Mobile banking security – secure financial transactions on the go
Stay safe online: how to use mobile banking without worries
Discover how to use mobile banking securely. Tips on device security, app installation and network use for worry-free financial transactions.
Mobile banking is a specialised form of e-banking that allows customers to conduct banking transactions via mobile devices such as smartphones and tablets. Despite its popularity, many users have only limited trust in the security of mobile banking. However, with a few simple rules of conduct, you can carry out your financial transactions on the go without security concerns.
Well over half of all financial transactions are now carried out using specialised apps on mobile devices, and the trend is rising. Mobile banking apps often offer additional features such as scanning invoices with the camera or push notifications for transactions. According to a recent study by the Lucerne University of Applied Sciences and Arts, the most advanced banking apps in Switzerland contain over a hundred different functions. Here, too, the trend is rising.
While only a small number of customers use the sometimes extensive range of functions offered by the apps, traditional banking transactions such as paying bills, checking account balances or verifying payments are used frequently and willingly. Despite the high popularity, many users are unsure whether mobile banking is just as secure as traditional e-banking. On closer inspection, however, it quickly becomes clear that it is not so much the app as the use of the mobile device itself that can lead to potential security vulnerabilities. A few simple measures can go a long way towards ensuring that mobile banking apps are used securely and conveniently.
Security thanks to banking apps
Mobile devices are space-saving, handy and almost always with you. In addition to these obvious advantages, smartphones and tablets also offer security advantages over traditional computers. Because the financial institution installs its own software, the mobile banking app, on the user’s device and all banking is done through it, important security functions are also integrated directly into the app.
For example, the connection to the financial institution is made through the app, so that, unlike with traditional e-banking, the bank’s address does not have to be typed into a browser. This eliminates the need for the user to perform unpopular tasks such as checking the secure connection. This represents a significant increase in security compared to browser-based e-banking, because it makes phishing attacks much more difficult. These typically use fake banking websites to which bank customers are directed by e-mail, text message or instant message. This is not possible when using a mobile banking app because it is programmed to connect only to the corresponding bank.
Furthermore, the security mechanisms integrated into the mobile device can also be used to their full advantage. For example, the banking app can be accessed using biometric methods such as fingerprint or facial recognition. This is convenient for end customers and, if these procedures are used correctly, it is also secure. In addition, only one device – the smartphone or tablet – is required, whereas traditional e-banking usually requires, in addition to the computer, a second device (today mostly the smartphone) to log in using two-factor authentication.
However, the advantages mentioned only apply if the mobile device is also used securely, i.e. as long as certain rules of conduct are followed.
Secure your mobile device
First of all, you should minimise the general security risks associated with using a mobile device. This includes activating the automatic screen lock using a PIN, password, fingerprint or facial recognition, promptly installing operating system and app updates, and installing an anti-virus app on Android devices.
A cautious approach is particularly important when it comes to smartphones and tablets: do not leave your device unattended, do not share your login details with anyone, and always shield them from view when you enter them. As with PCs, do not tap on any unknown links and delete messages from unknown senders immediately. Keep in mind that links to fake bank sites or malware can also be distributed via short messages such as SMS, WhatsApp or Snapchat. So check first, then tap.
Special attention should be paid to eSIM offers. The electronic alternative to physical SIM cards is considered more susceptible to counterfeiting, so using a physical SIM card tends to be more advisable.
Banking apps: it’s all about the source
Once you have ensured the basic protection of your mobile device, the next thing to look out for is the apps on it. Make sure that they come from the respective official store, i.e. the Apple App Store, Google Play Store or Samsung Galaxy Store. Be suspicious of apps with a poor reputation and recommendations from strangers. Find out about the provider before installing an app. All the security precautions are of little use if an impostor’s app is installed instead of your bank’s app.
When you first start a newly installed app, it will often ask for certain access rights, such as to use the camera, access the location or the contact list. Many apps grant themselves extensive rights for no apparent reason. Therefore, check critically whether the permissions are really necessary to fulfil the functionality, and deactivate any unnecessary access rights if possible.
In addition, only install the apps that you really need and check from time to time which apps you are still using. Uninstall outdated and no longer needed applications – every additional app represents a potential security vulnerability.
Be careful with free Wi-Fi and when abroad
Your mobile device can connect to the internet and thus to your financial institution in a number of different ways. If you use a Wi-Fi (WLAN) connection while on the move, you should ensure that it is secure. Dubious network providers could redirect the banking app to the wrong server or intercept access data that you enter.
Especially when travelling, for example on holiday, ‘free WiFi’ networks at the airport, in the hotel lobby or in the restaurant should only be used with caution. In particular, critical applications such as financial transactions should not be carried out over such networks. If necessary, you can secure the connection to the bank using a VPN app (VPN = virtual private network). Such apps are offered by various providers at different prices.
If you use a data roaming option over your provider’s mobile network instead of a Wi-Fi connection when you are abroad, a VPN app will also provide additional protection. However, bear in mind that you may be charged twice for this: once for roaming and once for the VPN.
If the device is lost…
Smartphones and tablets often have more than one owner during their lifetime. Used devices are resold, given away, sometimes lost or stolen. If your mobile device falls into the wrong hands, files or access data stored on it can be tapped and misused under certain circumstances.
Lost or stolen devices can be remotely locked using special apps, deleting the personal data on the device. After a device has been locked, the SIM card should be blocked by the telecom provider. When passing on or disposing of the device, the SIM card should be removed and the data on the device should be deleted by resetting it to the factory settings.
Conclusion
Mobile banking apps offer a high level of convenience and security for financial transactions while on the go, provided they are used correctly. This includes protecting the mobile device with a screen lock and security updates, installing the banking app from the official store and restricting the app permissions. When on the go, the device should only be connected to trusted networks or secured via a VPN app. And if the device is passed on, lost or disposed of, all data on it should be securely deleted.
Author: Björn Näf, Lecturer in Cyber Security & Cybercrime, ‘eBanking – but secure!’ team (www.ebas.ch), Lucerne School of Information Technology
