Hold on to your passwords, folks – better yet, change them all. It’s a sad fact that your (or anyone’s) banking app may be one of the 87% of banking apps that couldn’t pass muster against hackers. If that news isn’t discouraging enough, a study by Positive Technologies finds that, out of all the types of apps they tested, banking apps are the most vulnerable to hacking. The good news is that the apps are getting better every year, with high-risk vulnerabilities dropping fast. The vast majority of the vulnerabilities found will not result in your account being hacked or money stolen; that job belongs to malware, which anyone can pick up at any time.

Mobile banking apps came out far better than their online banking partners, with 0.6 critical errors per application vs. 1.5 for online banking.

As a reminder, the Equifax mega-breach that put over 147 million consumers’ sensitive data up for sale, the largest single data breach of 2017, is believed to have been caused by Equifax itself: it was discovered that the company neglected to apply a security patch earlier that same year. The study finds hackers troll for cyber weaknesses of all types, from corporate data systems to individual users.

Another Positive Technologies study reveals that human error is responsible for opening many doors to hackers. Thieves use sophisticated phishing techniques, tricking employees into downloading malicious files. In this study, emails were sent to employees with links requiring them to give their passwords. Out of the 3,332 emails sent, 575 employees (17%) did what they were asked in the email. The study also discovered that the most effective phishing method used was a simple email link. Without paying attention to the URL they were being redirected to, 27% of employees clicked their way into hackdom. Note: Whether at home or at work, always carefully check the URL before clicking.

By now we know hackers aim to get as rich as possible as quickly as possible. Some have political axes to grind and still others ransom stolen information or cryptomine bitcoin. Although a hacker’s motives and modes may change over time, the need for safer banking apps is clear. The report concludes “Merely detecting (system) vulnerabilities, of course, is not enough: Developers have to make fixes to code…any delay in remediation means more opportunities for attackers.”

Barring that, what’s everyone to do to help protect data? Turn on multi-factor authentication (MFA) whenever it’s offered. Most financial institutions do offer this now and it’s a great line of defense. If a hacker pilfers your password, they will also need some other form of authentication to get into your account. It’s unlikely they will easily have or be able to get to both.

Also, keep your passwords strong, change them regularly, and don't give them to anyone else. Even the "IT Guy."

At one point in time, a robber would enter a bank, grab the money and run. Today’s bank robbers get online and keep the data-to-dollars hacks rolling with security-weak apps. The need for vigilant app developers, corporate dedication to cyber-resiliency, together with continuing employee education and consumer vigilance, might just lead to a financial fortress for us all. Much easier said than done.