Unfortunately, many mobile banking apps don’t support 2FA at this time. That means that if someone gets hold of your phone and works out your banking password, they have access to your account. (If you don’t have two-factor enabled on your web-accessed account, they’ll have access to that too, but you do have 2FA enabled, right?) If your banking app does support 2FA, enable it as soon as possible.
On the other hand, if it doesn’t offer 2FA, you may want to consider removing the app from your phone. Also check how the second factor is delivered: it only protects you against a phone thief if it can’t be completed from the stolen phone itself without another password or form of identification. If the bank just texts a code to your phone, that code does you no good when someone else is holding the phone.
Poor Password Protection
Another weakness that many mobile banking apps have is that they allow you to save your password. This is convenient for opening the app quickly, but it also means anyone who has your phone can get into your accounts without knowing the password at all. Hopefully you don’t have your password saved, but if you do, disable that feature right away.
SSL Certificate Validation
In 2014, researchers found that many mobile banking apps didn’t verify the SSL certificates presented to them when opening an encrypted connection (the same flaw turned up again in a number of UK mobile banking apps in 2016). This means that an attacker positioned between your phone and the bank could impersonate the bank by presenting a home-made certificate: the app never checks whether the certificate is valid and was issued for the bank’s domain, so the connection is encrypted, but to the attacker rather than to the bank.
Of course, finding out whether or not your mobile banking app has this flaw is going to be very difficult. I looked at the FAQ for my own bank, and its explanation of the security features doesn’t answer this question:
We use 128-bit Secure Socket Layer (SSL) technology to encrypt your personal information such as User IDs, Passwords and account information.
Getting more information than this is likely to be quite difficult. A statement like that describes the encryption strength, which is not the issue; the question is whether the app checks who it is encrypting to. You could try to find research or tests done on your specific app to see if it verifies SSL certificates, or get in touch with your bank to find out. Or, if you’re worried about this particular vulnerability, you can just stop using the mobile app.
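What “not checking the certificate” looks like in client code, and what a correct client does instead, as an added example in Go that is not code from the original article or from any bank’s app. It stands up an impostor server on loopback with a constructed self-signed certificate (no real bank is involved; bank.example and evil.example are placeholder names) and then connects to it four ways: with verification switched off, the way the flawed apps behaved; against the system trust store, the way a normal client works; and pinned to the bank’s own certificate, once under the right name and once under the wrong one. Only the broken client and the correctly pinned client get through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check aborts on setup errors; they are not the validation outcomes this is about.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert makes a throwaway certificate for host, signed by its own key: the
// attacker's "home-made" certificate. No trust store accepts it unless told to.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // hostname checks match against the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// startServer plays the impostor bank on loopback: it presents cert to every
// client, finishes the handshake if the client lets it, and hangs up.
func startServer(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() { // serve until the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c) // fails if the client rejects us
		}
	}()
	return ln
}

// accepted reports whether a client using cfg completed a handshake with addr,
// i.e. whether it accepted the certificate the server presented.
func accepted(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err == nil
}

// insecureConfig is the flaw from the article: chain and hostname checks are
// skipped, so any certificate at all is accepted.
func insecureConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, InsecureSkipVerify: true}
}

// verifyingConfig is the correct client: the chain must lead to a root in roots (nil
// means the system trust store) and the name must match host. Pinning = a pool holding only the bank's own cert.
func verifyingConfig(host string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: host, RootCAs: roots}
}

type Results struct {
	SkipVerify      bool // validation off: accepts the self-signed cert
	SystemRoots     bool // system trust store: rejects it
	PinnedRoot      bool // pinned to this exact cert: accepts it
	PinnedWrongName bool // pinned, but expecting another hostname: rejects it
}

func runScenarios() Results {
	const host = "bank.example" // placeholder, not a real bank
	cert, leaf := selfSignedCert(host)
	ln := startServer(cert)
	defer ln.Close()
	addr, pinned := ln.Addr().String(), x509.NewCertPool()
	pinned.AddCert(leaf)
	return Results{
		SkipVerify:      accepted(addr, insecureConfig(host)),
		SystemRoots:     accepted(addr, verifyingConfig(host, nil)),
		PinnedRoot:      accepted(addr, verifyingConfig(host, pinned)),
		PinnedWrongName: accepted(addr, verifyingConfig("evil.example", pinned)),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios())
}
```

Run it with go run and it prints which client configurations accepted the impostor. Note that every one of those connections was encrypted, including the one made with InsecureSkipVerify, which is why a bank’s “128-bit SSL” statement says nothing about this flaw. The mobile equivalent of that setting is a custom trust manager or URL session delegate that accepts any certificate chain it is handed.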
Another study found that many banking apps would run on jailbroken or rooted devices. That is a risk in itself, because jailbreaking or rooting your phone removes some of the sandboxing that keeps apps from reading each other’s data or interfering with each other. On such a device a keylogger could capture your credentials, or another app could hijack the banking app’s connection.
Potentially Unknown Risks
As with any other app, there could be vulnerabilities in mobile banking apps that we aren’t aware of yet. Banks haven’t exactly earned a great reputation for securing their mobile apps, and it’s quite possible that someone will find more vulnerabilities in them in the future (or already has).
All in all, unless you absolutely need to use a mobile banking app, it’s probably a better idea not to. They can be convenient, especially if you use the app to make transfers on a regular basis, and it’s unlikely that you’ll be the victim of an attack… but the stakes are awfully high. Having someone else get access to your bank accounts could be an absolute financial nightmare.
Is the added convenience worth the risk? It’s ultimately up to you, but it’s important to be aware of the potential problems you could face.
Do you use mobile banking apps? Will you continue using them after finding out that there might be some security risks? Or do you find the convenience worth the potential problems? Share your thoughts in the comments below!