Are smartphones secure for mobile banking

brisma
Looking to get expert advice for my fellow co-workers who have questions about mobile banking.
How safe is mobile banking on the following OSes?
Apple iOS 11.4?
Android Oreo?
As a security expert, would you use your smartphone for mobile banking? Why or why not?
I want to thank you in advance for your answers.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I use my mobile phone for banking, payments and transfers and it is just as secure as my laptop. Both operating systems (iOS 11 and Windows 10) have underlying security and protections for security.

I use Fingerprint Security on my phone and secure password on my computer.

Recently the phone failed (bank issue) and I needed my voice print from my phone to have my bank reset my system.

So it all works fine.
btanExec Consultant
Distinguished Expert 2018

Commented:
I would minimally have the antivirus or anti-malware in the mobile device and only install apps from a known app store. Don't visit suspicious and non-reputable sites.

Mobile banking apps will require 2FA, but most of the time it would be SMS or an OTP token. And most of such apps do not store your bank details directly on your phone, but instead access them from a secure data centre. This means your mobile itself will never hold your personal bank information. Banks can also protect you with refunds if your account is compromised through your phone.

That said, as long as the mobile is locked and able to do a remote wipe when lost, and you keep the device OS patched, either Apple or Android is fine. Android has its KNOX secure hardware and Apple has its Secure Element to safeguard the encryption keys that keep the device encrypted. So long as you don't jailbreak or root your device, the apps still stand well to serve you securely.

You may be interested in this
https://www.experts-exchange.com/articles/32533/Is-my-smartphone-hacked-what-can-I-do-to-protect.html
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I do not go to dodgy websites, so the high level of security currently keeps my bank account safe
yo_beeDirector of Information Technology

Commented:
I would say nothing is 100%, but I have not had any issues with my account. I transfer money, deposit checks and check my account regularly.  

Most banks, if not all, will alert you if there is weird or unusual activity. Also you can set up notifications that will alert you when transactions happen.

Either way you will not be on the hook for any compromise.  

I use iPhone
Distinguished Expert 2018

Commented:
You should use online banking with 2 factor authentication. If the 2nd factor is outside of your phone, then I would consider this secure enough for me. Example: you have a PIN for accessing your bank account and also a Transaction authentication number (TAN) for any transaction that you do. If the TAN is generated on the mobile phone, you should not be entering the PIN on the same device.
That means: if you want to use a phone for banking, then you need a different device or method to create your TANs.

Author

Commented:
Question for yo_bee and McKnife
Is there any written guarantee from financial institutions that they will reimburse you if your account is compromised because of your device?
Would you need to coordinate with your bank to get a device to create the authentication number?
Distinguished Expert 2018

Commented:
"Is there any written guarantee from financial institutions" - what? No, what are you thinking...
About the "authentication number" - you mean the TAN? Yes, the bank should advise you what to do. My bank even makes it mandatory to use 2FA (TAN and PIN). TANs come on paper ("TAN list"), or are created using online services (as in the bank texts you a TAN to your phone), or you can use authenticator apps.

Author

Commented:
The first question was for yo_bee, who made the statement "Either way you will not be on the hook for any compromise." so that is what I was thinking. I don't believe there is any formal agreement between a bank and customer that they will reimburse you for all compromises.
As to your 2 Factor Authentication - sorry for my ignorance, but if you use an authenticator app or text to the phone wouldn't that be a security compromise?  
Not trying to be argumentative just making sure I understand.
Thanx
Distinguished Expert 2018

Commented:
The authenticator app could be on another device (pc or 2nd phone or dedicated authenticator device). The text message could be sent to another phone. Just make sure these 2 factors are not on the same device and you are good to go.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
So long as your iOS is up to date (and maybe you use your fingerprint) and your Windows is up to date, your banking security is quite secure. You should not have any issues, as we have all said above.

I do not use anything on top of fingerprint, no special key or other access security.
yo_beeDirector of Information Technology

Commented:
I cannot say for sure, but from my experience with people that were compromised (my wife and a co-worker), they were not on the hook for the money. The same holds true with my credit card that was compromised 3 times and my wife's at least 5.

My wife works for a large institutional bank and if she accepted an e-mail for request of transfer of money without verification the client is not on the hook for the error.  Now my wife's job most likely will be.  

The question you need to ask is your bank account manager.  They must have a policy written up stating what they are liable for.

Commented:
Android:
The majority of malware targeted at mobile platforms targets Android. This is due to a number of factors, including:
• Having the largest market share.
• Users running older versions of Android with unpatched vulnerabilities.
• The open, customizable nature of the operating system.
• Usage of third-party apps.

iOS:
Malware targets jailbroken devices that remove restrictions, particularly the restriction of only being able to download apps from the official App Store.

Windows 10 Mobile:
Has a small market share compared to Android and iOS, and attackers tend not to target this platform with malware. However, the Windows Store is not as tightly controlled as the iOS App Store.

Mobile apps on the phone have always been a bit less secure than on the computer. Just because you haven't been hacked doesn't mean it's just as secure. There are many reasons why using a banking app on a phone is less secure than on a computer. It doesn't mean that it's entirely insecure, just that the risks can be higher when you use a phone to do banking.

https://www.helpnetsecurity.com/2017/04/27/mobile-banking-security/
https://nakedsecurity.sophos.com/2014/01/10/just-how-secure-is-that-mobile-banking-app/
https://securityintelligence.com/is-mobile-banking-safe/

You should avoid banking apps if you're not doing things securely in the first place.  I did not use early banking websites because many didn't actually use https.  When they finally supported https, I had to manually type that in for about a year, until https everywhere came out and I made sure my bank was in the entries.  It took a few years after that before the bank sites would finally redirect to https automatically.  I would frequently complain to the banks I use about their lack of website security, until they finally implemented them.  They eventually fixed the most egregious lapses.

The early phone apps were much more insecure than they are now. I still don't use phone apps frequently because I carry my computer around everywhere and just use that. The computer is still slightly more secure anyway.

While the banks will cover you when they make mistakes, it's just a hassle dealing with them.  I'd rather keep myself safer and not have to waste time to contact them to be reimbursed when something happens.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
On my phone you cannot get to my bank without Fingerprint, so it is quite secure.
BTW.  Use a 2FA app, not a text message.  Text can be hijacked more easily.  Phone numbers can be hijacked more easily.  If you can reduce risk easily, you should.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I will unsubscribe. Serialband - you always do NOT like any of my answers EVER

BYE
Brandon LyonWeb Developer/Designer

Commented:
Mobile banking is generally secure but it's going to depend on your bank and their app.

I use my phone for banking BUT I do certain things to make it more secure.

Use multifactor authentication, NOT via SMS or email (if someone breaks into your phone they probably already have access to those).
Don't store banking credentials on the phone (username/password) and don't send them via email or messaging applications.
Sign out when you are done with whatever you are doing. Don't stay logged in for extended periods of time.
Only use known sources of first-party secure software. Third party keyboards for example could theoretically steal credentials.
Set up (email) notifications for transactions over $X or from account Y.
Don't connect to strange wifi networks and use a safe VPN if possible.

If the phone gets stolen then someone has to break into the phone first. That is an extra layer of authentication.
If the person has your username/password, the multifactor authentication via non-phone methods means they probably still can't access your account.
If an attacker somehow still accesses your app, most banks still don't display private info in the app beyond dollar amounts.
Banks are generally paranoid and secure. For example, if I try to transfer money via their mobile app, I cannot transfer to an account I haven't previously transferred money to.
>>>Banks are generally paranoid and secure.

If that was true, they wouldn't have lost so much money in several recent high profile hacks. They're no more secure than any other private organization. Hacking individual phone apps is more tedious and has smaller returns for the hackers. It's not the most likely avenue. They're actually not more secure.

Here are some of the larger, well known hacks:
http://www.bbc.com/news/technology-28654613
https://arstechnica.com/information-technology/2018/07/prolific-hacking-group-steals-almost-1-million-from-russian-bank/
https://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html
https://www.nytimes.com/2014/08/28/technology/hackers-target-banks-including-jpmorgan.html
https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery
http://www.dailymail.co.uk/sciencetech/article-4476700/Bank-hack-affect-millions-world.html

If you have ever lived in a poorer neighborhood or had friends there, or just knew some people from there, they'll tell you that their neighborhood bank gets held up quite frequently, but it doesn't get into the news because it just happens too often in the poorer neighborhoods and nobody has gotten killed. There are quite a large number of bank robberies in progress all over the USA, averaging more than 10 each day. https://www.fbi.gov/investigate/violent-crime/bank-robbery The bank tellers just give the money quietly and quickly with very little mishap, so they hardly ever get reported in the news. The news really only reports on repeat robbers and affluent suburban neighborhoods, because they're out of the ordinary and sensational. There are probably a lot of small hacks that we don't hear about for the very same reason.
Brandon LyonWeb Developer/Designer

Commented:
I didn't say ALWAYS, I said GENERALLY. It's in the bank's best interest to be paranoid and secure. This is also why I started my previous comment by saying "it depends on your bank and their app". It's also why I gave several steps that one can do to protect themselves.
I disagree.  Big Banks are about short term profit, just like any publicly traded business.  Being secure is not their top priority.  Making a profit this quarter is their 1st priority.  They are in no way more secure or paranoid than any other public company.  They mainly do just enough to satisfy requirements.  Otherwise, those big hacks that have been reported would not have happened the way they have.

They are big enough to get the government to bail them out with taxpayer money.  They'll only be as secure as the risks and laws and profit margins allow.

Commented:
I'm no fan of the banking sector. I live in Europe and the way they treat their retail customers seems to get worse every year.

>>>It's in the bank's best interest to be paranoid and secure.

However, I have to agree with Brandon on this. While some banking brands might display a less-than-nice attitude towards customers, the moment their bank account gets hacked they do actually go into a mode which could only be described as "paranoid". Firstly, they will usually refund the customer extremely quickly and then re-issue cards asap. So from the point of awareness of a hack to restoration of accounts and cards can be as little as 48 hours. The customer does not even get a chance to go on Twitter, local or national media to broadcast they've been hacked!

Is online banking safe - yes. Is online banking safe when you're an Android user who downloads every crappy app they come across - probably not.
btanExec Consultant
Distinguished Expert 2018

Commented:
Online banking is safe with the proper precautions. The latter is not really dependent on device and apps only; the big piece is ourselves - are we vigilant and watching out for red flags, as well as not being overly lax in being secure by default? For example, will it be secure to do online banking on a public hotspot or on a home wifi hotspot? We can make the more secure choice to reduce our exposure.

Collectively, if users are constantly educated about the threat and able to stay active in adopting good secure online practices and habits, I do then see and hope more focus goes into having more securely coded online apps for mobile smartphones, as mobility is here to remain.
That's after the fact that it happened.  It's all reactionary and it's standard operating procedure.  If they were paranoid, they'd fix things based on the more secure methods that others in the industry have already adopted to prevent some of the fraud that their customers face.  If they were paranoid and secure, then the customer would not have to deal with calling in to report it.  It's all about their profit margin.  If the loss hasn't exceeded their risk threshold, they don't fix it, only react to it.

It's done at phone companies as well.  I know someone at Verizon that does the data monitoring.  They basically do the same thing that you've described.  They tag calls and billing issues that are possible fraud and block it as it happens, but only after years of fraud had increased to the point where the costs exceeded the prevention.

It should definitely be in their interest to be paranoid and secure, but if they truly were they'd have adopted better security already.  I'll list some reasons.

  • Right now, people just don't get individually hacked through the Mobile apps.  It's not profitable.  The hacks target the back end, because you can get thousands of accounts and millions of dollars in one go.  An individual US account holder will have maybe a few thousand dollars, but more likely just a few hundred dollars in their bank account.  That's the reason Mobile Banking is "safe".  Not because the App itself is inherently safe.
  • US credit card companies finally adopted the Chip, but they have not adopted the PIN to go along with it. Retailers are still asking for a signature, or just forgoing a signature completely. That's not more secure. A lot of US bank ATMs still allow an outside card swipe, where the card is retained by a customer, so a fake or stolen card can be retained by a scammer to reuse or remagnetize with another account. That's not secure. I've used multiple banks and some take the entire card into the ATM until the transaction is done, allowing the bank to reclaim a card. We only got the chip recently because the Eastern European carders are finding their markets a little harder and more crowded.
  • Look at what happened in 2008 when the Banks bought junk loans.  That was not being paranoid and secure.  That was wild speculation.  If the law doesn't make them do it, they won't do it.  If it doesn't affect the bottom line, they won't do it.
  • When online banking first existed, they used html web sites. I complained to them frequently. I had to manually type in https for a year, until HTTPS Everywhere came out. They still had HTTP access to the sites for several years, but with SSL in the backend, making it harder for the average user to know if their site was even actually secure. I had to tell everyone to remember to use https for a year, then had HTTPS Everywhere installed as a default extension for 300+ systems I managed back then. It would be several years before they automatically redirected to https and turned off http, so that the average person can look at their browser for the security lock. Why does it matter that they not use HTTP for their landing page? Because most coders are sloppy. How can you be sure that the coder, that used the HTTPS link on the HTTP page, sent the credentials properly through to the SSL page? Even if the credentials were encrypted, an eavesdropper can now grab that hash and run brute force attacks on it.
  • The early banking apps were completely insecure. Here's an article from 2011. https://www.americanbanker.com/news/mobile-apps-insecure It was only after publicity that they eventually tried to secure them.  Again, a fix only happened afterwards as reaction.  That's not being paranoid and secure.
  • Here's another one about mobile banking app security in 2014, 3 years later with some security, but not much has changed.  https://ioactive.com/personal-banking-apps-leak-info-through/
  • Finally in 2017, 6 years after the initial investigation, some real improvement.  However, while the most severe holes have been patched, there are still a few banking apps with medium and low level security issues.  https://www.helpnetsecurity.com/2017/04/27/mobile-banking-security/  6 years to patch is not a sign of being paranoid and secure.

Wanting to believe that Banks are paranoid or secure is wishful thinking.  I stand by my statement that they're not paranoid or secure.  They're a public company like any other.  They compete on profit margins.  As long as the profit margin is there, they couldn't care less about security.  It's a cost sink to them.  They only react to security when it affects their bottom line.  That's just business.

P.S.  I'm providing facts to the issue of banking being paranoid and secure.  We've strayed from the initial topic.  The mobile banking apps are secure enough for use since around 2017.

I would not have trusted them to be safe to use before then. Due to the nature of mobile apps and the phone market, they are still not as secure to use as a computer. There are still other security issues when using a phone to do banking. As long as you are aware of the issues and know how to mitigate them, it's safe enough to be used. I'm just providing context and facts with links to research and articles to back them up.

Here's my 4th sentence from the very 1st paragraph of my 1st comment reply.

>>>It doesn't mean that it's entirely insecure, just that the risks can be higher when you use a phone to do banking.
I've never said it was unsafe to use, just that the risks are higher than on a computer.  Just because you haven't experienced a problem doesn't mean that others haven't either.  I'm paranoid about security, so I do as much as possible to mitigate my risks.
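The bullet above about an HTTPS login link sitting on an HTTP landing page describes a check that can be automated. The following Python is added here as an example and is not code from serialband or from the page; it parses a raw HTTP response to an http:// request and classifies it. A redirect to https:// is the safe case; a form whose action is https:// on a page that was itself served over plain HTTP is exactly the pattern the comment warns about, because the unauthenticated page can be altered before the browser ever reaches the TLS endpoint; and a form posting to http:// sends credentials in the clear. The three responses and the hostname bank.example are constructed for this example.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Crude but sufficient for the sample pages below: pulls the action attribute
# out of each <form> tag (either quote style, any attribute order).
FORM_ACTION = re.compile(r"<form\b[^>]*\baction\s*=\s*['\"]([^'\"]*)['\"]", re.IGNORECASE)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def assess_landing_page(raw: bytes, page_url: str) -> dict:
    """Classify how the landing page at `page_url` (normally http://...) handles
    the login. Verdicts: 'redirects_to_https', 'redirects_but_stays_on_http',
    'https_form_on_http_page', 'form_posts_over_https', 'form_posts_over_http',
    'no_login_form'. The HSTS flag is informational only: browsers honour the
    header only when it arrives over TLS, so seeing it on an http:// reply
    does not protect anyone."""
    status, headers, body = parse_http_response(raw)
    result = {
        "status": status,
        "hsts_header_present": "strict-transport-security" in headers,
        "form_actions": [],
    }
    if status in REDIRECT_STATUSES:
        target = urljoin(page_url, headers.get("location", ""))
        result["location"] = target
        result["verdict"] = ("redirects_to_https" if urlsplit(target).scheme == "https"
                             else "redirects_but_stays_on_http")
        return result
    actions = [urljoin(page_url, a) for a in FORM_ACTION.findall(body)]
    result["form_actions"] = actions
    if not actions:
        result["verdict"] = "no_login_form"
    elif all(urlsplit(a).scheme == "https" for a in actions):
        result["verdict"] = ("https_form_on_http_page" if urlsplit(page_url).scheme == "http"
                             else "form_posts_over_https")
    else:
        result["verdict"] = "form_posts_over_http"
    return result


# Constructed sample responses to an http://bank.example/ request.
GOOD = (b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://bank.example/login\r\n"
        b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        b"Content-Length: 0\r\n\r\n")
MIXED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body><form method='post' action='https://bank.example/login'>"
         b"<input name='user'><input name='pass' type='password'></form></body></html>")
BAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
       b"<html><body><form method=\"post\" action=\"/login\">"
       b"<input name='user'><input name='pass' type='password'></form></body></html>")

if __name__ == "__main__":
    for label, raw in (("redirect", GOOD), ("mixed", MIXED), ("plain", BAD)):
        print(label, assess_landing_page(raw, "http://bank.example/")["verdict"])
```

Only the first response is acceptable: the page a user types in without a scheme should never render a login form at all, it should send the browser straight to the TLS endpoint, and the HSTS header then has to be repeated on the https:// response for browsers to remember the upgrade.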
Brandon LyonWeb Developer/Designer

Commented:
>>>Due to the nature of mobile apps and the phone market, they are still not as secure to use than using a computer.

I disagree. I'd say phones are more secure because there are more layers of authentication and unique identifiers in addition to more accurate location tracking. Furthermore phones tend to be personal devices unique to an individual whereas computers are often shared. Apps are compiled executables, client-side website frontends are modifiable.
We must work in different sectors, because I don't have users that share computers, except in their own homes.  Work computers are locked down with authentication and have managed software firewalls and hardware firewalls, as well as managed antivirus.  Phones travel outside of the controlled networks.  You're looking at security differently.

Even in their homes, most users I've had to deal with have a separate computer for kids and guests.
Brandon LyonWeb Developer/Designer

Commented:
>>>Phones travel outside of controlled networks

 ... or they use VPNs which can have all of those things you mentioned. But you're right that network security is quite important.

I should add "use a VPN and don't connect to strange wifi networks" to my earlier comment about safe mobile banking practices.
I'm going by the security news and research posts.  That's how I'm determining whether the phone is technically more secure.  Most users don't use VPN, unless it's forced upon them by work security requirements.
Here's one other reason why phones are less secure:
https://motherboard.vice.com/en_us/article/a3q7mz/hacker-allegedly-stole-millions-bitcoin-sim-swapping

Your phone company is very stupid. They will allow any jerk to hijack your phone number. If you're known to have a lot of money, it's best not to use any phone apps for banking, unless you really understand security and use proper 2FA. Your fingerprint won't protect you from this.
