Mobile banking security
A smartphone is a very personal piece of technology. It accompanies you wherever you go. It keeps you connected to countless personal email accounts and information streams.
It also records much of what you do; its global positioning system tracks your movements, and its browsers are geared to anticipate your interests and intentions by storing commonly-used search terms and sign-in details. All of this is simple enough for an individual to accept, but what about when it comes to sensitive financial data – and not just yours, but that of your business and its customers?
Using a smartphone to monitor email and social media is one thing, but can these devices really be secure enough for online business banking?
More or less secure?
Andrew Longhorn, chief technology officer at mobile development company iApps, asserts that banking on a smartphone is more secure, if anything, than doing so on a desktop PC. He suggests that, although mobile is susceptible to the same risks as a computer or server, its lack of a fixed connection means it’s less likely to be actively targeted.
“With a mobile phone, it’s not like it’s a server or a fixed object that people can get to as easily,” says Longhorn. “It sort of changes its footprint as you walk around because you’re connected to different networks, you’re connected to different devices, and you’re always changing IP addresses. It sort of hides you a bit in that respect. You’re not as easy a target as a server is.”
Regardless, if a smartphone is used to communicate sensitive data like bank account details, then that information can be intercepted by malicious third parties with little difficulty.
“At the moment, there’s a lot of focus in the hacking community around hacking mobile devices and tablet PCs,” says Ty Miller, CTO of penetration testing company Pure Hacking. “The hacking tools that are coming out lately are becoming more and more advanced at being able to target mobile devices.”
“Once your phone is compromised, the attacker has access to everything your phone has access to,” continues Miller. “Because you’re generally pre-authenticated with apps on your phone, [the hacker has] direct access to your Facebook or your email account, and the potential to do things like capture keystrokes to then break into things like your internet banking.”
Despite the growing focus on smartphone users, many business owners fail to realize the vulnerabilities of entering sensitive information into their Blackberry.
“We think about security when we talk about desktops and laptops, but we don’t think about security intuitively when it comes to devices,” says Tina Su, senior product marketing manager at security firm Trend Micro. “Just as we are susceptible to risk by banking online on the laptop, the same risk applies for our smartphone devices as well.”
The best way to address the security of mobile devices in a business is to apply the same degree of security management and maintenance as you would to regular PCs.
“The idea now is smartphones should be treated just like any other endpoint. You need to be able to manage that endpoint – to see what actually is going on and what information is being accessed on the phone,” says Su. ”We deal with some extremely large customers, and they’re still hesitating at bringing smartphones and tablets into the work environment because they’re fully aware, not just of the administration involved, but of the asset and risk management of those devices.”
As with PCs, risk management for smartphones and tablet devices has much to do with keeping operating systems and anti-virus software up-to-date.
“Make sure you’re keeping up to date with the latest security patches, and installing mobile anti-virus software on your phone,” says Pure Hacking’s Miller. “That’s important just because the vendors of these mobile devices or the operating systems are usually behind on the vulnerabilities that are actually present. That’s where the mobile anti-virus comes in. If you’ve got that as a second layer of defense, then if you do get a compromise, then hopefully your anti-virus will pick it up.”
Modes of use
While a smartphone’s mobility might make it less susceptible to active attacks, the main risks lie in the way the owners use it. If it’s used to access a web-based bank sign-in page via a browser, then it’s vulnerable to the same risks that apply to that process on a desktop computer.
“If they’re just using their traditional web-based internet banking, then it’s probably still a little bit more secure, but there’s an inherent problem in that whole approach: the software that you’re using exists on the website, which means if there’s any malware that’s inserted into the website, it’s going to affect all of the users,” says Longhorn.
“Whereas, if you rely on some hard-coded bit of software that’s been verified, that has been uploaded by the bank system itself, and you use that on your mobile device, then they can make it a lot more secure that way.”
He identifies the Commonwealth Bank as one such institution; the Commbank app requires users to fill out their sensitive details offline, an encrypted version of which is sent to the institution as a kind of security signature when they need to bank on their phone.
“That helps to alleviate any chance of a man in the middle attack because the key chain was entered ‘out of band’ – which is without using the network that you’re using to communicate,” says Longhorn. “There’s less opportunity for someone to sit on the network and listen to the traffic because they weren’t privy to the original key exchange.”
Despite the measures taken by organizations like banks to protect the personal information of those using their online services, the truth is that nothing can entirely rule out the possibility of it being compromised.
“What people don’t realize is that just saying it’s encrypted is not any guarantee of security,” continues Longhorn. “In fact, any level of security is not a guarantee of security. The more you obfuscate things the more you make it difficult for people, the more of a disincentive it is for people to try and do it. There’s a law of diminishing returns.”
Mobile phishing
As banking apps become more popular, so too do phishing apps designed to lure customers into a false sense of security and divulge their sign-in details.
“Whenever we download applications, we don’t really know whether they’re a true application, or if it’s actually a piece of malware designed by a hacker to get your confidential information,” warns Trend Micro’s Su.
She explains that one of the major threats posed to smartphone users lies in apps that appear to have been created by respected companies, but that has actually been developed by hackers endeavoring to phish for login details. Pure Hacking’s Miller notes the likelihood of this kind of attack depends heavily on the type of phone being used.
“With iPhones, usually the attack vector they’ll use is going to be basically put an exploit into a website, which then compromises your phone through vulnerabilities within things like Safari,” he says. “If you have an Android, you’re more likely to have your phone compromised through malicious apps that you install that are available through the marketplace. That’s because Apple has a much more stringent reviewing policy or QA policy that they go through before they release apps, whereas the Android marketplace is much more open to people just publishing malicious apps that don’t actually get picked up.”
The fact that phishing scams continue to thrive is a testament to the willingness of users to place trust in little more than the appearance of a familiar logo. When it comes to this type of security threat, human error is effectively the only thing standing in between a business owner’s smartphone and the security of their bank account. Given this, it pays for smartphone-equipped business owners to be particularly selective when choosing apps. Su recommends that business owners check with the provider that they do in fact have an authorized app, for example. Short of ruling out the use of smartphones altogether, a little bit of common sense can go a long way to using them securely.
