Information security watch – m-Banking
Internet-enabled smartphones have triggered a rapid growth in the mobile applications market, which includes mobile entertainment, mobile information services and mobile shopping, facilitating a fundamental change in the banking industry. Smartphones have enabled banks to offer banking and payment services (m-services) through mobile applications. Some banks offer only mobile financial information such as account balances or currency exchange rates, while others provide full-fledged services, allowing their customers to manage accounts and carry out financial operations such as bill payment. Banks operating in Sri Lanka, too, have started to offer m-services, and many customers have started to use a wide array of smartphones to conduct various banking transactions. Hence, this convenience will allow more customers to adopt mobile banking services in the days to come.
The Internet as the communication platform, the computers and the end-users are the three components that make online banking applications vulnerable to attacks. However, various technologies such as firewalls, anti-virus software and two-factor authentication help protect users and e-banking systems from Internet-based attacks and malware. While consumers are gradually migrating to various mobile solutions for business and personal use, confidence in the security of those mobile websites and applications has become a great concern. Hackers are resourceful and continue to devise new attack vectors every day.
The weakest link in mobile banking security is also the user and their behaviour. Smartphone user behaviour creates a suite of vulnerabilities, and fraudsters and hackers are eager to take advantage. Many mobile applications are developed by third parties with questionable security practices, and some applications, developed by fraudsters and hackers, even contain malware such as viruses and trojans. Malware inadvertently downloaded through such infected applications from third-party stores, or side-loaded via user-enabled settings, allows hackers to access sensitive information directly from the smartphone. Likewise, an attacker could develop a mobile phishing site which looks exactly like the m-banking application. Phishing sites are used to capture user credentials or transaction details, and the captured information is then used to log onto the legitimate banking site to perform fraudulent transactions.
Smartphone users like to connect to free Wi-Fi hotspots to access the Internet and sometimes to carry out banking transactions. These unsecured wireless networks and free hotspots are also used by fraudsters and hackers to gain access to smartphones, either to seize control of the device or to gain access to bank account information. A user credential exchanged between the smartphone and the online banking application over an insecure communication link can be stolen and then used by a hacker to access the account. Further, a smartphone can easily be lost or stolen, and an unprotected smartphone can be compromised, even if turned off and locked, by someone who knows what they are doing.
Hence, the mobile banking application should adhere to industry best practices, and here are some recommendations to minimise application-related risks: limit the storage of personal information on the device; always use a Secure Socket Layer (SSL) connection for communication; do not allow installation of the application if the phone has been jail-broken; apply a connection timeout; use a multi-level authentication mechanism, viz. user name, password and a reference code such as a one-time password from a security token or a code sent via SMS; minimise and obfuscate the software code; and use a virtual keyboard to mask user-entered passwords and codes.
Users should also lock their phone when not in use and change the smartphone access code. Other recommendations to minimise user-related risks are: do not disclose passwords; keep the smartphone up to date with the most recent operating system updates; apply antivirus software; use secure networks whenever possible and limit the use of insecure networks; do not jailbreak the smartphone; and install only trusted applications from official app stores.
These safeguards are easy to implement for both the bank and the user, and they can make mobile banking as safe as online banking. The future of mobile banking depends on both sides taking responsibility to reduce risk.
(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He can be emailed at sujit@layers-7.com).