Hi, my name’s Marcus and I could steal your money. How? Easily: through the online banking app that is on your mobile device. If you’re thinking that I must be a handsome computer hacking genius, deciphering code in an exciting visual way like Hugh Jackman in Swordfish, well…
All you’d be right about is “handsome.” 😉
Hacking the mobile apps of the most well known banks in the world is easy thanks to the fact that:
- The average online banking app is not particularly well made from a security perspective.
- Many online tutorials exist to direct even the most novice of internet hackers, with free software available.
- You think that you’re safe in your online banking app, and act accordingly.
Out of all of these, your ignorance is the worst offender, followed by how poorly most of these banking apps are made.
Reverse engineering: how mobile banking apps on Android and Windows are hacked
Reverse engineering is an old technique used by legitimate programmers who want to understand how a program works and find errors in its code. Hackers use the same technique to take these banking apps apart, and then insert themselves into your transactions through those apps.
There are two ways that this works. First, the app can be connected to an external server that the hacker runs. The hacker can then see your username, password, and even account balance. See ya later, money.
Second, the hacker can get access by ‘piggybacking’ onto a transaction. Say you send money to me because we’re good friends and I lent you cash last week (this story is fiction, I don’t lend money). You use your online banking app to send me the $40 you owe me.
The hacker can then add themselves into the transaction so that you’re authorizing the banking app to send me my $40 (thank you), while the hacker has the banking app also sending $100 their way (“Double thank you,” says the hacker) before you even know what’s going on.
How else are mobile banking apps on iOS devices vulnerable?
There are two more ways that don’t involve so much hacking. They’re more about general security vulnerabilities not being addressed properly, both of which were uncovered in a study by iOActive Labs.
70% of the online banking apps that they tested did not support two-factor authentication. This security feature requires a second code, sent to you via SMS, before you can access your account. So even if a hacker steals your username and password, they would also have to steal your phone to enter that SMS code.
The second issue is that 40% of these online banking apps would accept any SSL certificate for secure HTTP traffic. A genuine SSL certificate lets the app confirm it is really talking to the bank's server and encrypts the communication between you and the website. In a browser, you know you have it when you see a lock at the left of your address bar and the web address starts with HTTPS.
HTTPS is the secure encryption layer that makes the internet world go 'round. When your mobile app accepts a bogus SSL certificate, you won't know. Not because you're uneducated, but because you literally cannot find out: these apps do not even give warnings, and will blindly accept any SSL certificate, including one forged by someone sitting between your phone and the bank.
Now if you look at that statistic again, it says that 60% of online banking apps for iOS do catch these problems. 60% hasn't been a passing grade for me since I became an adult, and developers need to do a better job.
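To make the "accepts any SSL certificate" finding concrete, here is an added example (not code from the original post or from any bank's app) in Python's standard `ssl` module: the weak client configuration beside the corrected one, plus a small audit function that reports what a reviewer would flag. The hostname is a constructed placeholder.

```python
import ssl

# Constructed stand-in for a bank's API hostname (not a real endpoint).
BANK_HOST = "api.examplebank.invalid"


def accept_anything_context() -> ssl.SSLContext:
    """The weak pattern the study describes: the app speaks TLS, but switches
    off certificate verification, so any certificate is accepted, including
    one presented by someone sitting between the phone and the bank."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected pattern: trust only the OS certificate store, require a
    certificate, bind it to the hostname, and refuse legacy TLS versions."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a reviewer would raise about a TLS client context.
    An empty list means a bogus certificate would be rejected."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not bound to the bank's hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("accept-anything", accept_anything_context()),
                      ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or ['no findings']}")
```

The same review applies to the Android and iOS equivalents (a trust manager or delegate that returns success for every certificate); the audit here is the check to run before an app ships.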
What can users do to protect themselves?
None of these studies revealed which banking apps were vulnerable. What can you do to protect yourself when you’re unsure of whether or not you’re vulnerable? Here are my suggestions:
- Immediately stop using any mobile banking app that doesn’t have two-factor authentication. A bank that doesn’t protect you any better than Facebook protects your shared LOLCats photos isn’t worth it.
- Only download apps from the official app store of your phone. That means going to the Apple App store, Android Market, or Windows Phone store.
- Use the website version of your online banking, from a laptop or desktop. Honestly, how often do you absolutely HAVE to bank from your phone? This will minimize risk, as the online version has had nearly two decades to improve its security, while mobile apps are still very young.
- Install a VPN client on your smartphone for those moments when you have to use a mobile banking app. This will offer a layer of encryption over everything you do online, making you a more difficult target for hackers. Find out more about well-reviewed VPN providers at the link.
- You need an antivirus app on your phone. We’re a long way from rotary phones, you need an antivirus app to help stop attacks on your phone that don’t start with “Is your refrigerator running?”
- If you’re slightly technically inclined, check what is running in the background on your phone to see if anything unusual is happening. Do a search for anything that looks odd and see if it is a known threat.
While all of these are excellent tips, I’d like to sum up my advice in one sentence:
I have never installed a mobile banking app on my phone, and neither should you.
The reasons above are why I haven’t done this. Until there is a significant shift in the online security policies of the major online banking apps, I will continue following my current path. If your life dictates that you use them at some point, follow my advice and protect yourself.