The Current State of Online and Mobile Banking Security
IOActive Labs recently found that most iOS mobile banking applications are susceptible to major security vulnerabilities, after testing 40 different iOS banking apps used by 60 different banks in 20 different countries.
They found that 70 percent of these apps offered no alternative authentication solution, like two-factor authentication, which can help mitigate account takeover or unauthorized account access.
That’s disturbing, considering back in 2011, the FFIEC released guidelines for ‘Internet banking authentication’ in which they state that single-factor authentication just doesn’t provide enough security for banking activity like high-dollar value transactions, privileged user access or sensitive communications.
Without two-factor support, that means 35% of U.S. adults that bank with their mobile phones are left vulnerable to possible account takeovers and fraud. And yet another 51% that bank from a desktop or laptop may also be susceptible to theft, according to a survey from the Pew Internet & American Life Project, as reported by NetworkWorld.com.
The mobile banking trend has been on the rise and shows no sign of stopping, as from 2010 to mid-2013, the increase in mobile banking has nearly doubled, from 18% to 35%, with projected growth to reach nearly 50% in the next two years.
While major email providers (Gmail) and social media sites (Twitter, Hootsuite) give users the option of setting up their phones as a secondary authentication method, it’s strange to think that 70% of banking apps lack similar security.
Phishing & Trojans Target Banking Credentials
According to the IOActive Labs report, one phishing attack that targets online banking users prompts a victim to retype his/her’s username and password, claiming the online banking password has expired, after which credentials are stolen. Two-factor authentication, whether enabled via a mobile app or SMS/voice, can prevent attackers from accessing your account even after they’ve stolen your username/password.
Aside from phishing, one of the latest Trojans targeting online banking and financial institutions is called Neverquest. According to TechRepublic.com, Neverquest is introduced to a user’s computer via social media, email or file transfer. After it’s installed, it searches for financial terms and banking sites that users type into their browsers, then relays login info back to the attackers’ command and control server.
The attackers don’t just steal the credentials; they remotely control the user’s computer using VNC, log into the banking site, and transfer money, change login credentials, write checks, etc.
In this scenario, banking sites can’t immediately identify an attacker’s login vs. the user’s. However, one way banks can implement security in this situation is by leveraging transaction-level two-factor authentication - one example is using Duo's two-factor APIs to protect transfers and transactions within banking applications.
That way, if someone attempts to remotely transfer money from your bank account to a different account, you can set it up so the transaction doesn't go through unless you verify your identity via your mobile device.
As you can see below, Duo's mobile app can integrate with banking applications to provide transaction-level security, displaying the time, transfer value, and last four digits of the account.
Point is, there’s lots of real threats to online and mobile banking apps. In addition to integrating two-factor authentication, a few other ways to ensure online banking and app security includes using only your bank’s official app, and avoiding online banking while using public WiFi networks (disable WiFi and use your carrier’s service).
If you’re the victim of identity theft, the FTC put together a handy guide with checklists and credit reporting company contact info to help you figure out what to do, in Taking Charge: What To Do If Your Identity is Stolen (PDF). Also, don’t wait until longer than 60 days past your last statement, because apparently, if you’re a consumer, you could lose all of the money taken from your ATM/debit account, with no reimbursement from your bank.