The ways in which online banking and mobile banking are used are constantly evolving, which is linked above all with the development of the FinTech sector. A key issue remains the security of transactions and of the funds customers keep in their bank accounts. Is the use of online and mobile banking safe these days?
Is online banking safe – what can history teach us?
The financial sector is an especially attractive target for hackers. Over the last year, cyberattacks all around the globe have paralysed the activity of financial institutions. One example is the phishing attack on the Maltese Bank of Valletta: given the scale of the threat, the bank decided to block all operations and take its website offline so that the infrastructure could be analysed [1]. The British Metro Bank, in turn, was the target of a new type of cyberattack that exploited weaknesses in the SS7 protocol, allowing the attackers to intercept the authorisation messages used to confirm transactions [2].
Are mobile banking applications safe? Attackers do not only exploit vulnerabilities in the security systems used by the banks. Just as often they target the customers themselves, taking advantage of their insufficient knowledge. One example is the case in which hackers created and distributed through Google Play an application posing as the app of the Polish bank BZWBK (now Santander), with the aim of harvesting the users' information.
As these examples show, even though keeping funds safe is not the banks' obligation alone, it is the banks that play the key role in securing transactions. In an era of constantly evolving threats, there is great pressure to implement new solutions quickly and to use them alongside the security systems already in place. One answer to these threats is the PSD2 Directive (2nd Payment Services Directive) adopted by the European Parliament, which provides for two-step authentication of the customer's identity by means of a code received from the bank through a channel other than the banking application.
Security of the online banking apps – solutions used by the banks
Currently, the most effective method of securing access to online banking is two-factor authentication (2FA). First, the user enters their login data, and then confirms the operation with a unique code received from the bank through a channel other than the banking application. Banks use a variety of additional strong authentication methods, including the already mentioned text messages sent to the customer's phone number, one-time passwords, smart cards, hardware tokens and mobile solutions.
How secure are banking applications and browser-based online banking if the bank uses the solutions mentioned above? Today, some of these methods are being replaced with more innovative security features. For example, lists of one-time passwords come in two forms: a printout of passwords, or scratch-off cards (the user has to remove the outer layer to read the code). However, because a printed list can be seen by others, and because scratch-off cards may not satisfy the legal requirements, many banks have stopped using these methods and implemented newer, better ones.
Business customers and institutions can authenticate their identity and authorise transactions with smart cards. This method uses a dedicated smart card carrying a certificate; the card is inserted into a reader connected to the computer and the transaction is then authorised with a PIN.
Because the SS7 protocol has proved vulnerable to cyberattacks, in cases where security is of key importance authorisation relies on solutions built on state-of-the-art cryptographic methods. One example is tPro ECC, a hardware token developed by Comarch. It is resistant to remote attacks thanks to, among other things, a Human Presence Detection mechanism (the user has to press a button) and an encrypted TLS channel. Moreover, no drivers need to be installed. Because of the cost and the need to have an additional device at hand, physical tokens are mostly solutions for business customers of banking services.
How to ensure security for customers using bank apps?
While online banking has been a well-known service for some time, mobile banking has become popular only recently. Is online banking on mobile devices safe? What does the security of online banking look like on Android or iPhone devices?
For mobile solutions, banks likewise use a variety of methods for confirming their customers' identity, together with advanced security systems. The most popular are PUSH notifications and authentication with biometric data.
Currently, many banks use PUSH technology in their mobile applications to authorise transactions ordered by the user and as an element of two-factor authentication. Depending on the solution, when the user logs in, sends a transfer or changes account or card parameters, a notification is sent to the mobile device registered with the bank. PUSH notifications have an advantage over text messages: they are resilient to attempts to intercept or modify them. To defeat this security feature, a hacker would have to steal the customer's device.
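As an added illustration (not code from the original article or from any Comarch product), the following Python model shows the property behind the PUSH-based confirmation described above and the second-factor step described earlier: the approval is computed over the exact transaction details shown on the registered device, so it cannot be replayed or transplanted onto a modified transfer, unlike a bare code typed from a text message. The HMAC device key established at registration and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def tx_digest(recipient: str, amount_cents: int, currency: str) -> bytes:
    # Canonical encoding of the details the customer sees on the device screen.
    return hashlib.sha256(f"{recipient}|{amount_cents}|{currency}".encode()).digest()

class BankServer:
    """Issues one-shot, transaction-bound challenges and verifies device approvals."""
    def __init__(self) -> None:
        self.devices: dict[str, bytes] = {}                 # device_id -> key shared at registration
        self.pending: dict[bytes, tuple[str, bytes]] = {}   # challenge -> (device_id, tx digest)

    def register_device(self, device_id: str) -> bytes:
        self.devices[device_id] = secrets.token_bytes(32)   # assumed registration: random device key
        return self.devices[device_id]

    def push_challenge(self, device_id: str, tx: tuple) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = (device_id, tx_digest(*tx))
        return challenge

    def verify_approval(self, challenge: bytes, tag: bytes) -> bool:
        entry = self.pending.pop(challenge, None)   # consumed on first use, so a replay finds nothing
        if entry is None:
            return False
        device_id, digest = entry
        expected = hmac.new(self.devices[device_id], challenge + digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def device_approve(key: bytes, challenge: bytes, shown_tx: tuple) -> bytes:
    """The registered phone signs the challenge together with the details it displayed."""
    return hmac.new(key, challenge + tx_digest(*shown_tx), hashlib.sha256).digest()

def run_scenarios() -> tuple[bool, bool, bool]:
    bank = BankServer()
    key = bank.register_device("phone-1")
    original = ("PL00000000000000000000000000", 25_000, "PLN")   # constructed sample transfer
    altered = ("PL00000000000000000000000000", 2_500_000, "PLN")
    # 1. Honest flow: the phone shows the same details the bank is about to execute.
    ch = bank.push_challenge("phone-1", original)
    honest = bank.verify_approval(ch, device_approve(key, ch, original))
    # 2. Replay: re-sending the already consumed approval is rejected.
    replay = bank.verify_approval(ch, device_approve(key, ch, original))
    # 3. Tampering: the amount was changed after the customer approved, so the approval no longer matches.
    ch2 = bank.push_challenge("phone-1", altered)
    tampered = bank.verify_approval(ch2, device_approve(key, ch2, original))
    return honest, replay, tampered   # (True, False, False)
```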
Are banking apps safe for Android and iOS?
Another commonly used security feature is biometric authentication. Banks employ a range of biometric methods, for example Finger Vein (based on the unique pattern of veins in the finger), voice biometrics, or Palm Vein (the pattern of veins in the palm), used for instance by the Bank of Tokyo. Biometric authorisation is becoming increasingly popular in mobile applications. Is online banking on an iPhone safe if it uses biometric technology? On iOS phones the commonly available method is Face ID, that is, authentication by recognising the geometry of the user's face. Similar methods are available to Android users. Fingerprint sensors, popular on both Apple smartphones and Android-based devices, are another example; many banking applications allow logging in or authorising operations with them.
One online banking solution that meets the requirements of the PSD2 Directive is the tPro Mobile platform offered by Comarch. It is designed to integrate with the products offered by the bank while supporting strong user authentication and transaction authorisation.
In the ever-changing cybersecurity environment, banks need to pay special attention to the safeguards they use. Online banking requires advanced technologies that keep banking applications one step ahead of attackers and protect even those customers who sometimes ignore basic safety principles.
[1] Timesofmalta.com, BOV goes dark after hackers go after €13m (accessed 30/03/2020).
[2] Telegraph.co.uk, Metro Bank hit by cyber attack used to empty customer accounts (accessed 30/03/2020).