Online banking is one of the great conveniences of modern life. Logging on from a PC, smartphone or tablet, most of us can get instant access to our bank accounts in order to see at a glance how our finances are looking and to arrange transactions at the click of a button.
No more waiting in queues, sitting on hold to the call centre or other time-consuming methods of monitoring your own money – online banking saves us valuable time in busy days, so it’s no surprise to learn that mobile banking apps are now the third most used app type behind social media and weather forecasts.
There’s a lot of debate about whether it’s more secure to bank from a smartphone or a desktop device, and in many ways, modern phones are better equipped to defend your data against attack. Often coming with built-in antivirus software or fewer open services than a PC or laptop, smartphones are hard to imitate and are constantly changing. But that doesn’t make them infallible. Here are a few security threats to watch out for, which can sidestep the clever in-built defences your mobile might have.
A Man-in-the-Middle (MITM) attack is the name given to any type of cyber attack where a hacker or other third party gets between you and the activity you’re trying to carry out online. This includes things like email interception, spying on the entry of payment details into a supposedly secure page, viewing your online banking and other similar security threats.
As well as being able to see the data that you’re sending and receiving online, a MITM attacker can edit that data. SSL stripping is one example of this kind of attack and is one to be particularly wary of when banking online.
SSL certificates are a type of added security layer offered by most websites and are considered essential on things like bank websites and e-commerce checkout pages. When your browser displays HTTPS instead of HTTP, it’s a sign that SSL certificates are in place. Though you’d assume that a page displaying HTTPS is inherently a secure page, SSL stripping is the act of redirecting a user from this secure page to an unsecured server without their knowledge.
To the user, everything looks as normal. But without the protection of SSL certificates, the redirection of your traffic leaves it unencrypted and easy to view. The easiest way to mitigate this risk is to use a mobile VPN app to connect to the internet – this provides you with end-to-end encryption while you’re browsing so that even if the website you’re on becomes insecure, your traffic activity stays encrypted. If a hacker were to intercept, all they’d see are indecipherable encryption keys instead of things like personal ID and bank account information.
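The redirection described above leaves traces a defender can check for. The following is an added example, not part of the original article: it walks a recorded redirect chain for HTTPS-to-HTTP hops and flags login forms that would submit a password in cleartext. The host `bank.example`, the sample data and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def find_downgrades(start_url, hops):
    """Walk recorded (status, Location) responses and return
    ([(from_url, to_url), ...], final_url) for every https -> http hop."""
    findings, current = [], start_url
    for status, location in hops:
        if status not in REDIRECTS or not location:
            break
        target = urljoin(current, location)  # Location may be relative
        if urlsplit(current).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append((current, target))
        current = target
    return findings, current

class _FormScan(HTMLParser):
    """Records the resolved action URL of each form holding a password field."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.action, self.hits = base_url, None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = urljoin(self.base_url, attrs.get("action") or "")
        elif tag == "input" and self.action and (attrs.get("type") or "").lower() == "password":
            self.hits.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def cleartext_login_forms(page_url, html):
    """Return form targets that would send a password without HTTPS."""
    scan = _FormScan(page_url)
    scan.feed(html)
    return [url for url in scan.hits if urlsplit(url).scheme != "https"]

# Constructed sample: a session that starts on HTTPS and is bounced to HTTP.
SAMPLE_HOPS = [(302, "/session"), (302, "http://bank.example/login"), (200, None)]
SAMPLE_HTML = ('<form action="/auth" method="post"><input type="text" name="user">'
               '<input type="password" name="pass"></form>')

if __name__ == "__main__":
    downgrades, final_url = find_downgrades("https://bank.example/", SAMPLE_HOPS)
    print("downgrades:", downgrades)
    print("cleartext login forms:", cleartext_login_forms(final_url, SAMPLE_HTML))
```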
Fake and Corrupt Apps
Many mobile users prefer to use banking apps, rather than log in to their accounts from a browsing window. People must weigh up the pros and cons of browser banking – where there’s a higher risk of having information collected by a MITM as you enter it – and banking via an app, where there can be security flaws or outright fraudulent installations.
Mobile banking Trojans – a type of malware that comes disguised as a legitimate banking app – have been on the rise in recent years, now identified in cyber attacks in 164 different countries. Most common in the USA, Russia and Poland, banking Trojans are designed for the specific purpose of stealing money from users’ bank accounts.
It can be hard to tell which is the legitimate app and which is a fake, so it’s important to ensure that you only install apps – banking or otherwise – that come from trusted sources like the Google Play Store or Apple’s App Store. When downloading any new app, check that the permissions it asks for correspond with what it’s supposed to do; fraudulent apps may demand access to files and data that aren’t necessary, or require permission to make unusual changes.
Lastly, run regular virus scans on your smartphone to help you flag and remove any suspicious downloads. Some devices come with antivirus pre-installed, but many don’t. And even phones that claim to be super-secure have been known to fall foul of malware attacks – so it’s better to be safe than sorry.
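The permission check recommended above can be automated for Android apps. This added example, which is not part of the original article, compares the permissions an app requests against a baseline for its category; it assumes the manifest has already been decoded to text XML, and the baseline, the risk notes and the package name `com.example.fakebank` are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline of what a banking app plausibly needs; tune per category.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.USE_BIOMETRIC",
    "android.permission.CAMERA",  # cheque or ID capture
    "android.permission.POST_NOTIFICATIONS",
}

# Reviewer notes for requests that deserve a closer look in a banking app.
HIGH_RISK = {
    "android.permission.READ_SMS": "can read SMS one-time codes",
    "android.permission.RECEIVE_SMS": "can receive incoming SMS, including one-time codes",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install further packages",
    "android.permission.READ_CONTACTS": "can read the address book",
}

def review_permissions(manifest_xml, expected=EXPECTED):
    """Return sorted (permission, reason) pairs for every requested
    permission that falls outside the expected baseline."""
    root = ET.fromstring(manifest_xml)
    requested = {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }
    return [
        (perm, HIGH_RISK.get(perm, "not in the expected baseline"))
        for perm in sorted(requested - set(expected))
    ]

# Constructed sample manifest for a hypothetical look-alike banking app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, reason in review_permissions(SAMPLE_MANIFEST):
        print(f"{perm}: {reason}")
```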
Public Wi-Fi Networks
A major risk in online banking security, and one that is often brushed off, is the use of unsecured Wi-Fi networks in public spaces such as stations, airports and coffee shops.
Public Wi-Fi networks are often unencrypted or use only the most basic, easy-to-crack encryption protocols. As well as the risk of spoof networks set up by hackers – such as things labelled ‘Free Hotel Wifi’ set up near a hotel with its own private network – even legitimate networks can expose your data or leave it vulnerable.
Though free Wi-Fi hotspots can be just what you need when you’ve run out of mobile data or find yourself in a signal black hole, it’s important to secure them yourself before completing any online banking tasks. Just as they can protect you against MITM attacks, mobile VPNs can add a layer of end-to-end encryption to an otherwise unsecured Wi-Fi connection, turning it from a privacy nightmare into a secure ‘tunnel’ of web access.
With your own additional security, if a hacker were to connect to your activity over public Wi-Fi they’d see only complex encryption keys and not your sensitive information.
Banking from your smartphone is not necessarily a greater risk than banking from a desktop PC, but there are different security risks to be aware of. By using antivirus and a VPN, and staying up to date with any new security threats, you can help to keep your banking information safe and private no matter where you’re logging on from.
Tabby Farrar is a professional researcher and copywriter who works with a number of well-known cybersecurity organisations. Outside of spreading the news about staying safe online, Tabby also runs her own travel and lifestyle website.