, and your browser checks that certificate against its list of trusted certificate authorities. If it contains the right information, your browser knows to trust that website.

In 2014, researchers found that many mobile banking apps didn’t verify the SSL certificates sent to them over encrypted connections (the same flaw was found in a number of UK mobile banking apps again in 2016). This means that an attacker could impersonate your bank by presenting a homemade SSL certificate, and the app wouldn’t check whether that certificate was valid.
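As an added example (not code from the article, and not from any bank’s app), here is what the flaw the 2014 research describes looks like in a Python TLS client, next to the hardened configuration and a small audit function that flags the weak settings. The certificate pin at the end is an extra mitigation the article does not mention; the DER bytes fed to it are constructed stand-ins, not a real certificate, and the `hardened_client_context`, `audit_context` and `cert_pin` names are this example’s own.

```python
import base64
import hashlib
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The pattern the research describes: a client that never checks
    the server certificate, so a forged or self-signed one is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Chain validation against the system trust store, hostname matching,
    and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context validates
    certificates the way a browser would."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server's "
                        "certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for "
                        "any other host would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def cert_pin(der_bytes: bytes) -> str:
    """Base64 SHA-256 of a DER-encoded certificate. Pinning the whole
    certificate is the simplest form; production apps usually pin the
    SubjectPublicKeyInfo instead so routine renewals do not break the pin."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


def pin_matches(der_bytes: bytes, pinned: set) -> bool:
    """True only if the presented certificate is one the app was shipped with.
    This check runs on top of normal chain validation, never instead of it."""
    return cert_pin(der_bytes) in pinned


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    shipped_cert = b"constructed-der-bytes-for-the-bank-server"
    pins = {cert_pin(shipped_cert)}
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, "->", audit_context(ctx) or ["no findings"])
    print("pin matches shipped cert:", pin_matches(shipped_cert, pins))
    print("pin matches forged cert:", pin_matches(b"constructed-forged-cert", pins))
```

The audit function is the sort of check you would run over an app’s networking layer in review: a context whose `verify_mode` is `CERT_NONE` or whose `check_hostname` is off accepts exactly the “homemade” certificate the article warns about, regardless of how strong the cipher suite is.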


Of course, finding out whether or not your mobile banking app has this flaw is going to be very difficult. I looked at the FAQ for my own bank, and its explanation of the security features doesn’t answer this question:

We use 128-bit Secure Socket Layer (SSL) technology to encrypt your personal information such as User IDs, Passwords and account information.

Getting more information than this is likely to be quite difficult. You could try to find research or tests done on your specific app to see if it verifies SSL certificates, or get in touch with your bank to find out. Or, if you’re worried about this particular vulnerability, you can just stop using the mobile app.

Jailbroken Installs

Another study found that many banking apps could be installed on jailbroken or rooted devices, which could potentially be a security risk, as jailbreaking or rooting your phone removes some of the security features that keep apps from passing information back and forth when they shouldn’t. This could lead, for example, to a keylogger or another app hijacking the connection.

There are benefits and drawbacks to jailbreaking your phone, but if you plan on using a mobile banking app, you may want to think twice about it.


Potentially Unknown Risks

As with any other app, there could be vulnerabilities in mobile banking apps that we aren’t aware of yet. Banks haven’t exactly earned a great reputation for securing their mobile apps, and it’s quite possible that someone will find more vulnerabilities in them in the future (or already have).

All in all, unless you absolutely need to use a mobile banking app, it’s probably a better idea not to. They can be convenient, especially if you use the app to make transfers on a regular basis, and it’s unlikely that you’ll be the victim of an attack… but the stakes are awfully high. Having someone else get access to your bank accounts could be an absolute financial nightmare.

Is the added convenience worth the risk? It’s ultimately up to you, but it’s important to be aware of the potential problems you could face.

Do you use mobile banking apps? Will you continue using them after finding out that there might be some security risks? Or do you find the convenience worth the potential problems? Share your thoughts in the comments below!



  1. will scranton
    December 31, 2016 at 7:49 pm

    Mr King:

    Your column pimping Linux is so full of 1/2-truths and misdirection that even an Obama-voter would barf at the lies. Let's take a std. everyday Linux type-task --- find, download, install and enable the eawpatch.cfg midi replacement sounds for Timidity.

    That's the kind of repulsive crap-task every Linux usr is called to perform every day. Good luck palsy ... any noob takers ?

    • Dann Albright
      January 5, 2017 at 4:29 pm

      This comment is so phenomenally off-topic I feel like I have to respond to it.

  2. mike
    July 13, 2016 at 11:44 am

    Can someone explain what can be done if access to a bank account is gained? They can see how much money is in my account, they can see my deposits and withdrawals and if I use a bill pay service at my bank they can see who I pay and how much. Other than they now have some information about me what else can they do?

    • Anonymous
      July 13, 2016 at 2:12 pm

      "Can someone explain what can be done if access to a bank account is gained? "
      By gaining access to your bank account, the miscreant becomes you. Anything you can do with the account, the miscreant can do.

      • mike
        July 13, 2016 at 2:24 pm

        I understand that but what is the miscreant going to actually do, pay one of my bills? Even if that were done I have my account set to email me for any activity exceeding $1.00 so I'll know and can easily cancel the transaction.

        I get the fact that nobody should have access to your information but I'd like to know what they can actually do with it. Even if they set up and paid one of their own bills that's pretty easily tracked by the bank. I'll happily concede my stupidity if an example can be provided that will impact my bank balance.

      • mike
        July 13, 2016 at 2:30 pm

        My question is what exactly is the person going to do with one of my bills? Even if that happened I have my account set up to send an email for any activity that exceeds $1.00 so even if that happened I can easily cancel it. If the person pays one of their bills that's easily tracked by the bank.

        I will admit my stupidity if someone can please explain what someone can actually do to my online bank account balance other than look at it.

    • Dann Albright
      July 13, 2016 at 8:16 pm

      They could, for example, set up new payments, use your bank account information to verify "your" identity elsewhere, change passwords or contact information, or initiate new transfers. Pretty bad stuff.

      • mike
        July 13, 2016 at 10:01 pm

        I agree that new payments can be set up but since the bank is making them to "someone" they're easily tracked to that "someone". Since I have my account set up to send me an email anytime a transaction exceeds $1.00 I'm going to be aware of activity and be able to cancel payments or transfers and report the activity to my bank for their followup. My bank displays the last 4 digits of my account number and nothing else...if they change the password I change it back the same way they changed it.

        I agree completely that security is necessary but I also think that it's the account holder's responsibility to be diligent over their accounts.

        • Dann Albright
          July 25, 2016 at 7:31 pm

          You get an email every time there's a transaction that exceeds $1.00? Doesn't that just flood your inbox with notifications?

          And of course, account holders have a lot of responsibility in keeping their accounts safe. But if the bank is providing the customer with an app that doesn't have standard safeguards, that's putting them at an immediate disadvantage.

  3. Anonymous
    July 12, 2016 at 6:16 pm

    I travel (for leisure) to all parts of the world about twice a year, 2-3 months at a time. I bring along my WiFi-only Nexus 7 tablet; my phone stays home. I do NOT use 2FA ever -- but I do use a password manager to "house" all my unique/complicated 15-character passwords. And yes, I do use airport/hotel/coffee shop WiFi all the time.

    Being on the road for months at a time, I do have to access my bank online from time to time -- either with my browser or with my Android bank/email apps. I feel "safe enough" because (1) browser access is through HTTPS and (2) bank apps access is supposed to be similarly encrypted. I assume my "only" susceptibility is Man-in-the-Middle-Attack, but my tablet is 'locked down' pretty well (unrooted) and my installed apps are pretty minimal and all are very well known and only installed through Google Play.

    Two questions: Am I "safe enough" (I know there isn't ever 100% safety)? Is browser (HTTPS) safer than bank apps -- or same, same??

    • Dann Albright
      July 13, 2016 at 8:10 pm

      It seems to me like you're pretty safe, though connecting to public wifi is always a risk, even with HTTPS. As far as HTTPS vs. a bank app, I'd say it depends on the app, but they SHOULD be equivalent. If a bank's app is accepting unverified certificates, it'll be a higher risk, but hopefully those that do accept those won't for long. I'd also recommend using 2FA . . . it's a bit of a hassle, but it can make a big difference in your overall security.

      • Anonymous
        July 13, 2016 at 9:25 pm

        Thanks, Dann.