How to use mobile banking safely


Mobile banking is now more popular in the UK than banking from a PC – and twice as popular as visiting a local branch – so it's no surprise that cybercriminals are just as interested in compromising your phone as your laptop. That's no reason to get paranoid, though. Attackers haven't changed their modus operandi, and mitigating the threat comes down to a few simple steps.

In fact, attackers barely need to change their approach when targeting mobile banking rather than internet banking. The route of least resistance is still the favourite, and that usually means exploiting end-user behaviour.

What has changed is the attack surface, which has grown with the move to mobile. Attackers once concentrated on badly written application code and social engineering; now the device itself and the network it connects over are targets as well.

Lock your devices

Let's start with the devices themselves, which means the phone in your pocket. Whatever platform it runs, an old operating system carries more risk when banking than an up-to-date one. Apple ships a single version of its OS and pushes each update hard, so an iPhone tends to be better patched than the average Android phone, especially one running a vendor-specific build that lags behind Google's releases. Unpatched vulnerabilities are far more common on older versions of Android, and are likely to stay unpatched. So your first step is simple: check for updates, and install them.

Then there's locking the device. The number of people who sacrifice security for the convenience of not entering even a four-digit lockscreen PIN is remarkable. Yes, most banking apps require a username and password to log in, often with a second factor on top, but these only delay an attacker who has the unlocked phone in hand. With full access to contacts, email and social networks, a smart attacker can gather information that points to the username and password, or reset the password through the email account on the same phone.

Mitigate the risk by enabling the lockscreen, preferably with a password or a long PIN rather than the default four digits. If the device has a fingerprint reader, use it to keep attackers out. Also enable whatever remote lock and wipe functionality the mobile platform provides. If there isn't any, consider the peace of mind offered by third-party software and services such as Avast (see the sidebar below).

Lock down your network

Network connections are even more problematic, and again the insecurity comes down to convenience. A phone will join any Wi-Fi network it already knows, or any open one, whenever it is in range, and in a coffee shop that likely means an unsecured public hotspot. Or worse.

Yes, worse. Attackers are adept at setting up their own open hotspots with names plausible for the location. Anyone who connects is routed through the attacker's equipment, which logs the traffic and copies anything not encrypted end to end, including credentials, if the banking session or any link it loads travels over plain HTTP while the user checks a balance or transfers funds.

Genuine public Wi-Fi isn't much safer, because anyone on the same open network can "sniff" the traffic with readily available tools. The best mitigation is the most obvious one: don't use public Wi-Fi for mobile banking. Disable Wi-Fi before setting off, so that only the cellular connection, which is far harder for a bystander to intercept, is available.

If banking while you drink is unavoidable, connect through a VPN client (see the sidebar below) so that all traffic travels inside an encrypted tunnel and the hotspot operator, legitimate or not, sees only ciphertext. Bear in mind that this moves trust from the hotspot to the VPN provider, which now sits on the path of everything you send, so pick one you would trust with your traffic.

The apps

I haven't yet mentioned the mobile banking apps themselves. There's a reason for that: on the whole, they're pretty secure. But pretty secure isn't the same as airtight. When IOActive security researcher Ariel Sanchez revisited his 2013 research last year (pcpro.link/258bank), he found that mobile banking app security had improved greatly, but still had some way to go.

The "good" news: 42.5% of the apps offered an alternative authentication method. The bad news: 35% of them contained non-SSL links, meaning content loaded over plain HTTP rather than TLS. A link like that gives an attacker on the network path a way to tamper with the response and inject arbitrary JavaScript, for example to launch a fake login prompt. That's another good reason to use a VPN when banking on a mobile device, although the VPN only moves the exposure to the far end of the tunnel; the proper fix belongs to the bank.
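The check behind that 35% figure is a static one: pull the strings out of a decompiled app and look for anything fetched over plain HTTP, then cross-reference with the Android network security config, which decides whether the platform will actually let such a request out. The script below is an added example written for this article, not IOActive's tooling or any bank's code. It assumes input text of the kind apktool produces (strings.xml plus smali) and a network_security_config.xml; the sample app text, the `example-bank.test` hostnames and the `NAMESPACE_HOSTS` allowlist are all constructed for the exercise.

```python
"""Static check for cleartext (plain-HTTP) endpoints in a decompiled Android app.

Added example, not IOActive's tooling. Input is text such as apktool output
(res/values/strings.xml, smali) plus the app's network_security_config.xml.
The samples at the bottom are constructed; example-bank.test is not a real bank.
"""
import re
import xml.etree.ElementTree as ET

URL_RE = re.compile(r'\b(https?)://([A-Za-z0-9.-]+)[^\s"\'<>]*')

# XML namespace URIs appear in every Android resource file and are never
# fetched over the network, so they are ignored (assumption for this exercise).
NAMESPACE_HOSTS = {"schemas.android.com", "www.w3.org"}


def find_cleartext_urls(text):
    """Return sorted, de-duplicated (host, url) pairs for every http:// URL found."""
    hits = set()
    for m in URL_RE.finditer(text):
        scheme, host = m.group(1).lower(), m.group(2).lower()
        if scheme == "http" and host not in NAMESPACE_HOSTS:
            hits.add((host, m.group(0)))
    return sorted(hits)


def parse_network_security_config(xml_text):
    """Map domain -> includeSubdomains for each top-level domain-config that
    permits cleartext. Key "*" records the base-config setting when it is
    given explicitly. Nested domain-configs are not modelled here."""
    root = ET.fromstring(xml_text.strip())
    rules = {}
    base = root.find("base-config")
    if base is not None and "cleartextTrafficPermitted" in base.attrib:
        rules["*"] = base.get("cleartextTrafficPermitted").lower() == "true"
    for cfg in root.findall("domain-config"):
        if cfg.get("cleartextTrafficPermitted", "").lower() != "true":
            continue
        for dom in cfg.findall("domain"):
            name = (dom.text or "").strip().lower()
            rules[name] = dom.get("includeSubdomains", "false").lower() == "true"
    return rules


def cleartext_permitted(host, rules):
    """Would the platform let this host be contacted over plain HTTP?"""
    if rules.get("*"):
        return True
    for domain, include_sub in rules.items():
        if domain == "*":
            continue
        if host == domain or (include_sub and host.endswith("." + domain)):
            return True
    return False


def audit(decompiled_text, nsc_xml=None, target_sdk=28):
    """Cross-reference the URLs found with the config. Apps targeting Android 9
    (API 28) or later block cleartext unless the config allows it; apps with an
    older targetSdk allow it by default, so every http:// link is live there."""
    rules = parse_network_security_config(nsc_xml) if nsc_xml else {}
    rules.setdefault("*", target_sdk < 28)
    urls = find_cleartext_urls(decompiled_text)
    return {
        "cleartext_urls": [u for _, u in urls],
        "reachable_in_clear": [u for h, u in urls if cleartext_permitted(h, rules)],
    }


# Constructed sample: a strings.xml fragment, one smali line and a namespace URI.
SAMPLE_DECOMPILED = '''
<string name="tos_url">http://www.example-bank.test/terms.html</string>
<string name="login_url">https://mobile.example-bank.test/api/v2/login</string>
<string name="help_url">http://help.example-bank.test/faq?lang=en</string>
const-string v0, "http://www.example-bank.test/terms.html"
xmlns:android="http://schemas.android.com/apk/res/android"
'''

# Constructed sample config: cleartext off app-wide, but re-enabled for one host.
SAMPLE_NSC = '''
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">help.example-bank.test</domain>
    </domain-config>
</network-security-config>
'''

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DECOMPILED, SAMPLE_NSC).items():
        print(key, value)
    # Same strings in an app targeting API 27 with no config: every link is live.
    print(audit(SAMPLE_DECOMPILED, None, target_sdk=27)["reachable_in_clear"])
```

Run against the sample, the terms page is flagged as a cleartext link but blocked by the base config, while the help URL goes out in the clear because its domain-config re-enables it; drop the targetSdk below 28 and both become live. Either kind of finding is what an app reviewer would raise with the bank.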

Then there are the login credentials, which should be as strong as possible, meaning the usual strong-password advice applies. Most apps apply a second form of authentication before granting access, typically a code generator, either as a separate device or built into the app.

The latter may look like security suicide, but the in-app generator is protected by its own password (different from the account login), and its job is mainly to defeat man-in-the-middle or malware attacks where the criminal doesn't have the phone. Combining "something you know" (login and password) with "something you have" (code generator or phone) has vastly reduced the risk of mobile banking. That the banking password shouldn't be reused elsewhere goes without saying, but the fact that I'm still saying it speaks volumes.

All of this assumes we're talking about genuine banking apps in the first place. Clones, or the real thing repackaged with added malware, can hoover up login details and empty accounts with little fuss. The mitigation is to install only from the official app store for your platform. Sideloading apps from an unofficial source onto a rooted device is playing into the attacker's hands.

The same goes for non-banking apps, which can undermine banking security if they carry malicious components. An innocuous-looking app whose permission requests were clicked through without reading may itself be a keylogger, or drop other malware, that captures credentials.

What else can you do?

There's plenty of debate over whether smartphone users need an antivirus or security package, but for the relatively small outlay (most cost a few pounds a year at most; some are free) the better-safe-than-sorry approach makes sense. Mobile security packages are best at monitoring background activity, filtering dangerous SMS messages and checking the privacy implications of the apps you have installed. Coupled with sensible use and up-to-date banking apps, there's no reason the attackers should win.

Three security apps to complement mobile banking

Avast SecureLine

LastPass

The importance of strong passwords can never be emphasised enough, along with not reusing the same password across services. Apps such as LastPass, free in its basic form, will not only generate a strong password for each banking application but also keep them in an encrypted vault. Access to the Android version, for example, can be gated first by fingerprint (if your device has a reader) and then by a two-factor authentication code from Google Authenticator for good measure.

Avast Antivirus & Security

Additional layers of security for your mobile device are never a bad bet. This Avast app for Android takes some of the sting out of the mobile antivirus debate by offering free protection, including malware scanning, SMS filtering, app privacy reporting and a web shield to block malware links. A "premium" upgrade for £12 per year is more about protecting the phone against theft, including remote data recovery and remotely photographing the thief. The free core protection, however, is perfectly adequate for hardening a device for banking.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.