About Chris Taylor: Chris is on the Community Review Board for SANS’s OUCH! (the security awareness newsletter designed for everyone), has given over 470 computer-related presentations at the Ottawa Public Library, and is President of the Ottawa PC Users’ Group.
I sometimes get asked if it is safe to do banking on phones. Keep in mind that there is no such thing as 100% security. It is always good to assess risks in any activity on a computer, be it a desktop computer or a phone. There are three main threats I can think of when it comes to online banking from your phone: keystroke loggers, man-in-the-middle attacks, and shoulder-surfers.
Keystroke logger
The risk is that an attacker has managed to get malware installed on your computer and they are tracking every keystroke you enter—including your account number and password—as you log onto your banking site.
Note that the risk is not unique to phones. It exists whether you are on a desktop, laptop, tablet, or phone. From Microsoft’s 10 Immutable Laws of Security: Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore. The best way to mitigate this risk is to do everything reasonable to prevent a keystroke logger from being installed. I recommend people only obtain phone apps from approved stores (Play Store for Android, App Store for iOS), and only install apps that have been around for more than a couple of months. While not a guarantee that an app is malware-free, it certainly helps.
And—preaching to the choir here—use a program like GlassWire on your Windows PC. Set the firewall section to Ask to Connect and turn on Automatically analyze all apps with network activity with VirusTotal. When a new program tries to access the network, you can see if the dozens of anti-malware programs at VirusTotal think it is clean.
Man-in-the-middle (MITM) attack
In a MITM attack, the attacker hosts a Wi-Fi hotspot with the same name as the hotspot run by a legitimate organization such as your favourite coffee shop. If you connect to the attacker’s access point, all your traffic goes through their computer and is then automatically passed on to the destination server you are communicating with. End-to-end encryption normally prevents the attacker from seeing the traffic, but it is possible for the attacker to establish an encrypted session between you and them and re-encrypt the data under a separate encrypted session between them and the destination server. In this manner, they can see all the unencrypted traffic.
This is one area where using a bank’s app is probably more secure that using your web browser to do online banking. It is far easier for the bank to build defences into their app to guard against man-in-the-middle attacks.
You can also mitigate MITM attacks by ensuring you are not connected on Wi-Fi and use the mobile network instead. While a malicious IMSI-catcher could intercept your phone signal, that only intercepts texts and phone calls, not data streams.
Another mitigation against MITM attacks is to use a VPN. By using a VPN, you establish an encrypted tunnel between your computer and the VPN server. The MITM attacker has no access to the unencrypted data. You are transferring your trust to the VPN operator, who is presumably more worthy of trust than someone who sets up a rogue WiFi hotspot!
Shoulder surfers
In this risk, someone nearby watches as you log onto your bank site and notes the account number and password as you type them in.
This is probably the easiest to guard against. Simply looking around is often enough. But it is possible for cameras to be watching as well, and these may not be as easy to spot.
Some password managers can automatically logon to sites for you, removing the need to manually enter your account number and password, and foiling a shoulder surfer.
Multi-factor authentication is also a good defence. In that case, simply knowing your account number and password is not enough; you also need your device or your biometrics. Your bank’s app may also have safeguards tying it to your phone.
Bottom line
Overall, I think the risk of banking on phones is pretty low. You can probably minimize the risk by using your bank’s app and—as always—keeping your phone free from malware. And don’t forget to have strong authentication to access your phone and always keep it under your control.
I would be happy if anyone has other ideas when it comes to any of my articles. I consider myself knowledgeable, but I don’t claim to be an expert. Please add your thoughts through the comment field.
