Thursday, January 23, 2014

Are Mobile Banking Apps Secure?

We have apps on our smartphones to chat with friends, maintain our schedules, and purchase our morning coffee.  Both the Apple and Android app stores catalogue millions of apps, targeting users from all age groups and demographics, across the globe.  The convenience of having your world right at your fingertips has spawned a revolution.  People are now so in tune with their mobile lives that they simply forget that accessing some information across public Wi-Fi connections or through untrusted apps can lead to major headaches.

Like identity theft.

Jumping on the bandwagon to attract more customers, banks recently launched mobile apps for both smartphone platforms so that people can transfer money, check balances and pay bills on the go.  But considering the vital information that is stored on a banking website, are these apps secure?

One researcher at IOActive conducted his own tests against 40 different iOS mobile banking apps and found that 70% do not support two-factor authentication and only 40% operate over SSL.  What does this mean?  Two-factor authentication consists of two of three authentication mechanisms – what you know, what you have, and who you are.  Typically, for most organizations, this includes a password (what you know), a fob with a rotating PIN (what you have), and, in highly secure areas, a fingerprint scanner (who you are).  Most banks offer two-factor authentication into their sites by a bank card number/password combination (what you have), and a secondary secret question to verify you are who you say you are (what you know).  What’s surprising about bank mobile apps is that it is hard to find a reputable bank that hasn’t implemented two-factor authentication for its website, yet most haven’t bothered to include this vital control in their apps.

SSL certificates act as a second factor in authentication as well, because your correct password tells the banking servers that you are now a legitimate user, and a public certificate is used to set up the session.  Traffic between your computer, once logged into their website, and their internal server is encrypted end to end.  This means only well-intentioned hackers should be able to intercept the data in transit and obtain bank card, password and balance information.  The lack of secure connectivity between mobile apps and the bank is shocking – this information is sent in clear text across the public Internet where anyone can see it!
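Whether an app "operates over SSL" is only half the question; the client also has to verify the bank's certificate, or an interceptor's certificate is accepted just the same.  The following is an added example, not code from the original post or from any bank's app, using Python's standard `ssl` module (the protocol is TLS today, which is what the post's "SSL" means in practice).  `weak_client_context` is the configuration an app has when certificate and hostname checks are switched off, `hardened_client_context` is what a banking client should use, and `tls_findings` is a small audit that reports the difference.  Everything runs offline; no connection is made.

```python
import ssl


def tls_findings(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client-side SSLContext (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (minimum_version=%s)"
                        % ctx.minimum_version.name)
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The 'it connects, so it must be fine' pattern: the session is encrypted,
    but to whoever answers, because any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE    # accepts any certificate, an interceptor's included
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What a banking client should use: verified certificate, checked hostname,
    modern protocol floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, "->", tls_findings(ctx) or ["no findings"])
```

A practitioner reviewing an app would run the same three checks against the context (or the platform equivalent) the app actually hands to its HTTP client; a context that fails the first two gives the "encrypted" padlock without any assurance about who is on the other end.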

Recently, it was reported that 8 out of 10 banking apps for mobile devices, both Android and Apple, contain major security flaws.  Credit unions were at the top of the list, with JavaScript errors one of the most predominant problems.  

Protect yourself.  The most secure thing you can do is NOT use mobile banking apps until the implementers have figured out that there is a critical need to encrypt this data and force two- or three-factor authentication for all users.  Mobile devices are inherently at higher risk for theft, loss and data capture, so running insecure apps on them is the worst thing you could do.

The RoyalBank states that all transactions are guaranteed to be secure when using its mobile app.  However, this same app also allows the user to save his or her card number or username.  Even this information presents an opportunity for data theft.  Read the fine print or call your bank before using any mobile banking app to find out about its security controls.
