It's easy to feel like mobile banking must be risky: Carrying around all your account information in your smartphone? Couldn't it be hacked? And what if you lose it?
The big selling point of mobile banking -- its ease of use from anywhere -- has induced millions of people to overcome those fears. But mobile banking, it turns out, may be doubly blessed: IT security experts say "thumb banking" is actually more secure than online banking from your computer.
TK Keanini, chief technology officer at nCircle, a network security and compliance auditing firm, says mobile's advantage comes down to a pair of factors: First, counter-intuitively, some of those perceived vulnerabilities in mobile devices security actually act as protective mechanisms; and second, hackers have a multiple-decade head start in creating malware for PCs compared to smartphones.
Turning Weaknesses Into Strengths
The rise of frictionless mobile payment options like Square, and remote capture options that allow you to deposit checks from your couch, has been unsettling to some. As Lynn Javitz told DailyFinance a few months ago for an article about remote check deposit apps, she took a pass on getting Chase's iPhone app due to her anxiety over security and identity theft.
But the things she sees as vulnerabilities may actually be assets.
Your smartphone is tied to you in a fairly personal way, Keanini notes, and it can be seen as "leaking personal information" about you -- for example, transmiting your location. Some might view that as a negative. "But that's a very strong factor to authentication," Keanini says. "I'm at a certain spot, and I'm authenticating it. There's no way I can be across the country doing the same thing."
It's that kind of information that can be leveraged into a range of "two-factor authentication mechanisms" that aren't as readily available on a PC, said Andrew Storms, nCircle's director of security operations. "It's pretty easy for banks to use GPS co-ordinates, SMS text messages, phone calls or some combination of these things to make mobile access to your bank account more secure."
Plus, banks can in turn use the smart phone as a type of Swiss Army knife for security -- employing the various apps and embedded features in their authenticating mechanisms, said John Pironti, security and risk advisor with the Information Systems Audit and Control Association. A bank could, for example, limit high-value transactions to certain geographic locations -- even as specific as a customer's home or office -- and require more sophisticated authentications steps in locations that have higher risk for fraudulent activities.
And the same factors that make it easy to lose a smartphone -- that they are small and we take them everywhere -- actually allow people to keep constant tabs on account activity.
"Because most users always have their phone with them, they can enable banking account alerts that identify fraudulent transactions in nearly real time," said Lamar Bailey, director of security research and development at nCircle.
Finally, in the event that a mobile device is lost or stolen, its much easier to wipe its data remotely than to do the same thing to a PC.
Beyond those technical advantages mobile has another, more sociological leg up: For the foreseeable future, hackers will keep targeting computers more than phones due to pure economic efficiency.
"It's not cost effective for attackers to develop new malware specifically targeting mobile devices as trends shift," Keanini said. "If we boost mobile security now, then we can raise the costs for future attackers and realize the potential of online banking."
Crime pays -- but, in the case of hackers, it only pays if the overhead of developing new software isn't too high.
"When you look at crime-ware in general, the bad guys also have to pick a platform," Keanini said. "They figure out how they go to market. And they can't build a crime form for every platform."
Mobile banking currently has what's called "security by obscurity," said Pironti.
"The population of hackers who have the knowledge and capabilities to develop and leverage malware for popular mobile operating systems is limited compared to the availability of tools and capabilities for more mature and widely developed operating systems such as Microsoft Windows," Pironti said.
Also, because smart phones arrived on the scene much later than PCs, they have a relatively strong "network posture" to start with, said nCircle's Storms. In other words, with because they were designed with built-in firewalls and few open services, mobile devices are much less vulnerable to network-borne attacks than computers, which are burdened by the vestigial structures of their earlier versions.
"[Smart phones] started at a place in the security development cycle much further along than the PC," Storms said, "and didn't need to account for any legacy baggage that can plague a PC."
Technical Obstacles: Mobile Apps and Hackers
On the software side of the equation, mobile banking apps pose a problem for hackers, because they are hard to imitate and are constantly changing.
"The updates come over the air and could mutate the banking application ever so slightly on a weekly basses," Keanini said. "[Hackers] would have to write custom malware every week."
"Mobile banking apps are small and very limited in functionality," Bailey said. "Often, the links to the bank servers are hardcoded, making it extremely hard to hijack sessions and send users to rogue servers. The best mobile apps are also keyed to the hardware they are installed on and don't save user names or passwords as an added security measure."
Plus, mobile devices such as Apple's iPhone typically only allow the installation of apps through app stores.
"In order for applications to be available in these stores, they typically have to go through some degree of quality review, including a security review, prior to being available for distribution and installation," Pironti said. "This limits the ability for a hacker to use traditional techniques such as phishing or trojan applications to surreptitiously install malware on a mobile device without the user's knowledge."
Hackers could make their malware available through third-party app stores with little or no oversight, such as GetJar, Slideme, Handango, and Cydia. But users can easily avoid that risk by only downloading finance-related apps from reputable sources, Bailey said.
Room to Improve
Mobile banking, of course, isn't immune to security breaches. There's a tendency in the mobile world to want to store more information on the devices, which allows them to provide a better quality of service when they are on slower cell connections, Storms said. But this can lead to trouble, as Citibank discovered a few years ago.
"Banks need to stay away from caching anything too private on the device for long-term storage," he said, "and instead rely upon a well-architected, thin application." Keeping less of your personal information on the device reduces the risk of it being compromised by anyone malicious who may come into possession of your phone.
For now, your mobile device really does have some security advantages over your PC. But that may not last.
"In time, this will most likely change," warns Pironti, "as the mobile operating systems become more widely used and attractive for the hacker community to exploit as their capabilities increase."