Mobile Banking: How Secure Are Banking Apps?

using a bankin app

More and more people use their smartphone as a bank counter. But how secure is mobile banking, and what do consumers need to be aware of?

Germans have struggled to get used to doing their banking business from home on their computers. But once they have overcome their distrust of Internet banking, they will have to face the next stage of development: mobile banking.

The reason for this is simple. The banking industry is currently facing a tough battle in the competition, especially for young customers. The symbol for this is N26. Until 2016, the so-called Fintech operated under the name of Number26 and has since held its own banking license. The trademark of this credit institution is account management with the smartphone. One of N26’s advertising slogans is that you can open a checking account with your smartphone within eight minutes.

Banking becomes easier

Large direct banks such as ING-DiBa or Comdirect, but also the savings banks, are jumping on this bandwagon. „Our customers can scan an invoice with our app. The program identifies the IBAN, the payee and the invoice amount on the invoice and generates a transaction from this, in which the customer no longer has to laboriously enter the 22 letters or digits of the IBAN by hand as was previously the case,“ explains a speaker of Comdirect.

Another example is the much praised Kwitt function in the app of the savings banks and Volksbanken. This is used to specifically address young people. Kwitt enables bank customers to transfer money to friends and acquaintances using their smartphones without having to enter an IBAN. All he has to do is click on the contacts in his smartphone.

When the bill is due after a social evening with friends in a restaurant, only one pays. The others transfer their share within seconds with one click on their cell phones. This works up to an amount of 30 euros even without a TAN.

The simplest banking today, however, is offered by modern Internet banks, which are often also called virtual banks. There are no branches any more, everything runs only via cell phone or, if necessary, via the browser on the computer at home. This is especially beneficial for online business banking.

Sophisticated security concept

Sounds all good. But how secure is mobile banking? What risks do bank customers run when they transfer money via their smartphone at the stop in front of the next bus or elevator? What do they need to do to make their cell phones safe from cyber attacks?

With classic online banking, it works like this: anyone who transfers money on their computer via the Internet is given a transaction number (TAN) with which they authorize the transfer on their computer. He usually receives the TAN on his smartphone – either by SMS or as a photo TAN. But this two-channel procedure, i.e. the separation of the bank transaction and access to the TAN, does not actually work with mobile banking, where everything takes place on the smartphone.

Only the savings banks are trying to maintain the two-channel procedure for mobile banking as well. To do this, they work with two apps. In addition to the actual Sparkasse app for banking transactions, they offer a so-called S-pushTAN app. This means that the customer receives the TAN required for a transfer separately via this pushTAN app. This TAN can either be manually transferred to the actual banking app or is automatically taken over by the app. Only then a transaction is possible.

New security architecture

N26, on the other hand, relies on a multi-level security concept: „The first step is to link your smartphone to your account. To do this, the device is registered with us,“ explains a speaker from N26. For this purpose, the customer, who has a password for his account, receives a link code from the bank via SMS. Once the smartphone is registered, the customer must later log in to N26’s app. This is done either with the password or by fingerprint. With Apple devices, it also works via face recognition.

For the actual transaction, for example for a bank transfer, the customer then needs a transaction PIN, which he or she sets up in advance. Hauer: „You can compare this with the PIN you use when you withdraw money from an ATM.“ N26 also offers a fourth level of security. „We send our customers a push notification every time their account is moved.“ The customer is notified by push message or e-mail that, for example, 100 euros have been debited from his account to pay for a product. If he does not know this account movement, he can immediately object to the debit.

Security Risks

The German Federal Office for Information Security (BSI), on the other hand, is skeptical. There it says on this topic: „When it comes to mobile banking, we believe caution is advisable. The fact that the communication with the bank is not carried out via two separate hardware components is a weak point from the point of view of the BSI.

In reality, attacks on smartphones would in any case be less likely to be carried out with the help of malware that is secretly installed. „In everyday life, the good old phishing mails with which access data and passwords for accounts are fished off are a much greater danger“.

So far no damage cases

ING-DiBa takes a similar view. „We know that some customers make mistakes when using our app on their smartphones. But we have never had a case of damage where a third party would have gained access to a customer’s account due to a security gap in the app.

Anyone using the ING-DiBa banking app must first register the app with the bank, similar to N26. The app is then „wired“ to the smartphone. This means that the app only works on this device. For transactions, the customer must then log in to the app either with a five-digit mobile PIN or via fingerprint or face scan. When accessing the account, the bank then checks whether the smartphone and app are authorized to do so.

Login via biometrics

Biometric procedures, such as touch ID (fingerprint) or face scan, suggest that you are on the safe side with mobile banking. But is this also true? A fingerprint stored on a smartphone is actually nothing more than a saved file.

A speaker of INGDiBa disagrees: „To identify a fingerprint, we use a technology that is offered by Apple, among others. This has nothing to do with our own security architecture. If Apple’s iOS operating system were to be hacked, it would be an attack on Apple. In other words, a hacker would not attack our bank, but Apple worldwide“.

Update operating systems

The fact that neither N26 nor ING-DiBa and Comdirect require their customers to have virus scanners on their smartphones shows that this self-confidence is not fake. „In contrast to traditional online banking, where customers access our site on the net using a third-party browser, with mobile banking they use our specially developed app, including its protective mechanisms,“ explains Comdirect.

A BSI spokesperson confirms that mobile banking really does give banks the ability to detect and respond to attacks on their apps. However, it is too early to be able to assess these defense strategies in the long term.

After all, all three banks merely recommend that their customers keep the operating system on their smartphones up to date. This is because older versions of the operating system are sometimes no longer supported by the banks, as security gaps can actually open up here. They switch off their banking app on smartphones with older operating system versions, such as Android 4.0, to protect the customer.

Conclusion

Sooner or later there will be no way around mobile banking. However, anyone who does not need to access their account on a daily basis should first dose this form of banking. To get started, it is advisable to try out the banking app for simple account balance queries only. Transactions that need to be authorized should only be carried out with it later.