The mobile phone is fast becoming an extension of us. We’ve come to rely on our smartphones for so many things, whether we’re finding friends on social networks, looking up restaurant reviews or remotely turning off the lights in our house.
But as a growing number of Americans begin using their smartphones for mobile banking, experts warn that consumers should be cognizant of the dangers in using these devices to manage their finances.
“As more and more consumers move to mobile, (cybercriminals) follow where the money is,” says Mary Monahan, executive vice president of banking research firm Javelin Strategy & Research.
Shirley Inscoe, a senior analyst with Aite Group, says mobile banking is pretty safe in today’s environment. But that could change as more consumers move to mobile and as banks add more complex capabilities to their mobile banking apps to meet consumer demand.
“It’s going to attract the criminal element to attack (mobile phones) more,” Inscoe says.
Consumers shouldn’t stop using mobile banking, but they should be aware of the possible dangers to their phones and their money, and take steps to protect themselves and their accounts.
Here are seven potential weak spots of mobile banking and how to beat them.
Thanks in part to the growing numbers of banks offering apps to their customers, the number of people banking with a mobile app is for the first time surpassing the number of people banking with a mobile browser, Monahan says.
That’s a good thing because mobile banking apps tend to be more secure than mobile browsers, she says.
Aite’s Inscoe agrees, saying banks can build security features into apps that can’t be built into mobile browsers.
“If a bank has issued an app, they will ensure it’s secure,” she says. “By far, the preferred method is to use the method your bank provided for you to use (for mobile banking).”
The bottom line: If your bank has an app that you think is trustworthy, use it instead of a browser for your mobile banking.
The experts just said that mobile banking apps tend to be safer than banking on a mobile browser.
But some studies of these new banking apps have found weaknesses. For instance, the security firm Praetorian found that 8 of 10 mobile banking apps contained security weaknesses, according to a report released in December.
“They’re failing to meet very basic security best practices,” says Praetorian Vice President Paul Jauregui. He expects security to improve over time just as security improved over the years with online banking.
Jack Walsh, mobility programs manager at ICSA Labs, an independent division of Verizon, says apps could be less safe than banks and consumers think they are. For instance, a link within the app — such as a link to current loan rates — may not be encrypted, he says.
“Banks may not think they need to protect it, but a bad guy who is looking for a way in can inject some code in here,” Walsh says. That code could prompt users to re-enter their passwords or other personal information, with users thinking they’re still securely sharing their information with their bank when instead they’re giving their data to hackers.
Walsh says banks should have their apps tested by independent third parties, but few institutions do.
Praetorian found that credit unions’ banking apps tended to have more weaknesses than those of megabanks, which have more resources.
Any conversation about the future of mobile must include a discussion of the growth in malware: software such as spyware, Trojan horses and worms that is designed to damage or interfere with normal computer functions.
Until recently, most malware attacks have focused on computers. But in the past couple of years, new malware on smartphones, particularly Android phones, has exploded, says Robert Siciliano, an online security expert with McAfee. He says that because the Android operating system is open-sourced, it’s easier for people to create malware for it.
Aite’s Inscoe says users should remember that their phones are like computers, except even more personal because they carry their phones with them all the time. She says mobile phone owners should install antivirus software and use it on a regular basis.
There are some apps that masquerade as your bank’s mobile banking app. These fake apps can steal a user’s credentials or intercept security codes.
Walsh says these rogue apps are especially prevalent in third-party app stores, so users should download mobile banking apps only through the iTunes app store or Android’s Play Store, and check closely before downloading to see whether the app developer is your bank or another reputable app developer.
Domingo Guerra, president of app risk-management service Appthority, says consumers need to re-educate themselves about online safety in a mobile world.
“We’ve learned over time on our laptops not to open certain files or click on links from people we don’t know,” Guerra says. “On smartphones, we forget these are computers, too. We download any app, open any link.
“There is a process of re-education where we have to learn the risks again,” he says.
Yes, coffee shops offer free Wi-Fi. And yes, that’s great because by using it, users can escape potential charges based on their data plan. But mobile banking on Wi-Fi, particularly if it’s free, unprotected Wi-Fi, creates more dangers.
McAfee’s Siciliano says it’s easier for criminals to access information on an open Wi-Fi network than on your 4G or 3G data network. He suggests that if a consumer wants to conduct mobile banking over a Wi-Fi connection, the user also should install a virtual private network, or VPN.
“On your computer at home, you’re on your home network, and there’s a lower chance someone is monitoring your traffic,” Guerra says. “If you’re on your smartphone, you could be using it from a local coffee shop or at work. It’s important to know that not all of these Wi-Fis are safe.”
Nearly 40 percent of people don’t use a password or a PIN to lock their phones or tablets, according to a recent McAfee survey.
But if you lose your phone or even just leave it unattended briefly, someone can easily access its mobile banking app.
Siciliano stresses using strong passwords, not only for the device itself but also for the mobile banking app. In addition, don’t let your phone auto-save your login information and password.
The added security of typing in a password every time you use your phone or app is worth it.
And when you do pick that PIN or password, make sure it’s hard to guess. And make an effort to check your account on a frequent basis, says Josh Abraham, Praetorian director of services.
“An attacker may get into your account and you may not even notice,” Abraham says.
If you use multiple banking apps, use a different password for each one. And be sure to log off after each session.
Walsh says it’s smart to opt into “multifactor authentication” if your banking app offers it, meaning that in addition to your password, there’s an extra security step, such as being sent a text message with a code to enter.
Walsh even suggests cleaning your phone screen regularly, so thieves can’t see the smudge marks your fingers leave and guess your pass code.
When your mobile device alerts you to an update for your mobile banking app or your phone’s operating system, make sure you install it.
“When the developer issues an update to that app, often it is for security or functionality purposes,” Siciliano says. He explains that an update may come after the developer notices a flaw or weakness and moves to fix it. He suggests setting your mobile banking app and phone operating system to auto-update if possible.
Inscoe says not making the updates in a timely fashion could leave your phone more vulnerable to attack.
She says the updates are manufacturers’ and developers’ ways of trying to keep up.
“Security on these mobile devices is so poor, and it’s getting further and further behind the threats posed to it daily,” Inscoe says.