Hackers Target Your Mobile Bank App; You Can Fight Back
This article is part of a NerdWallet series that delves into what’s new in retail banking and what’s in it for you. We explore some of the surprising things in store for products, tech and security and look at how they’ll affect consumers.
By 2021, millions more of us will be doing our banking on smartphones and tablets, researchers say. The number of mobile bank app users is expected to leap 53% in the next four years. So far, mobile banking has been a pretty secure experience.
Mobile app breaches represented less than 3% of all computer records hacked last year, according to the Identity Theft Research Center, a San Diego tracking firm. But don’t get cozy.
A veritable flood of consumers is heading for mobile, according to Juniper Research. It predicts over 3 billion people around the world will be banking on mobile by 2021 — quite a lure for hackers who target financial apps. That means more people are likely to fall prey, so bank customers will need to be ready to protect their devices and their bank accounts.
Criminals try to access mobile apps in a number of ways.
Man-in-the-middle attacks
When a mobile app communicates with a financial institution’s server over the internet, the app verifies the bank’s or credit union’s identity by checking its server certificate.
With a man-in-the-middle attack, fraudsters will try to “listen in” on this network traffic, perhaps by accessing the same public Wi-Fi network as the mobile user, and attempt to send a fake bank server certificate to the mobile app.
If the app accepts the fake certificate, it could let the hacker receive the user’s personal information.
Key logger software
When installed on a mobile device, key logger programs secretly record a person’s actions as he or she uses the device. With a banking app, the malicious software could log your account names, numbers and passwords and send them to a hacker.
Phishing
It’s been around for years, but this tried-and-true hack is still popular with criminals, says Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association. It occurs when a fraudster pretends to be a legitimate financial institution and asks a mobile user to submit private bank information.
Many phishing attempts bypass mobile apps completely. A hacker could send emails telling people their account is locked and asking them to reply to the message with their account username and password. But the account isn’t locked, and the information a person sends would go to the criminal, not the bank.
5 ways to protect yourself
Hackers are malicious, but they don’t have to be successful. Here are five ways to stop them.
1. Don’t bank on ‘jailbroken’ devices
Some mobile users customize their devices in a way that lets them download apps that aren’t approved by the device’s app store. A “jailbroken” device might let the user remove some of the device’s mandatory apps, for example. Or it could allow a user to download apps that purport to offer free music or software. But if your device has been altered, it’s best not to use it for mobile banking.
“Jailbreaking obviously entices the user to get away from their mobile provider and use other companies,” Johnson says. “Be careful. You may think you’re downloading a new app for free, but you may also be downloading malicious software that will secretly try to breach your account.”
2. Use approved apps from approved app stores
Criminals will try to access bank accounts by getting customers to download apps from places other than the device’s approved app store. These applications might pretend to be electronic wallets, for instance, or they might offer to store IDs, Johnson says. But the apps may not have a legitimate purpose. To avoid exposing private information, make sure you know and trust the financial institution that provides the mobile app.
3. Keep your device up to date
Apple iOS and Android operating system upgrades often include security updates to protect your smartphone or tablet from the latest malware attacks. This is especially important with Android systems, which tend to be more open to developers. Criminals routinely try to exploit this openness. A recent study from Pulse Secure, a cybersecurity company, found that 97% of attacks were targeted at Android systems.
4. Know your app’s security features
Make sure your financial institution uses common technology standards to protect your app, such as these:
- Two-factor authentication: Before you can sign in to your bank’s app, two-factor authentication may require an extra piece of information in addition to a username and password, such as a code that’s sent by text to the phone. It adds another layer of security beyond the basic login credentials.
- Certificate pinning: Trusted mobile banking apps typically use a type of technology called certificate pinning to stop man-in-the-middle attacks by making sure the app has a copy of the bank’s security certificate. The app can then make sure the message it’s receiving is truly from the bank’s server.
- Innovative ways to log in: Many banks are looking at new ways to verify users before they sign in to mobile banking apps. These methods include retina scanning, fingerprint recognition and facial recognition, Johnson says. Other institutions are experimenting with authentication by finger movement across the mobile device, he adds. “Your phone over time will be able to detect that it’s you because of the way you interact with the phone. If a criminal accesses your phone, and movements across your screen don’t fit your normal pattern, the phone may refuse access to your personal banking information.”
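To show what the certificate pinning bullet above means in practice, here is an added Python illustration (not code from the article or from any bank's app): the app ships a set of pins for the bank's expected certificate and refuses to connect when the server presents a certificate that does not match, even if the device would otherwise trust it. The certificate bytes are constructed placeholders, not real certificates.

```python
import hashlib

# Constructed placeholder bytes standing in for DER-encoded certificates; real pins
# are usually computed over the certificate's SubjectPublicKeyInfo, not over text like this.
BANK_CERT_DER = b"constructed: bank.example current server certificate (DER)"
BACKUP_CERT_DER = b"constructed: bank.example backup certificate (DER)"
MITM_CERT_DER = b"constructed: attacker-controlled certificate for bank.example (DER)"


def cert_pin(cert_der: bytes) -> str:
    """Pin = hex SHA-256 over the certificate bytes shipped with the app."""
    return hashlib.sha256(cert_der).hexdigest()


# Pins baked into the app at build time. A backup pin lets the bank rotate its
# certificate without locking every user out of the app.
PINNED = frozenset({cert_pin(BANK_CERT_DER), cert_pin(BACKUP_CERT_DER)})


def certificate_pinned(presented_der: bytes, pins: frozenset = PINNED) -> bool:
    """True only if the certificate the server presented matches a shipped pin."""
    return cert_pin(presented_der) in pins


def connection_verdict(presented_der: bytes, chain_trusted_by_os: bool) -> str:
    """Decide whether the app may talk to the server.

    Ordinary TLS validation (chain_trusted_by_os) runs first. Pinning is the
    second gate: a certificate the device trusts only because a rogue CA or
    proxy was installed still fails here, which is what stops the
    man-in-the-middle attack described in the article.
    """
    if not chain_trusted_by_os:
        return "refuse: untrusted chain"
    if not certificate_pinned(presented_der):
        return "refuse: pin mismatch"
    return "connect"


if __name__ == "__main__":
    print(connection_verdict(BANK_CERT_DER, True))   # connect
    print(connection_verdict(MITM_CERT_DER, True))   # refuse: pin mismatch
```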
5. Use smart mobile phone practices
Banks are developing methods to secure mobile devices and financial apps, but the best line of defense for online security is still with the consumer, Johnson says.
Mobile device users should create screen lock passwords that are hard to guess, he says. That way, if the device is lost or stolen, there’s less of a chance a criminal, or any curious person who comes across the device, can access banking apps. In addition, be wary of conducting transactions over public Wi-Fi. If you’re not on a home network, consider switching to your cellular network to conduct mobile banking transactions, such as depositing checks and making account transfers.
It’s also important to monitor your accounts regularly and immediately report any suspicious activity. It helps the cybersecurity department of your bank or credit union stay on top of the latest breaches, and you can protect yourself against liability for financial losses.
Protecting your device
As long as you have a bank account, there will probably be hackers who try to access it. By using a secure, trusted app, keeping your device up to date and using good consumer practices, you can help protect your money and keep criminals at bay.
This article was written by Margarette Burnette and originally appeared on NerdWallet. 07 August 2017.
Used by permission. Copyright © 2017 NerdWallet, Inc. All rights reserved.