Banking and buying with your mobile device is powerful and convenient—and in some ways safer than using your bank card. You can check your balance, make secure payments, deposit checks, and transfer funds. You can even connect your debit or credit card to Apple or Google Pay (or another payment service) for quick and easy purchases with a mobile wallet and Near-Field Communication (NFC), or by scanning a Quick Response (QR) code at the checkout line.
That said, mobile banking and buying can have its pitfalls if you’re not savvy about how and when to use it and under what conditions. Unbeknownst to you, infections can hack the data stored on your device and cybercriminals can spy on transactions in transit, even steal the identity data and money in your accounts. A set of best practices for ensuring device, app, network, and account security can help keep your identity secure and your money safe. What are these best practices and what tools can you use to enhance your mobile banking security?
Mobile Banking and Buying: The Good and the Bad
First, let’s get a better picture of the good and the bad of mobile banking and buying. What kind of banking can you do on your mobile device, but what do you have to watch out for as you do it?
The Good
You can manage your accounts online. Among a long list of mobile banking management tasks, you can check your account balances, review recent transactions, set notifications and reminders, transfer money between accounts or to individuals, and set a schedule for recurring payments. You can even open a new account, apply for a loan, schedule a meeting with a banker, or get your credit score. But it doesn’t stop there.
You can use card-free ATM access. If you’re out and about and need cash but have forgotten your wallet and ATM card, you can use your mobile device to get it. The feature is typically enabled by logging into your account, enabling card-free access, then having a code sent to your mobile device that’s active for a limited time (say, 30 minutes). Once at the ATM, you simply enter the code and your PIN to access the ATM menu and withdraw your money. You can also log on to your bank’s ATM to withdraw or deposit money using your mobile phone’s NFC connection and your bank’s mobile wallet at ATMs displaying the contactless symbol. (More mobile wallet info below.)
You can deposit checks. Many banks now allow mobile check deposit. Again, you simply log into your account, enable the feature, enter the amount, then using your smartphone’s camera, take pictures of the front and back of the check and complete your deposit. You’re given a receipt and after five days or so, you can void or destroy the check or just put it in your banking folder with a deposited stamp.
You can buy goods. Finally, of course, you can enable your bank’s mobile wallet for payments at stores or link your account to well-known mobile wallets such as Apple or Google Pay or others. Once you do, you can make purchases via NFC-enabled terminals simply by placing your phone next to the terminal, then verifying the transaction with your PIN. A digital card number is passed to the merchant, not your real card number, making it safer than using your physical card. Alternately, you can use a QR Code scanner with your bank’s app and mobile wallet (as with mVISA, which has an embedded QR Code scanner), then make the purchase(s) by scanning the QR code on display (e.g., as at a restaurant, on a menu, or on the point-of-sale (POS) system, as a tally of your list of items); or by scanning the purchase item’s QR code to your phone, then exposing it to the store’s POS QR Code scanner, which reads it and completes the purchase. Bingo, you’re done. And again, the transaction is safer than using an actual card.
The Bad
All that’s great—but what should you be wary of, so cybercriminals don’t hack into your device or apps and turn your mobile banking into a nightmare?
A Compromised Device. Your mobile device can be compromised through dangerous websites, email phishing, and messaging apps, when malware is downloaded and infects your device. Clicking an attachment can start the infection process. Devices that are jailbroken or rooted can also be more vulnerable to malware infections, particularly during bootup, since the cryptographic chain that verifies the secure loading of the operating system has been broken.
An Insecure or Infected Browser or App, and Fake Banking Apps. Mobile banking can be done through your browser or a banking app. Browser-based banking can sometimes be risky because trojans, script injections and exploit kits that infect your machine via drive-by downloads can steal your banking information. Banking apps can also sometimes be risky because fake banking apps can show up in app stores, or infections can present malicious overlays over legitimate Android banking apps to steal your login credentials. Insecure browsers or apps can also be vulnerable to cross-site scripting or man-in-the-middle attacks, while poorly designed banking apps can contain insecure links and may not check the validity of SSL certificates. Note too, that storing passwords in your browser can also lead to data theft and compromised accounts.
Compromised Networks. Wi-Fi hotspots in public places, particularly in malls, plazas, hotels, and cafes, are susceptible to malicious monitoring or “network sniffing” by hackers, especially when unsecured by WPA2-PSK (AES) encryption and password requirements. You also might mistakenly log on to a copycat hotspot run from a hacker’s PC nearby. Login credentials can then be subject to theft, leading to compromised banking accounts.
Insecure/Stolen Account Credentials. Finally, email hoaxes that convince you your bank account has been hacked and that you need to log on to confirm or change your password are a favorite tactic among thieving cybercriminals. They’ll provide a link or button to take you to the hoaxed website that mimics your bank, from which they’ll capture your keystrokes, your name and password, as you log in. Then your identity, and your money, are severely compromised.
Watch for Part 2 of our blog, where we provide some best practices for keeping your banking and buying secure. We also provide a list of tools to help you do that.
