How secure are mobile banking apps?

Mobile security combines several of the challenges of web security, such as rapid development cycles and continuous network connectivity, with threats familiar from traditional applications, such as local data encryption and malware. Mobile banking apps can be attacked from several different surfaces, which we cover below.

Browser-based attacks
Browsers are integral to an efficient working environment, but they also serve as an ideal attack vector. Web-based threats exploit browsers, their extensions, third-party plug-ins (e.g. JavaScript) and content management systems (CMS) to harvest credentials and infect systems with malware.

Man-in-the-Mobile (also known as MitMo attacks). This attack lets malicious actors use malware planted on a mobile device to bypass verification systems that send one-time codes to the user’s phone via SMS for identity verification. In that way, intruders can access or manipulate mobile functionality, including gaining access to the victim’s bank account. Because SMS one-time passwords are easily defeated by this attack, the recommended countermeasure is one-time passwords that are generated offline on the device and bound to the current time.

Clickjacking. Clickjacking is an attack in which the attacker hijacks a UI component on a website. Technically, an invisible iframe (a frame within a frame) is placed over a clickable element on the page, so that the user’s click triggers the attacker’s framed content instead of the intended action. There are several variations of clickjacking, including likejacking, cropping and cursorjacking. Apart from stealing bank account information and social security numbers, clickjacking can also install apps on a device without the user’s knowledge.
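As an added example (not from the original article), this Python check inspects a page’s response headers for the two framing controls that stop an invisible iframe from being laid over it; the header values it runs against are constructed, and the function names are my own.

```python
# Added example (not from the original article): a response-header check a
# defender can run on a banking site's pages to confirm that they cannot be
# framed, i.e. that the invisible-iframe overlay used in clickjacking is blocked.
from typing import Dict


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-list' or 'none'.

    A CSP frame-ancestors directive is authoritative when present (browsers
    that support it ignore X-Frame-Options), so it is evaluated first.
    """
    csp = _header(headers, "Content-Security-Policy")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if not sources or sources == ["'none'"]:
                return "blocked"      # an empty source list also means 'none'
            if sources == ["'self'"]:
                return "same-origin"
            return "allow-list"       # explicit origins: review the list
    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"


def is_clickjacking_protected(headers: Dict[str, str]) -> bool:
    """Login and transfer pages must not be framed by third parties."""
    return framing_protection(headers) in ("blocked", "same-origin")


# Constructed sample responses, not captured from any real bank.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",  # fallback for browsers without CSP frame-ancestors
}
```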

Phishing. Phishing is a type of social engineering attack, usually carried out via email, that aims to steal login credentials and financial information. Banking institutions have email filtering in place, and these products do a decent job of keeping phishing and malicious emails away from users. However, they are far from perfect, simply because the phishing landscape evolves rapidly. Also be aware that bank websites always use “https”; if you do not see the “https” prefix before the site’s URL, the site is not actually secure.

Phone/SMS-based attacks
The growing pool of mobile devices has become an attractive target for cyber criminals. Your mobile phone can be attacked and infected with worms or other viruses, which can compromise your security and privacy. Phone- or SMS-based attacks can result in the theft of sensitive information, so stay informed.

SMishing. SMishing (also known as SMS phishing) sends a text message to a user’s phone in an attempt to get them to reveal personal information. This attack is a growing and serious concern for all banking institutions. The most common type of smishing attack is a text message directing the recipient to call a number to confirm account information. Smishing attacks have higher success rates than traditional phishing because users tend to consider the communication legitimate.

NFC attacks. NFC, which stands for Near Field Communication, is a short-range contactless communication standard. Today, NFC technology is widely used in a number of applications, including physical access control and cashless payment. But how secure is NFC? There are several potential threats you should be aware of. The first is eavesdropping and tampering, in which an intruder intercepts, and may delete or modify, the data exchanged between two devices. Another is the relay attack, in which data is extracted in real time by bridging an NFC or mobile payment device and the PoS terminal.

Application-based attacks
The influx of new financial applications released every year has increased the volume of cyber security threats against mobile banking apps. Given that, incorporating mobile app security into the overall security strategy must be a top priority for financial institutions.

Insecure data storage. According to a report titled “In plain sight: The vulnerability epidemic in financial mobile apps”, 83% of financial institutions’ apps stored data insecurely. Common mistakes in securing data storage include improperly storing certificates and passwords, weak algorithm choices, omitting necessary maintenance precautions, and many more.

Weak encryption. Encryption is one of the most crucial components of a banking app. Weak encryption may lead to sensitive data exposure, broken authentication and spoofing attacks. Once data is encrypted, only authorised parties who hold the key can read it. Banks should use advanced encryption standards to keep customers’ data out of the hands of unauthorised users.

Improper SSL validation. SSL (Secure Sockets Layer) certificates are digital certificates used together with encryption to protect data in transit. They provide authentication of the site, confidentiality of transactions and integrity of information. Bugs in a mobile banking app’s SSL validation process may result in data breaches.