Why Online Banking Is Safer on a Mobile Phone
A few years ago, security experts thought you'd be crazy to access an online bank account from a mobile phone.
Mobile Web browsers hid URLs, making it easy for cybercriminals to impersonate banking sites. The Wireless Application Protocol mobile-Web standard offered limited security. Even after the introduction of smartphones, banks' stand-alone apps were often poorly designed.
"We've seen a few examples where it became clear the mobile finance apps didn't quite receive the same level of security scrutiny as their traditional counterparts," Roel Schouwenberg, a senior researcher at Kaspersky Lab, stated in a TechNewsDaily article as recently as May 2012.
The tide has turned. Experts now say mobile devices may actually be safer to use than computers for online banking, in part because malicious software can be downloaded to a computer without a user knowing it.
Drive-by downloads, which attack Web browsers, and emailed attachments are perfect vectors for banking Trojans to infect Windows PCs.
The Trojan hides in the browser until the user logs into his or her online bank account. Then the malware steals the login credentials and moves money out of the account.
On a mobile device, secretly installing software is much harder to do, as long as the device hasn't been "rooted" or "jailbroken" to let the user run privileged commands and install unauthorized software.
Why mobile applications are safer
As long as they're using encrypted Wi-Fi or a cellular data connection, mobile customers usually don't need to worry about malware hijacking their online-banking sessions. (Mobile banking Trojans do exist, but so far they only assist their desktop variants by stealing two-factor login authentication codes.)
"No online banking is completely safe, period," said Clay Calvert, director of cybersecurity for MetroStar Systems, an IT consulting firm in Reston, Va. "However, unrooted tablets and cellphones are much safer than using PCs for banking."
"The primary reason for this," Calvert said, "is that applications are vetted [by Apple and Google] before they're sent to the app store and made available for download.
"Apple and Google specifically look for malicious behavior built into apps that are submitted by developers," he said, "and will reject anything that presents potential security risks."
Greg Hughes, an information-security officer with Brookfield, Wis.-based financial-technology provider Fiserv, agreed with Calvert.
"Within the last year," Hughes said, "Google has made changes to improve the way it scans and reviews apps that are submitted and distributed through its Google Play app store, and has enhanced the criteria under which they will release apps from a security configuration perspective."
"Recent changes in the Jelly Bean release [in 2012] included clearer app permissions, a new app-verification service to enhance security, encryption improvements and other enhancements," Hughes added.
However, non-rooted Android devices can still be put in danger. Users who seek free or discounted apps from sources other than the official Google Play store run the risk of being infected by corrupted apps, which are easy to create.
To avoid this, go into the Settings menu, select Security and make sure "Unknown sources" is left unchecked.
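For anyone checking more than one handset (a family's devices, or a small fleet), the same setting can be read from a workstation over adb instead of tapping through the Settings menu. The script below is an added example, not from the article or from Google; it assumes adb is installed, the device is connected with USB debugging enabled, and the device runs an Android release where the "Unknown sources" toggle is backed by the secure setting `install_non_market_apps` (Android 4.x through 7.x; Android 8.0 and later replaced the global toggle with a per-app "Install unknown apps" permission, so this check does not apply there). The `classify_unknown_sources` function name is the author's own.

```shell
#!/bin/sh
# Added example (not from the article): read the Android "Unknown sources"
# setting over adb rather than through the Settings UI.
# Assumptions: adb is installed, USB debugging is on, and the device runs
# Android 4.x-7.x, where the toggle is stored as the secure setting
# "install_non_market_apps" (Android 8.0+ uses a per-app permission instead).

# Classify the raw value returned by
#   adb shell settings get secure install_non_market_apps
# "0" or an unset value ("null"/empty) means the toggle is off (the default).
# Prints a verdict and returns 0 (off), 1 (on) or 2 (unrecognised value).
classify_unknown_sources() {
    # Strip whitespace, including the \r that adb shell appends on some builds.
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$value" in
        0|null|"")
            echo "Unknown sources is OFF: only Google Play installs are allowed"
            return 0 ;;
        1)
            echo "Unknown sources is ON: sideloaded apps can be installed"
            return 1 ;;
        *)
            echo "Unexpected value '$value'; check the setting manually"
            return 2 ;;
    esac
}

# Query every device adb currently lists as "device" (authorised and online).
# When adb is absent the function just reports that and returns success, so
# the file can also be sourced for classify_unknown_sources alone.
check_connected_devices() {
    command -v adb >/dev/null 2>&1 || {
        echo "adb not found; skipping live device check"
        return 0
    }
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        raw=$(adb -s "$serial" shell settings get secure install_non_market_apps)
        printf '%s: ' "$serial"
        classify_unknown_sources "$raw" || true
    done
}

check_connected_devices
```

Run it with one or more devices attached; each line names the device serial followed by the verdict. A device reporting "ON" is the case the article warns about, and the fix is the same as in the text: turn "Unknown sources" off in Settings, then re-run the script to confirm the stored value is back to 0.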
Mobile apps aren't entirely risk free
There has also been an evolution in the breadth and depth of mobile application security solutions, such as mobile application integrity protection, said Kevin Morgan, chief technology officer of application-security provider Arxan Technologies in Bethesda, Md.
"Mobile app integrity products are now more sophisticated and provide greater facilities for hiding critical information," Morgan said.
Still, there are many opportunities for a cybercriminal to interrupt online-banking communications.
"The general threat to all mobile financial services is that critical business and security information for the transaction can be analyzed, tampered with, circumvented and even stolen," Morgan said.
"This can occur when you are running a tampered version of the original vendor application," he added. "You may have picked up a tampered version that was posing in an app store as a legitimate version.
"When you plugged into a public charger at the airport, your legitimate application may have been replaced," Morgan explained. "Or your legitimate application on your device may have been replaced or tampered with internally on your mobile device by another rogue application that you previously loaded and ran."
Best practices for mobile online banking
If you think your mobile device is secure enough for financial transactions, your best bet is to follow these tips to make sure your finances remain safe:
— Install apps only from trusted sources, and don't modify security settings on your devices.
— Disable the ability to set up new automatic bank payments online, if possible. Instead, set it up so that you have to go to the bank in person to create these types of transfers.
"If you sign up for a new credit card or get a new mortgage, you should have to go to your bank to add that creditor to your account," said Calvert.
"By having the ability to set up new creditors from your online account," he said, "you create the risk of a hacker using malware to access your account, then adding payments to another financial institution and emptying your account."
— Don't send personal information via SMS text message, and don't respond to texts that seem to come from your financial institution, Hughes said.
Text messages are not encrypted, so banks won't ask for personal information via SMS. If you transmit sensitive financial information on your mobile phone, be sure you are using a secure browser or app.
— If you are considering a mobile finance app, look for one that lets you remotely wipe the data from your cellphone if you lose it.
— Change your mobile-banking password frequently.