The FDIC released their biannual Supervisory Insights report this week, and directed their focus towards mobile banking and the risks inherent to using one’s phone to do banking. The report recommends increased vigilance on the part of banks to protect their customers’ data, as they rush to put apps and products on the market.
It also makes a very clear distinction between mobile banking and mobile payments, but it does raise issues that plague both. Mobile security has been in the spotlight in recent weeks as Verizon blocked Google Wallet from its Galaxy phone, citing security concerns.
But the FDIC report focuses on mobile banking only, identifying its three manifestations as: SMS, mobile-enabled Internet browser, and apps.
SMS provides its own security risks, the FDIC says, “because text messages cannot be encrypted, increasing the likelihood that SMS-based mobile banking users may be susceptible to scams.”
As for mobile browsers, one of the biggest risks the FDIC sees is that your phone’s display is too small! Because of this, “customers may miss a visual warning that their online banking session has been compromised.”
Mobile apps, predictably, are considered about as secure as mobile browsing, if not more due to “secure coding techniques.” But the report adds that the “rush to get mobile applications to market, secure code review and testing may not be sufficiently robust.”
To illustrate this point, the FDIC cites a study by viaForensics, a tech security website, on app security across four different types of apps: banking, social networking, productivity, and retail. The study rates apps’ safety for users by examining how much data are stored on the device, and “whether these data are stored securely.” It gave three grades, from best to worst: Pass (no info is stored), Warning (some data is stored on the device, though it is done safely), and Fail (unencrypted data are kept on the device).
Banking apps had only a 44% Pass rate. 25% got a Fail. Social networking fared worse, with 74% receiving a Fail.
The FDIC believes that the three biggest threats to mobile banking are malware, data transmission security, and compliance risks. Of these, the last is the most troubling is likely that of data transmission. Your cellphone must “authenticate” itself when it interfaces with a cell tower, the report explains, but the cell tower need not do the same with the phone.
“Therefore, it is possible to build and operate a rogue cell phone tower, trick mobile devices into connecting to the rogue tower, and hijack the mobil session, potentially compromising mobile banking sessions,” says the report.
The idea of a rogue cell phone tower is at once hilarious and troubling. We transmit a lot of personal information with our phones, everything from our intimate thoughts to our Chase online password. It is worth considering as these apps proliferate: just who can see what you’re doing? And will mobile wallets, which are virtual versions of your credit and debit cards, be secure? viaForensics recently reviewed the Google Wallet, praising some security elements, but pointing out that it stores unencrypted information on the device — that’s a Fail.
With the convenience these applications provide, they also have their fair share of risks. It’s certainly worth considering before diving headlong into mobile banking.