While waiting for my train on the platform at Richmond station, I see an advertisement of my bank inviting me to check my balance online using its mobile banking application. This strikes me as odd. Why advertise something many people would never intend to use? Banking via a mobile phone seems unsafe to many – and, actually, some of my colleagues too, despite the fact that we work in software development and can therefore see what the real security issues are, writes Dennis Margolin

According to recent research, only 35 percent of mobile users in the UK use mobile banking, below the European average of 37 percent, which is not a high figure either. Corresponding with this, Metaforic conducted research in 2012, showing that nearly 70 percent of smartphone owners do not use mobile banking apps because of security concerns.

Is this lack of trust in mobile banking justified? Let’s take a look at the latest McAfee Threat Report for a start. It states that banking malware is thriving with over 17,000 examples of "bad apps", some of which could even penetrate two-level authentication systems. Among the most frequent targets of attacks are some of the leading financial organisations, such as HSBC, Lloyds TSB, NatWest and Santander. The FCA is also concerned. It recently requested banks make their mobile banking policy more transparent. In particular, banks were asked how they would handle customers who either pay the wrong amount or wrong recipient, both potential results of phishing attacks. Also it is easy to make a mistake when typing in an amount on a mobile phone. With simplified transaction processes there’s little room for users to correct such errors.

It also did not help that smartphones received bad press in their early days on security-related vulnerabilities. Whilst this is still fresh in our minds, manufacturers have done their homework and fixed most of the issues. Apple, for instance, is a real stronghold if all settings are correct. Android is not that reliable but in general modern smartphones now are equipped with thorough data-protection systems. At DataArt, we have a fully fledged security practice team that carries out constant auditing of every system we work with, and we are impressed with the major improvements we see in the mobile platforms space. Despite of all the improvements, some risk is still there. As often, the technology is reliable. It is largely the human factor that triggers the losses of valuable data and funds.

Apple’s iOS is almost sterile. The app selection is highly accurate and assessed against malware. The iPhone itself is encrypted and can be wiped remotely if needed. However the user should know these options exist and most of all should use the password protection for screen-locking to keep data safe. It is becoming tougher for the more adventurous users who jailbreak Apple devices without understanding that when they give permission to hack their phone (and this is what the jailbreaking process is all about), they are creating a vulnerability hole the size of a train tunnel. And when they sideload apps to a manipulated device, circumventing the App store, they can never be sure whether they contain malicious codes or not.

In the Android world, things are even trickier. Here, sideloading is common. In fact, malware may be directly installed from Google’s Play store as the app platform is not as thoroughly pre-checked as the App store. It is fascinating to see how many suspicious Google apps are out there. Some of them come across as harmless; and some of them appear to be official apps – such as your own bank’s mobile app. Such an app will then ask to grant permissions in order to start using them, and it’s easy to overlook the actual source of the app. And when you least expect it, your account details are stolen.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Even following the rules to be "app protected" (by establishing the origin of an app and using password protection) does not guarantee transactions are 100% secure. The problem lies within the development process. When we develop mobile banking apps (Plastyc, for instance), we go through a number of auditing processes. These show that modern mobile operating systems are well-built and allow an app to be developed on a bullet-proof and secure architecture. However, the skills and expertise needed to develop an app on a secure OS are not always available in the development departments of financial organisations. Out of the several apps we recently audited not a single one was completely secure. A few had gaping holes waiting to be exploited by a hacker – even of mediocre skills.

In such a worst case scenario, a bank would take responsibility for any loss and the user would probably get the money back, once a fraud has been reported. But this experience and going through the process means hassle for customers, which will de-motivate them to use mobile banking in the future. They might also want to change their bank as a result.

This makes us even more wonder why banks spend money to advertise something which is unpopular and dangerous to use. I’m a big supporter of mobile banking products as they make our lives easier – but only if personal data are treated correctly and with the highest security standards available. I can’t really shake off a chilly feeling when I read the analysts’ reports and see the actual inner life of many publicly available apps. Even if the chances something negative happens are low, they are still there and should be considered as real and feasible. And only if banks realise that they need to spend money to get their apps right in the first place, they can advertise something of real value.

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up