7 reasons not to use online banking

Increasingly, when choosing a bank, prospective clients pay attention to how easy its mobile banking client for Android or iOS is to work with. But in addition to convenience, you need to pay attention to the security of the software. Can a user evaluate the reliability of the application?

Convenience or safety?

There is an annual rating of mobile banking applications. One of the criteria for an application to be included in it is the size of its user audience, and leadership is determined by functionality and convenience. It turns out that the more actively an application is refined during the year, and the more technologies are introduced that speed up and simplify working with it from the user's point of view, the greater its chance of being at the top of the rating. However, the topic of application security remained outside the scope of the study.

It’s no secret that the most convenient applications, those that satisfy any user need, most often suffer from an insufficient level of security. And those that, on the contrary, prioritize security are not so easy to use. What to do? Should you sacrifice protection for the sake of comfort? Or continue to “cry and prick yourself on an uncomfortable but safe cactus”?

To answer this question, we have identified a number of criteria that affect the security of a mobile banking application. The more of them a particular application implements, the higher the assurance that its user’s funds are safe. Application users can evaluate some of the proposed criteria on their own, while others require higher technical competence. Nevertheless, it is necessary to know about them.

1. One-time passwords

The first thing you need to understand about passwords: the absence of two-factor authentication using SMS (or other methods) dramatically increases the chance of successful theft of funds from client accounts, and this is the first factor that indicates problems with online banking. Therefore, we recommend that you pay the greatest attention to the presence of two-factor authentication. Moreover, this particular criterion does not require a deep dive into the technical part.

What should you pay attention to?

  • Firstly, do you even receive SMS messages with one-time passwords?

Most often, the application developer’s logic is as follows: “You are already using a mobile application, so why also send it a message with a password?” As a result, an attacker who has stolen only the session ID, without taking over your phone, can carry out operations without any confirmation.

  • Secondly, which actions with the application (or in it) are confirmed by a one-time password?

Moreover, the options in this case can be, as they say, “in assortment”: registration, login, financial transactions, change of personal data, change of password…

  • Thirdly, it is worth assessing whether it is possible to disable confirmation via SMS completely.
  • Fourthly, how many attempts are you given to enter an incorrect password, and what happens next?

If, say, you entered an incorrect password three times (and there are thresholds of even ten attempts) and were not blocked, this is more than enough reason to think about the security of the application.
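The checks listed in this section, seen from the bank's server side, as an added example (not code from the article or from any bank): a one-time code bound to one session and one action, with a limited number of wrong attempts. The names `OtpChallenge` and `authorize`, the list of protected actions, and the limits of 3 attempts and 120 seconds are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 3   # assumed policy: wrong guesses allowed per code
CODE_TTL = 120     # assumed policy: seconds a code stays valid
# Assumed set of actions that must always be confirmed with a one-time code.
OTP_REQUIRED = {"login", "transfer", "change_password", "change_personal_data"}


class OtpChallenge:
    """One SMS code, bound to one session and one action."""

    def __init__(self, session_id, action, now=None):
        issued = time.time() if now is None else now
        self.session_id, self.action = session_id, action
        self.code = f"{secrets.randbelow(10**6):06d}"  # delivered out of band (SMS)
        self.expires = issued + CODE_TTL
        self.failed = 0
        self.used = False

    def verify(self, session_id, action, code, now=None):
        now = time.time() if now is None else now
        if self.used or self.failed >= MAX_ATTEMPTS:
            return "locked"       # code is dead; a new challenge must be issued
        if now > self.expires:
            return "expired"
        bound = session_id == self.session_id and action == self.action
        match = hmac.compare_digest(code.encode(), self.code.encode())
        if bound and match:
            self.used = True      # single use: replaying the same code fails
            return "ok"
        self.failed += 1          # wrong code or wrong session/action both count
        return "locked" if self.failed >= MAX_ATTEMPTS else "rejected"


def authorize(action, challenge, session_id, code=None, now=None):
    """A valid session alone is not enough for a protected action."""
    if action not in OTP_REQUIRED:
        return True
    if challenge is None or code is None:
        return False              # stolen session ID without the SMS code
    return challenge.verify(session_id, action, code, now) == "ok"
```

A production service would also count failures per account across challenges, which this example leaves out.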

2. Traffic interception

How easy is it to intercept the banking application's traffic using an installed certificate? For this test, you need to conduct a so-called man-in-the-middle attack. It is difficult for an unprepared person to carry it out, but there are detailed instructions on the Internet, adapted for Android and iOS. Moreover, it is the banks’ responsibility to make it difficult for an attacker to carry out a man-in-the-middle attack. Otherwise, if a client can be tricked into installing an arbitrary certificate, attackers can easily intercept that client's traffic.

3. Malware and attacks

It’s never a bad idea to find out whether there is malware developed specifically for your mobile application: various information resources regularly publish data about emerging (or activated) malware.

Information published on the Internet allows you to assess the level of current risks for users of various services, including mobile banking. If your bank’s clients are being targeted by all sorts of hackers, this clearly increases the chance of your personal account being compromised.

4. Response to suspicious transactions

Remember what happens when a card is blocked: to unblock it, do you have to go to the office, or is it automatically unblocked after, say, a day? The first is clearly safer, and the second is more convenient, there’s no arguing about that. And this is the most significant example of a compromise between convenience and security.

5. Operating system

Our research statistics show that the situation also differs depending on the platform (Android or iOS).

On average, each Android app today has 3.8 vulnerabilities, compared to 1.6 for iOS apps. At the same time, vulnerabilities in Apple operating systems are exploited in real conditions much less often than vulnerabilities in Google mobile operating systems. Accordingly, users on iOS have a much lower chance of being attacked when using online banking. Android owners are strongly recommended to use antivirus software, which can reduce the likelihood of known vulnerabilities being exploited.

6. Automatic search for vulnerabilities

We have discussed 5 bad things about online banking. How many of them apply to your online banking? If at least one point applies to your Internet banking, then it’s worth checking the application before you next use it.

Did you know that there are mobile application verification services? They do exist, and they are worth using. Even if the service did not find any vulnerabilities, this does not mean that none exist. And vice versa: if vulnerabilities are found, this does not always mean that they are critical. But any additional information about the application will be useful. Analyzing iOS applications is much more difficult, so there are no corresponding free automated online services yet.

7. Updates

Only the lazy today are not aware of the importance of timely updating of systems installed on a PC. This rule also applies to mobile banking applications.

If developers do not pay due attention to operating system updates (including security issues) and allow their applications to run on older operating systems, this increases the chances of the application being hacked using known vulnerabilities in the operating systems themselves.

If developers regularly search for and fix vulnerabilities in their applications, and prevent their applications from running on vulnerable systems, the environment the application runs in becomes more secure than it would be without constant updates.
