Security-assessment firm IOActive recently identified security flaws in 40 mobile banking applications for iPhone and iPad that are used by some of the world's leading financial institutions.
The alarm coincides with recent data showing that more than half of smartphone users on both the iOS and Android platforms frequently use their bank’s mobile site or app.
Faculty experts at the University of Maryland’s Robert H. Smith School of Business say the risks can be mitigated.
Among the IOActive findings, all tested apps could be installed on jailbroken phones, which nullifies the device's built-in security features. Also, about half the apps were susceptible to cross-site scripting, an attack technique that can be used to prompt users to re-enter their username and password.
- Use two-factor authentication, which adds a PIN code to the username/password at login and vastly increases the system's security against cross-site scripted impersonation attacks. “Banks are starting to roll this out, but it's usually user-enabled.”
- Create long passwords – as lengthy as your system allows. Short passwords, even with numbers and symbols, are easily hacked. “The structural security flaws in most online banking systems are minor compared to users’ weak passwords.”
- Never use a password based on personal information, such as a child’s birth date or home address.
- Always log off any financial site when finished.
No security system is perfect, Rand says. “The endgame here is to make the degree of difficulty high enough to dissuade the attacker.”
“On the positive side, the ability to audit your own financial accounts online, 24 hours a day, rather than having to go to a bank in person to audit transactions, increases your overall financial security,” he says. “In the end, the convenience of online banking probably outweighs the risk to consumers, who ultimately must weigh that decision for themselves.”
Banks should be assessing themselves as well. “The (IOActive) findings, if accurate, suggest the banks have underestimated the probability of potential cybersecurity breaches associated with their mobile apps,” said Lawrence Gordon, Smith's EY Alumni Professor of Managerial Accounting. “Under this scenario, the Gordon-Loeb Model for Cybersecurity Investments would suggest that the banks are underinvesting in cybersecurity.”
(The model, a guide to calculating a firm’s optimal investment for information security, was established by Gordon and Smith colleague Martin Loeb, professor of accounting and information assurance and Deloitte and Touche LLP Faculty Fellow.)
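The article names the Gordon-Loeb model but does not show how it is computed. As an added illustration (not from the article, the Smith School, or Gordon and Loeb's own materials), the block below works through the model with its class I breach-probability function from the 2002 paper, S(z, v) = v / (αz + 1)^β: a firm with vulnerability v and potential loss L picks the investment z that maximises expected net benefit [v − S(z, v)]·L − z, and the model's well-known result is that this optimum never exceeds vL/e. All parameter values are constructed for the example, and the `alpha`/`beta` defaults are illustrative choices rather than values from the page.

```python
import math


def breach_probability(v: float, z: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Gordon-Loeb class I breach function: S(z, v) = v / (alpha*z + 1)**beta.

    v is the probability of a breach with no investment, z the money invested.
    """
    return v / (alpha * z + 1) ** beta


def enbis(v: float, L: float, z: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Expected net benefit of information security: loss avoided minus cost of z."""
    return (v - breach_probability(v, z, alpha, beta)) * L - z


def optimal_investment(v: float, L: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Closed-form maximiser of enbis() for the class I function.

    Setting d/dz enbis = 0 gives (alpha*z + 1)**(beta+1) = v*L*alpha*beta,
    so z* = ((v*L*alpha*beta)**(1/(beta+1)) - 1) / alpha, floored at zero.
    """
    root = (v * L * alpha * beta) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def gordon_loeb_bound(v: float, L: float) -> float:
    """Upper bound on optimal spend from the paper: z* <= v*L/e (about 37% of expected loss)."""
    return v * L / math.e


def grid_search_optimum(v: float, L: float, alpha: float, beta: float, step: float = 100.0) -> float:
    """Brute-force check of the closed form: scan z from 0 to the v*L/e bound."""
    best_z, best_val = 0.0, enbis(v, L, 0.0, alpha, beta)
    z = step
    limit = gordon_loeb_bound(v, L)
    while z <= limit:
        val = enbis(v, L, z, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def underinvesting(current_spend: float, v: float, L: float, alpha: float, beta: float) -> bool:
    """True when the firm spends less than the model's optimum for its v and L."""
    return current_spend < optimal_investment(v, L, alpha, beta)


if __name__ == "__main__":
    # Constructed scenario: 60% chance of breach if nothing is spent,
    # $2,000,000 potential loss, alpha chosen so each dollar of spend has a small effect.
    v, L, alpha, beta = 0.6, 2_000_000.0, 0.0005, 1.0
    z_star = optimal_investment(v, L, alpha, beta)
    print(f"optimal investment : ${z_star:,.0f}")
    print(f"expected net benefit: ${enbis(v, L, z_star, alpha, beta):,.0f}")
    print(f"vL/e upper bound    : ${gordon_loeb_bound(v, L):,.0f}")
    print("underinvesting at $10,000:", underinvesting(10_000, v, L, alpha, beta))
```

The comparison Gordon draws in the article corresponds to `underinvesting()`: if the IOActive findings imply the banks assumed a lower vulnerability `v` than is really the case, the optimum `z*` moves up and current spend falls below it.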
Rand, who uses computer models to help understand various complex systems including financial systems, suburban sprawl and traffic patterns, is available for further comment at email@example.com or 301-405-7229.