The term “Mobile Banking” has come to mean interacting with and controlling your financial accounts from your mobile device, and using that device to make purchases with funds from those accounts. It’s convenient and mostly secure, allowing you to manage your accounts, deposit checks and make purchases, all from your smart devices. But there is a dark side to this convenience, and we will share some best practices to keep your accounts secure.
First, the situations that can put you at risk:
- Lost device – physically misplacing or losing a device so that it ends up in unethical hands.
- Compromised device – already infected by a risky website or attachment.
- Out of date/Compromised browsers and banking apps – may store passwords and pre-filled form field data and be more vulnerable than up-to-date software.
- Vulnerable networks – your device connects to public Wi-Fi, where it is instantly visible to other devices already connected, and you then perform mobile banking or online shopping.
- Phishing attacks – you may hand over your account details in response to an email scam.
The most common threat is from the Mobile Banking Trojan, Asacub. First released in 2015, it quickly became the world’s most dangerous malware targeting mobile banking users. Today it still arrives via phishing SMS text messages, and will download if the device is set to “Allow installation of apps from unknown sources”. Once downloaded, the malware will annoy the user with repeated requests for Device Admin Rights or permission to use Accessibility Services. Once it gains access, Asacub sets itself as the default SMS Messaging app and notifies the hacker. Then, when the bank sends one-time passwords through SMS, the rogue app intercepts these and gains access to the account.
A recent Mobile Banking Trojan is BackSwap, which first appeared in 2018. It injects malicious JavaScript into a browser’s address bar, which bypasses security in the browser and at your bank. It is most often delivered via phishing emails with a link or attachment the user clicks.
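For administrators who manage Android devices, the device changes described above (unknown sources allowed, a new default SMS app, Accessibility or Device Admin rights granted) can be checked from the device's settings. The sketch below is an added example, not part of the original article or any vendor's tool; the allowlists, the `audit` function and the sample values are assumptions made for illustration.

```python
# Added example: checks Android settings for the changes the Asacub description implies.
# Keys are real Settings.Secure names; allowlists and sample values are assumptions.
TRUSTED_SMS = {"com.google.android.apps.messaging"}
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}
TRUSTED_ADMINS = {"com.google.android.gms"}


def _value(settings, key):
    """`settings get` prints the string 'null' for unset keys; treat it as empty."""
    v = (settings.get(key) or "").strip()
    return "" if v == "null" else v


def audit(settings, device_admins):
    """Return a list of findings for one device.

    settings: dict of secure-setting name -> value, e.g. gathered with
              `adb shell settings get secure <key>`.
    device_admins: package names of active device administrators (how they
              are collected is left to the caller).
    """
    findings = []
    # Global sideloading switch (Android 7 and earlier; later versions grant
    # this per app, so absence of the flag is not proof of safety).
    if _value(settings, "install_non_market_apps") == "1":
        findings.append("unknown-sources-enabled")
    sms = _value(settings, "sms_default_application")
    if sms and sms not in TRUSTED_SMS:
        findings.append("untrusted-default-sms:" + sms)
    # Value is a colon-separated list of package/service components.
    for comp in filter(None, _value(settings, "enabled_accessibility_services").split(":")):
        pkg = comp.split("/", 1)[0]
        if pkg not in TRUSTED_A11Y:
            findings.append("untrusted-accessibility:" + pkg)
    for pkg in device_admins:
        if pkg not in TRUSTED_ADMINS:
            findings.append("untrusted-device-admin:" + pkg)
    return findings


# Constructed sample values: one device showing every change described above, one clean.
SUSPECT = {"install_non_market_apps": "1",
           "sms_default_application": "com.example.mmsviewer",
           "enabled_accessibility_services": "com.example.mmsviewer/.Svc"}
CLEAN = {"install_non_market_apps": "0",
         "sms_default_application": "com.google.android.apps.messaging",
         "enabled_accessibility_services": "null"}

if __name__ == "__main__":
    print(audit(SUSPECT, ["com.example.mmsviewer", "com.google.android.gms"]))
    print(audit(CLEAN, ["com.google.android.gms"]))
```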
Now let’s explore some best practices to reduce your risk:
1. Buy new devices, keep software up to date, don’t jailbreak or root them, and use biometric security to block non-owner access.
2. Regularly clear your browsing history, cache and temp files.
3. Whenever you are asked to grant an app permission, stop, think, and research the request using another device if you’re still not sure.
4. Explore your device’s settings for failed logins and finding or wiping a lost device.
5. Use only software downloaded from trusted app stores. This includes banking apps.
6. Keep software up to date, usually accomplished from your app-store app.
7. Explore security settings in your banking app and set them appropriately. Questions should be directed to your institution’s online-banking department, or your local banker. Call them using a number you already have, not a number offered by the mobile app.
8. Use your mobile banking app only when connected to trusted Wi-Fi networks or cellular connections, and turn off your device’s Bluetooth radio while banking.
9. Do NOT store your banking login or password when your web browser asks.
10. Enable 2 Factor Authentication with all your accounts, so your device will be used to verify your logins.
11. When done banking, LOG OUT of the banking app.
12. Start using a Password Manager and enable 2 Factor Authentication for access. We like LastPass.com.
13. Change your online account password annually, and more frequently if you ever see unusual activity or a device is lost or compromised.
14. Select and use mobile security software on your device. We like Trend Micro Mobile Security.
For a confidential discussion of your situation, followed by recommendations based on industry best practices, give your Technology Partner a call.
The LeeShanok Team
Tucson: 520.888.9122
Phoenix: 602.277.5757