• Saturday, April 27, 2024
BusinessDay

Staying secure even when your bank has multiple mobile apps

On the app stores, whether for Android or iOS, many financial institutions have more than one application that can perform one banking function or another. For some users, this is fine as long as they stick to ‘the devil they know’, that is, an app they have been familiar with for a period of time.

However, it also creates a confusing user experience when multiple mobile apps are available from one bank, some performing more functions than others, when these functions could have been integrated into an existing app and possibly made more robust. The likely end result is cybercriminals deploying fake apps to deceive unsuspecting users into parting with what matters the most: login details and authentication access.

RiskIQ, a digital threat management firm, while reviewing the app portfolio of one of its clients – a global financial institution – noted that the bank’s wide spectrum of products and services had resulted in many legitimate and illegitimate mobile applications bearing its brand name.

To retain its leading position and meet customer demand, the bank continually created new apps and maintained existing ones. App identification and management became a difficult, if not impossible, task because the bank’s consumer banking groups, internal business units and institutional banking divisions created multiple apps. Additionally, external third parties were creating and releasing bank-branded apps to promote marketing events and sponsorship.

With this massive proliferation of apps, the bank did not know if the apps available in mobile app stores were legitimate or if they had gone through the proper security checks prior to release. Even one copycat or fraudulent app could compromise customer privacy or sensitive financial data and damage the bank’s reputation.

In the end, the customer bears the brunt. The first step in staying secure is to check the developer section of any bank app to be downloaded, ensuring the information there reflects your financial institution. Also double-check with your bank that the app which appears on the app store is officially approved (try to make this a habit; customer care staff get paid for this). As much as you can, avoid third-party apps.

It is also important to keep the mobile app updated. Unless the bank makes public announcements, including through its official channels, on new, improved applications, switching to any random, new application is not a good idea.

Additional precautions are also required in terms of device usage to ensure banking security is not compromised; this specifically refers to jailbroken or rooted devices.

SecurityIntelligence, a platform run by IBM, asserts that a mobile banking app’s security may be state-of-the-art, but if you use it on a jailbroken or rooted device, you may be exposed to extreme risk. Users often jailbreak/root their devices, virtually breaking the security model and removing any inherent limitations, allowing mobile malware and rogue apps to infect the device and control critical functions such as SMS.

Risk factors such as outdated operating system versions, nonsecure Wi-Fi network use and pharming attacks allow cybercriminals to exploit an existing online banking session to steal funds and credentials or gain full access to the mobile device.

A 2017 Accenture report on mobile banking applications and security concerns for banks stated that issues related to transport layer security are a recurring theme, as 40 percent of security issues identified were mapped back to insecure communication. This recurring vulnerability suggests that security around the transfer of data across communication channels is a challenge for developers and that they may be placing too much confidence in secure end-user behavior and back-end server-side communications.

Caleb Ojewale