Mobile banking apps bring some of the most convenient online banking features to your phone, but could they be a security risk? Banks tend to have pretty solid data security on the web, but they have suffered breaches in the past, so how secure are their mobile apps? Unfortunately, the answer isn’t encouraging…
The use of two-factor authentication (2FA) is increasing across the internet, which is a good thing; it adds a significant layer of security to your account without too much inconvenience. Quite a few apps have started to use it, too, increasing your overall security.
Unfortunately, many mobile banking apps don’t support 2FA at this time, which means that if someone gets hold of your phone and figures out your banking password, they have access to your account. (If you don’t have two-factor enabled on your web-accessed account, they have access to that too, but you do have 2FA enabled, right?) If your banking app does support 2FA, enable it as soon as possible.
If it doesn’t offer 2FA, you may want to consider removing the app from your phone. Also check how the second factor is delivered: if the bank simply texts a code to the same phone the app runs on, a thief who has your phone holds both factors, and the second one adds nothing. A second factor only helps if obtaining it from the phone requires another password or some other proof of identity that the thief doesn’t have.
Poor Password Protection
Another weakness of many mobile banking apps is that they allow you to save your password. This is convenient for opening the app quickly, but it also means that anyone holding your phone can get into your accounts: a saved password is protected only by whatever lock screen the phone has. Hopefully you don’t have your password saved, but if you do, disable this feature right away.
And, of course, choose a good password for the app. If your password is “123456” or “password,” it won’t matter that the app doesn’t save it; someone will guess it anyway. Many banks now require a mix of capital letters, numbers, symbols or special characters, which makes it more likely that you’ll pick at least a decently strong password, but many others impose no such requirements, so the strength of the password is entirely up to you. Length and unpredictability matter more than any particular character mix, so a long password that you use nowhere else is the practical choice.
SSL Certificate Validation
To understand this problem, you need to know how websites prove that they are who they claim to be. Put simply, when a site is accessed over an encrypted connection it sends a certificate to your browser. The browser checks that the certificate was issued, directly or through a chain of intermediates, by a certificate authority in its trust store, that the name in the certificate matches the site you asked for, and that it hasn’t expired or been revoked. Only if all of those checks pass does the browser trust the site; a certificate that anyone could have generated themselves fails the first check. (To better understand this process, see “What Is a Website Security Certificate and Why Should You Care?”)
In 2014, researchers found that many mobile banking apps didn’t verify the SSL certificates sent to them over encrypted connections (the same vulnerability was found in a number of UK mobile banking apps again in 2016). This means that an attacker who can sit between the phone and the bank, on a public Wi-Fi network for example, could present a homemade certificate, and the app would accept it without checking whether it was valid. The connection is still encrypted, but it is encrypted to the attacker, who can read and alter everything passing through it, including your login credentials.
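To make the flaw concrete, here is an added example in Go; it is not code from the article or from any bank’s app. A local HTTPS server with a self-signed certificate (generated by Go’s httptest package) stands in for an attacker presenting a homemade certificate. Three client configurations are tried against it: one that skips verification, which is the mistake the researchers found (on Android it usually takes the form of a custom TrustManager that accepts everything); the library default, which performs chain and hostname validation; and a hardened client that additionally pins the bank’s public key, the way a well-built banking app does. The server, its response text and the pin values are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startFakeBank starts a local HTTPS server with a self-signed certificate
// (generated by httptest). It stands in for an attacker's "homemade"
// certificate presented from a man-in-the-middle position.
func startFakeBank() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "balance: 1234.56") // constructed sample response
	}))
}

// fetch issues one GET with the supplied TLS settings and reports whether the
// TLS handshake was accepted. A false result carrying an x509 error is the
// correct outcome when the server's certificate is untrusted.
func fetch(url string, cfg *tls.Config) (bool, error) {
	transport := &http.Transport{TLSClientConfig: cfg}
	defer transport.CloseIdleConnections()
	resp, err := (&http.Client{Transport: transport}).Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// VulnerableConfig reproduces the flaw described in the text: every certificate
// is accepted, so anyone on the network path can impersonate the bank.
func VulnerableConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// DefaultConfig is what the library does when nothing is overridden: chain
// validation against the system trust store plus hostname matching.
func DefaultConfig() *tls.Config {
	return &tls.Config{}
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the usual form of a
// public-key pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedConfig keeps normal chain and hostname validation (against a root the
// app ships in the RootCAs pool) and additionally requires that some
// certificate in the verified chain carry one of the pinned public keys.
func PinnedConfig(root *x509.Certificate, pins ...string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return &tls.Config{
		RootCAs: pool,
		// Called only after standard verification succeeded, so verifiedChains
		// is populated; the pin check is an extra gate, not a replacement.
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			for _, chain := range verifiedChains {
				for _, cert := range chain {
					if allowed[SPKIPin(cert)] {
						return nil
					}
				}
			}
			return errors.New("tls: no pinned public key in the verified chain")
		},
	}
}

func main() {
	srv := startFakeBank()
	defer srv.Close()
	leaf := srv.Certificate()

	report := func(name string, cfg *tls.Config) {
		ok, err := fetch(srv.URL, cfg)
		fmt.Printf("%-20s accepted=%v err=%v\n", name, ok, err)
	}
	report("skip verification", VulnerableConfig())
	report("default validation", DefaultConfig())
	report("pinned, right key", PinnedConfig(leaf, SPKIPin(leaf)))
	// Constructed pin that matches no real key.
	report("pinned, wrong key", PinnedConfig(leaf, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="))
}
```

Running it shows the vulnerable client happily fetching the “balance” from the impostor, the default client refusing with a certificate-from-unknown-authority error, and the pinned client accepting only the key it was told to expect. Pinning is what turns “encrypted to somebody” into “encrypted to my bank”, which is why it is worth asking a bank whether its app does it.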
Of course, finding out whether or not your mobile banking app has this flaw is going to be very difficult. I looked at the FAQ for my own bank, and its explanation of the security features doesn’t answer this question:
We use 128-bit Secure Socket Layer (SSL) technology to encrypt your personal information such as User IDs, Passwords and account information.
Getting more information than this is likely to be quite difficult. Note that the statement above describes only the strength of the encryption; it says nothing about whether the app checks who it is encrypting to, which is exactly what certificate validation is for. You could try to find research or tests done on your specific app to see whether it verifies SSL certificates, or get in touch with your bank to find out. Or, if you’re worried about this particular vulnerability, you can simply stop using the mobile app.
Another study found that many banking apps could be installed on jailbroken or rooted devices, which is a potential security risk: jailbreaking or rooting your phone removes some of the isolation that normally keeps one app from reading another app’s data or interfering with its connections. On such a device a keylogger or another malicious app could capture what you type into the banking app or hijack its connection.
There are benefits and drawbacks to jailbreaking your phone, but if you plan on using a mobile banking app, you may want to think twice about it.
Potentially Unknown Risks
As with any other app, there could be vulnerabilities in mobile banking apps that we aren’t aware of yet. Banks haven’t exactly earned a great reputation for securing their mobile apps, and it’s quite possible that someone will find more vulnerabilities in them in the future (or already has).
All in all, unless you absolutely need to use a mobile banking app, it’s probably a better idea not to. They can be convenient, especially if you use the app to make transfers on a regular basis, and it’s unlikely that you’ll be the victim of an attack… but the stakes are awfully high. Having someone else get access to your bank accounts could be an absolute financial nightmare.
Is the added convenience worth the risk? It’s ultimately up to you, but it’s important to be aware of the potential problems you could face.
Do you use mobile banking apps? Will you continue using them after finding out that there might be some security risks? Or do you find the convenience worth the potential problems? Share your thoughts in the comments below!