According to a new study from Yodlee Interactive, while physical banks continue their decline, nearly a third of U.S. adults with a bank account say they use a mobile device to access their banking information. The study conducted by Harris Interactive found that close to half of those with a bank account access their banking information on their smartphone compared to 36% of tablet owners who have a bank account.
But given that mobile banking is a frequent target of mobile malware and most consumers don’t use security software on their mobile devices, just how safe is mobile banking?
It depends on banking customers’ behavior and on their physical location, according to James Gabberty, a professor of information systems at Pace University in New York City. In an article this year in American Banker, Professor Gabberty says smartphone connections made through wireless access points, such as WiFi hotspots and those in homes and offices, can expose banking customers to hacking attacks that result in the theft of their log-in credentials.
That’s not good news for smartphone users who bank on the go. Their devices account for 40% of all hotspot connections – more than any other device, according to a 2012 study from the Wireless Broadband Alliance.
Professor Gabberty says mobile banking at WiFi hotspots isn’t just a security issue for customers. Since most hotspots aren’t secure, smartphone owners connecting through public WiFi can give hackers another possible entry point into banks’ internal networks.
Another WiFi worry for those who use mobile banking: Professor Gabberty says a serious concern for smartphone-based banking apps is the encryption protocol used by the WiFi device to transmit customer data between the phone and the access point. WPA2 is the most secure while WPA is somewhat secure. But WEP is not secure. It was cracked years ago and can be hacked in minutes. For smartphone banking to work correctly, Professor Gabberty says banks should educate consumers to use secure encryption.
Every time mobile banking customers use unsecured wireless networks to deposit checks, pay bills or move money between their accounts, they risk falling prey to cybercrooks who can eavesdrop on their sensitive information or set up rogue WiFi hotspots to steal it. The risk is compounded because smartphones are always on. Yet study after study has demonstrated that smartphone owners fail to take the same precautions to secure their devices that they take with their desktops and laptops.
Professor Gabberty calls on banks to take the initiative to educate customers about safe smartphone use. Will that happen any time soon? Smartphone owners shouldn’t bank on it.
Here are several ways smartphone users can take responsibility for their own wireless security every time they use mobile banking:
- Install firewall and anti-malware apps on mobile devices. And be diligent about installing app and OS updates.
- Use long, strong passwords that mix upper- and lower-case letters, numbers and symbols. Use a different password for each site and don’t check the box that automatically saves them.
- Check before you connect to any hotspots with unusual names. Ask the establishment for the correct hotspot name to ensure the hotspot you’re connecting to is the real one, not a fake set up to steal your information.
- Don’t connect to any network whose name appears with two tiny computer symbols. That’s a sign you’d be connecting directly to someone else’s computer, not a legitimate WiFi hotspot.
- Disable features that automatically connect your device to any available network to avoid accidentally connecting to a fake WiFi hotspot or a stranger’s computer.
- Disable printer and file sharing options when you’re at a hotspot.
- Don’t be fooled by what may look like an authentic banking site. If it asks for additional sensitive information, it could be an example of phishing.
- Avoid logging in to websites that don’t have secure login pages, indicated by the padlock in your browser and https in the URL. But keep in mind that an encrypted website only protects the information sent to and from that site. It doesn’t protect all the information sent over a public WiFi hotspot.
- Log out of all websites and turn off WiFi connectivity when you’re not using it.
- Use a virtual private network to protect your sensitive information when you’re using WiFi hotspots. The Federal Trade Commission recommends it: http://www.consumer.ftc.gov/articles/0014-tips-using-public-wi-fi-networks. That’s because a VPN sends your information through an encrypted tunnel, which keeps it unreadable to anyone eavesdropping on the hotspot.