A hole in your e-wallet

While waiting for my train on the platform at Richmond station, I see an advertisement from my bank inviting me to check my balance online using its mobile banking application. This strikes me as odd. Why advertise something many people would never intend to use? Banking via a mobile phone seems unsafe to many – and, actually, to some of my colleagues too, despite the fact that we work in software development and can therefore see what the real security issues are, writes Dennis Margolin

According to recent research, only 35 percent of mobile users in the UK use mobile banking, below the European average of 37 percent, which is not a high figure either. Consistent with this, research conducted by Metaforic in 2012 showed that nearly 70 percent of smartphone owners do not use mobile banking apps because of security concerns.

Is this lack of trust in mobile banking justified? Let’s take a look at the latest McAfee Threat Report for a start. It states that banking malware is thriving, with over 17,000 examples of "bad apps", some of which can even defeat two-factor authentication. Among the most frequent targets are some of the leading financial organisations, such as HSBC, Lloyds TSB, NatWest and Santander. The FCA is also concerned. It recently asked banks to make their mobile banking policies more transparent. In particular, banks were asked how they would handle customers who pay the wrong amount or pay the wrong recipient, both potential results of phishing attacks. It is also easy to mistype an amount on a mobile phone, and with simplified transaction flows there is little room for users to catch and correct such errors.

It also did not help that smartphones got bad press in their early days over security vulnerabilities. While this is still fresh in our minds, manufacturers have done their homework and fixed most of the issues. Apple, for instance, is a real stronghold if all settings are correct. Android is not as reliable, but in general modern smartphones now come with thorough data-protection systems. At DataArt, we have a fully fledged security practice team that constantly audits every system we work with, and we are impressed with the major improvements we see in the mobile platform space. Despite all the improvements, some risk remains. As is often the case, the technology itself is reliable; it is largely the human factor that triggers the loss of valuable data and funds.

Apple’s iOS is almost sterile. Apps are vetted before they reach the App Store and screened for malware. The iPhone itself is encrypted and can be wiped remotely if needed. However, the user should know these options exist and, above all, should set a passcode for the screen lock: without one, the on-device encryption does little to protect data on a lost or stolen phone. Things are tougher for the more adventurous users who jailbreak Apple devices without understanding that when they give permission to hack their phone (and that is exactly what jailbreaking is) they are opening a vulnerability the size of a train tunnel. And when they sideload apps onto a manipulated device, circumventing the App Store, they can never be sure whether those apps contain malicious code.

In the Android world, things are even trickier. Here, sideloading is common. In fact, malware may be installed directly from Google’s Play store, as submissions there are not vetted as thoroughly as on the App Store. It is fascinating to see how many suspicious apps are on Google Play. Some come across as harmless, and some pose as official apps, such as your own bank’s mobile app. The label and icon are trivial to copy; what actually identifies an app is its package name and the certificate it was signed with, and nothing in the install flow draws the user’s attention to either. Such an app asks for permissions when it is first run, and it is easy to overlook where the app actually came from. Then, when you least expect it, your account details are stolen.
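
The kind of check that separates a genuine banking app from a look-alike, as an added illustration that is not code from the article or from DataArt: trust rests on the package name, the signing certificate and the installer, not on the label or icon a user sees. Every package name, signer fingerprint and inventory entry below is constructed for the example (the bank, its pins and the fake apps are hypothetical); on a real device the inventory would be gathered with `pm list packages -i` and `apksigner verify --print-certs`.

```python
"""Flag installed apps that pose as a bank's official Android app.

Added illustration, not code from the article or from DataArt. Every
package name, signer fingerprint and inventory entry below is constructed
for the example; on a real device the inventory would be gathered with
`pm list packages -i` and `apksigner verify --print-certs <apk>`.
"""
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical pins for the genuine app: the package name and the SHA-256
# fingerprint of the certificate the bank signs its releases with.
PINNED: Dict[str, Dict[str, str]] = {
    "Example Bank": {
        "package": "com.examplebank.mobile",
        "signer_sha256": "ab" * 32,  # constructed value, not a real fingerprint
    },
}

# Installer packages accepted for a banking app (Google Play only here).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Digits and symbols commonly used to spoof letters in an app label.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


@dataclass(frozen=True)
class InstalledApp:
    label: str                # what the launcher shows; trivially copied
    package: str              # unique per device; cannot be shared by two apps
    signer_sha256: str        # fingerprint of the APK signing certificate
    installer: Optional[str]  # None means sideloaded (adb, file manager, browser)


def normalise_label(label: str) -> str:
    """Fold case, strip accents, spaces, punctuation and digit look-alikes."""
    text = unicodedata.normalize("NFKD", label)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold().translate(HOMOGLYPHS)
    return "".join(ch for ch in text if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(label: str, bank_name: str, max_distance: int = 2) -> bool:
    """True if the label could be mistaken for the bank's name."""
    a, b = normalise_label(label), normalise_label(bank_name)
    return b in a or edit_distance(a, b) <= max_distance


def assess(app: InstalledApp) -> List[str]:
    """Return the reasons an app should not be trusted as a bank's app."""
    findings: List[str] = []
    mimicked = [bank for bank in PINNED if looks_like(app.label, bank)]
    for bank in mimicked:
        pin = PINNED[bank]
        if app.package != pin["package"]:
            findings.append(f"label resembles {bank} but package is {app.package}")
        if app.signer_sha256 != pin["signer_sha256"]:
            findings.append(f"signing certificate is not the pinned {bank} signer")
    if mimicked and app.installer not in TRUSTED_INSTALLERS:
        source = app.installer or "an unknown source"
        findings.append(f"installed by {source}, not Google Play")
    return findings


def audit_inventory(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map package name -> findings for every app that raised at least one."""
    report: Dict[str, List[str]] = {}
    for app in apps:
        findings = assess(app)
        if findings:
            report[app.package] = findings
    return report


# Constructed inventory: the genuine app, a typosquat sideloaded from a
# browser download, a repackaged copy that made it onto Google Play, and
# an unrelated app that must not be flagged.
SAMPLE_INVENTORY = [
    InstalledApp("Example Bank", "com.examplebank.mobile", "ab" * 32, "com.android.vending"),
    InstalledApp("Examp1e Bank", "com.examp1ebank.mobile", "cd" * 32, None),
    InstalledApp("Example Bank", "com.examplebank.mobile.free", "cd" * 32, "com.android.vending"),
    InstalledApp("Flashlight", "com.acme.flashlight", "ef" * 32, None),
]

if __name__ == "__main__":
    for package, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(package)
        for reason in reasons:
            print("  -", reason)
```

The second app is caught three times over (wrong package, wrong signer, sideloaded); the third shows why the installer check alone is not enough, since a repackaged copy on Google Play still fails the package and signer pins. The homoglyph table is a heuristic and will not catch every spoofed label, which is why the certificate comparison is the check that actually decides.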

Even following the rules to be "app protected" (establishing the origin of an app and using password protection) does not guarantee transactions are 100% secure. The problem lies in the development process. When we develop mobile banking apps (Plastyc, for instance), we go through a number of audits. These show that modern mobile operating systems are well built and let an app be developed on a robust, secure architecture. However, the skills and expertise needed to develop an app securely on such an OS are not always available in the development departments of financial organisations. Of the several apps we recently audited, not a single one was completely secure. A few had gaping holes waiting to be exploited by a hacker of even mediocre skill.

In such a worst-case scenario, the bank would take responsibility for the loss and the user would probably get the money back once the fraud has been reported. But the experience, and going through that process, means hassle for customers, which will discourage them from using mobile banking in the future. They might even change bank as a result.

This makes us wonder all the more why banks spend money advertising something that is unpopular and dangerous to use. I’m a big supporter of mobile banking products, as they make our lives easier, but only if personal data are handled correctly and to the highest security standards available. I can’t shake off a chilly feeling when I read the analysts’ reports and see the actual inner workings of many publicly available apps. Even if the chances of something going wrong are low, they are real and should be treated as such. Only if banks realise they need to spend money getting their apps right in the first place can they advertise something of real value.