Even before the COVID-19 lockdowns, mobile banking was taking off. Thirty-three percent of bank customers were using a mobile app before the pandemic, according to a survey conducted for the American Bankers Association. Today, 44 percent of bank customers use a mobile app.
But is mobile banking truly safe? Bank fraud is popular with identity thieves, who steal personal credentials, usually for financial gain.
Is mobile banking safe?
Cybersecurity experts say mobile banking is safe, but urge consumers to take certain precautions.
“If you download the mobile app from a secure store, that is just as safe as visiting a bank branch,” says Paul Benda, senior vice president for operational risk and cybersecurity at American Bankers Association.
Benda says the safest place to download a mobile banking app is from your bank’s website.
“Banks use extremely secure, high-end encryption technologies,” Benda says. “We like saying that mobile apps are like having a bank branch in your pocket.”
Watch out for these types of cyberattacks
There are myriad ways that fraudsters target consumers, but the FBI cites two forms of cyberattacks in particular:
1. App-based banking Trojans
These are hidden in unrelated apps such as games or tools that are downloaded by unsuspecting bank customers. These “sideload” apps, which are downloaded from unofficial sources, might conceal malware that is dormant until a user launches a legitimate banking app. Then the Trojan creates a pop-up overlay that mimics the bank’s login page. When customers enter their username and password, they are seamlessly directed to the legitimate banking app login page, with no idea that they have been scammed.
“The malware can be downloaded in a variety of ways, such as SMS (short message service, or text) with a malicious hyperlink,” says Teresa Walsh, global head of intelligence at Financial Services Information Sharing and Analysis Center (FS-ISAC), which mitigates cyber threats in financial services. “This type of malware is actually on sale on the criminal underground marketplace.”
2. Fake banking apps
These apps impersonate the real mobile apps of banks and are designed to trick users into entering their login credentials. The FBI says it is “one of the fastest growing sectors of smartphone-based fraud.”
Should you use a mobile banking app?
If you’re worried about using a mobile banking app, be aware that security threats exist everywhere, including inside the bank lobby.
“There is the risk that the bank employee will do something that is illegal, like stealing your banking information; this is known as an insider threat,” says Donald Korinchak of CyberExperts.com.
With a mobile app, “there are potential vulnerabilities related to the security posture of the app itself – vulnerabilities in code, encryption methods, et cetera – and also potential vulnerabilities related to the transmission of information,” he says.
“In both scenarios, the bank invests heavily to ‘bake in’ security,” Korinchak says. Financial institutions monitor their employees’ behavior and also look for vulnerabilities in their app that can be patched before they are exploited by criminals.
There are also precautions you can take to reduce the risk.
How to protect yourself against mobile banking fraud
1. Download a verified banking app from your bank’s website.
Many banks feature links to the app stores from their websites to help you download the right app. “Your bank should have available information on what type of mobile app they use, what features are on it and what you need for access to it,” FS-ISAC’s Walsh says. “Then, use a reliable app store, paying attention to the owner/developer of the app and whether there are other apps with the same name.”
Talk to your bank to make sure, but never download an app found on an open forum.
2. Make sure your bank uses two-factor or multi-factor authentication.
Two-factor or multi-factor authentication requires bank customers to prove their identity when logging in to accounts by providing at least two pieces of authenticating information. This is usually a password or PIN as well as a confirmation code sent via text message to their cellphone.
Two-factor authentication vastly increases security, Korinchak says, but isn’t 100 percent secure. “Someone could gain access to your phone or someone could intercept the SMS traffic to gain access to the code,” he says.
3. Use a strong password.
One of the best ways to protect yourself is to use a password that contains random upper and lower case letters, numbers and symbols. Don’t ask your browser to remember it for you either; use a reputable password manager instead.
“Reputable password managers are coded in a way that reduces risk to the user and are highly hardened against potential attackers,” Korinchak says. “Most cyber security experts recommend password manager software.”
4. Avoid using public Wi-Fi.
When you log on to a public Wi-Fi hotspot, you often get a warning that you’re not on a secure network, and that others may be able to watch your online actions. That’s a strong reason not to conduct any financial business using a public network. Instead, use your cellular network or your home Wi-Fi to better protect your personal information.
5. Get smart about phishing and smishing.
Phishing emails often look legitimate, like they really are from your bank or credit card issuer. But ID thieves use them to trick people into divulging personal information, and they may contain malware.
Smishing is the same tactic, but conducted through text messages.
“Users should be familiar with their banking application in the first place to detect abnormal questions or pop-ups that look slightly different than the usual features,” Walsh says.
6. Set up alerts via email, text or the bank’s app.
A quick notification from your bank about transactions on your account can help you detect potential fraudulent activity. You can then address the matter with your bank in a timely manner.
How banks protect customers from cyber threats
Banks, credit unions and investment firms invest heavily to shield themselves against cyber attacks.
“I think it’s safe to say banks spend billions to protect customer accounts,” says ABA’s Benda. “Due to Regulation E, they’re on the hook if there’s an attack.”
Regulation E limits consumer liability to $50 if an unauthorized electronic funds transfer is caught by a customer within two business days, and up to $500 if caught outside the two-day window. Financial institutions are responsible for everything above that amount.
“Banks have very robust controls in place to control fraudulent activity,” says Benda. “A lot depends on consumer behavior, making sure consumers follow safe practices.”
Banks spend a lot of time and money to protect their digital operations (including mobile apps) and their customers from theft and fraud. Customers have to do their part, too, by practicing safe mobile banking habits to best guard against attacks.