Mobile Banking: 5 Rules of Safety You Should Know

Written by aksenov | Published 2022/06/01
Tech Story Tags: cybersecurity | twingatehq | cybersecurity-writing-contest | security | mobile-banking | mobile-app-security | bank-account-security | online-banking


Hello everyone, my name is Viacheslav Aksenov. I'm a backend developer with extensive experience in fintech companies.

During my career, I managed to work in two very large Eastern Europe banks. The first one has over 96 million users; I was involved in the process of accepting payments from customers through mobile applications and a web interface. The other bank has 14 million customers, and my area of ​​responsibility was the anti-fraud system responsible for fighting fraudsters.

In this article, I would like to touch on the topic of how safe it is to use mobile applications and web versions of banks to make payments. And also, to give you advice on how to protect yourself from attacks by intruders and how to save your money.

Introduction

Instead of going to a physical branch of the bank, the user can now pick up the phone and, in a matter of minutes, solve almost any of their questions without a queue, unnecessary paperwork, and fuss.

This sounds like the future has arrived. However, such convenience also creates a number of risks: if someone learns your passwords and gets hold of your phone, that is effectively the same as that someone becoming the full owner of your bank account.

What Actions do Banks Take to Protect Users’ Data?

To protect customer data, banks build their architecture so that nothing sensitive is stored in the application or the web version. All user data lives inside the bank's own closed network, and the mobile application and web version are only a front end on which this data is displayed: with every request, the data is fetched from the bank's backend and sent to the client.

Thus, data can be stolen either by gaining access to the bank's internal network or by compromising the session of the mobile application or web service.

As a rule, a self-respecting bank keeps its servers in dedicated data centres provided with every available system of physical protection and security. It is therefore difficult for an attacker to get inside at all, and even then he would need to know which of thousands of servers holds the information he is after.

Access to the internal network, in turn, works on a whitelist scheme: requests are accepted, and answers are returned, only for the addresses listed in the whitelist. Getting into the internal network directly from the outside is therefore very hard.

A user session is represented by a unique token that is generated every time you log in to the mobile application. Usually it stays valid for a few minutes, after which a new one is requested; the new token is issued only if the previous one is still valid, otherwise the session is terminated.

So we arrive at the conclusion that the most likely attack vector is a compromise of the user's session, or of the bank's mobile application itself on the user's device.
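The session scheme described above (a short-lived token that can be exchanged for a new one only while it is still valid) is easy to get subtly wrong: if the old token stays usable after a refresh, a stolen copy can be refreshed by the thief in parallel with the real user. The example below is added here to illustrate the scheme; it is not code from the original article or from any bank. The server key, the in-memory set of retired token ids, the five-minute lifetime and the HMAC-over-JSON token format are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: backend-only secret, never shipped inside the app
TOKEN_TTL = 300                        # seconds; "valid for several minutes"
USED_JTIS = set()                      # ids of tokens already rotated (constructed, in-memory stand-in for a store)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(body: str) -> str:
    # HMAC-SHA256 over the encoded claims; only the backend holds SERVER_KEY
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, now: float) -> str:
    """Mint a fresh session token with a short lifetime and a unique id (jti)."""
    claims = {"sub": user_id, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: float):
    """Return the claims if the token is authentic, unexpired and not yet rotated; otherwise None."""
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(_sign(body), sig):
        return None  # malformed or tampered
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if now >= claims["exp"] or claims["jti"] in USED_JTIS:
        return None  # expired, or an old token presented after it was already exchanged
    return claims


def refresh_token(old_token: str, now: float):
    """Issue a new token only if the old one is still valid; the old one is retired at the same time."""
    claims = verify_token(old_token, now)
    if claims is None:
        return None  # session terminated: the client has to authenticate again
    USED_JTIS.add(claims["jti"])  # single use: a copy of the old token is now worthless
    return issue_token(claims["sub"], now)
```

Retiring the old token's id on refresh is the detail that matters: without it, both the legitimate app and an attacker holding a copied token could keep the session alive forever by refreshing in turn. In production the retired ids would live in a shared store with a TTL equal to the token lifetime, after which expiry alone rejects them.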

Vulnerabilities in Banking Mobile Applications

To protect users, banking mobile applications have several layers of defence against the various attack vectors of intruders. And while at the technical level the opportunities for attacking the application are kept to a minimum, the human factor is where things get much more interesting.

In many current applications, sign-in is tied to a mobile phone number. You enter your phone number, receive a one-time second-factor code by SMS, enter it into the application, and then set your own PIN code for opening the application.

There is a very dangerous assumption in this: the application believes that the SIM card cannot be compromised. That, in turn, lets an attacker gain access to your account through the banal theft of a phone.

Even if the phone is protected with a password, the SIM card can be moved to another phone and used to receive any SMS with second-factor codes. The bank's application is already installed on the attacker's phone; he enters your number, receives the code as if he were you, and the login goes through.

And so we arrive at the picture that two-factor authentication through the phone alone is a fiction. After all, the phone and the SIM card live together and are often compromised together as well. The thought immediately comes to mind: how can this be? Couldn't banking security experts have come up with anything better?
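To make the weakness concrete, here is a constructed backend model of the two sign-in flows: the SMS-only flow criticised above, where whoever receives the code owns the account, and a hardened flow in which the SMS code only proves possession of the SIM and the handset must additionally prove possession of a device key enrolled earlier, so that moving the SIM into another phone is not enough. This is an added example and not code from the article or from either bank; the in-memory account store, the HMAC challenge-response, the assumption that the first device is bound out of band (at a branch or with card details) and that the device key lives in the phone's keystore are all simplifications for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed backend state (assumption: in a real bank this lives in core systems, never in the app).
ACCOUNTS = {}     # phone -> {"devices": {device_id: device_key}}
PENDING_OTP = {}  # phone -> one-time SMS code currently outstanding
CHALLENGES = {}   # device_id -> nonce waiting for a signed response


def register_account(phone):
    ACCOUNTS[phone] = {"devices": {}}


def send_sms_otp(phone):
    """Returned instead of actually sent, so the demo can hand it to whoever holds the SIM."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTP[phone] = otp
    return otp


def check_otp(phone, otp):
    """One-shot: the code is consumed whether or not it matches, so it cannot be retried."""
    expected = PENDING_OTP.pop(phone, None)
    return expected is not None and hmac.compare_digest(expected, otp)


def login_sms_only(phone, otp):
    """Flow the article criticises: the SMS code alone is treated as proof of identity."""
    return check_otp(phone, otp)


def bootstrap_first_device(phone, device_id):
    """First enrolment, assumed to happen out of band (branch, card details), not via SMS alone."""
    key = secrets.token_bytes(32)  # on the handset this would sit in the keystore / secure element
    ACCOUNTS[phone]["devices"][device_id] = key
    return key


def sign_challenge(device_key, nonce):
    """What the enrolled app computes with its device key; the attacker's phone has no such key."""
    return hmac.new(device_key, nonce, hashlib.sha256).hexdigest()


def start_login(device_id):
    nonce = secrets.token_bytes(16)
    CHALLENGES[device_id] = nonce
    return nonce


def login_device_bound(phone, device_id, otp, response):
    """Hardened flow: the OTP proves the SIM, the signed nonce proves the enrolled handset."""
    key = ACCOUNTS.get(phone, {}).get("devices", {}).get(device_id)
    nonce = CHALLENGES.pop(device_id, None)
    otp_ok = check_otp(phone, otp)  # always consumed, so an unknown device cannot keep the code alive
    if key is None or nonce is None or not otp_ok:
        return False
    return hmac.compare_digest(sign_challenge(key, nonce), response)


def enroll_new_device(phone, new_device_id, approver_device_id, approver_response):
    """Adding a handset needs a signed approval from an already-bound one, not just an SMS code."""
    key = ACCOUNTS.get(phone, {}).get("devices", {}).get(approver_device_id)
    nonce = CHALLENGES.pop(approver_device_id, None)
    if key is None or nonce is None:
        return None
    if not hmac.compare_digest(sign_challenge(key, nonce), approver_response):
        return None
    new_key = secrets.token_bytes(32)
    ACCOUNTS[phone]["devices"][new_device_id] = new_key
    return new_key
```

The caveat the article's advice addresses follows directly from this model: if the thief has the whole phone, unlocked, with the banking app open, the device key is on the handset in his hand, so binding helps only together with a phone lock and a separate application PIN (rules one and three below). What the device key does defeat is the cheaper attack of moving the SIM, or a SIM clone, into a different handset.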

And here, as a person who understands the topic, I can say that you can protect anything as seriously as you like. However, each new level of protection reduces the usability of the system.

For example, if you had to connect a special physical token to your phone to open the application, it is unlikely that anyone would keep using such a banking application, simply because it would not be as fast as logging in with a fingerprint or your face.

How to Protect Yourself

But is everything so hopeless that all that remains is a panic fear that any pickpocket can empty your bank account along with your phone? Not at all; there are steps you can take to secure your bank account.


First, the most basic: the phone must require a password to unlock. Preferably not the simplest one, so that it cannot be guessed.

Second, never use banking apps on rooted phones, where you cannot be sure what else has privileged access. This applies both to Android phones and to Apple smartphones (jailbreak).

Many banking apps will not even launch if they detect that the phone is rooted. But even if you somehow bypass this, be aware that on a rooted device any application that wants to can get past your app's access controls, intercept your traffic and extract payloads from which an attacker can obtain a lot of sensitive data.

"Root" is a term commonly associated with UNIX-like operating systems such as Linux (Ubuntu, Fedora, openSUSE, etc.) and Apple's macOS. Simply put, root is the account that, by default, has access to all commands and files on Linux or another Unix-like operating system: a superuser without access restrictions.

This means that a person can install any application, even one that can affect other applications or do anything with the phone. Phones without root do not offer this: each application on them has clearly limited access rights.


Third, use a PIN code for the banking application that differs from the one you use to lock your phone.


Fourth, and this is perhaps the most important tip: be sure to enable the PIN code on the SIM card. Then, even if an attacker gains physical access to your SIM card, he will not be able to simply put it into his phone and receive all your authorization codes. This may not seem like the most convenient advice, but in practice the SIM PIN is entered extremely rarely (only when the phone restarts or the SIM is inserted), and it can save a lot of nerves.


And fifth, do not forget that even on the mobile operator's side there may be unscrupulous employees who can hand a copy of your SIM card to an accomplice, who will then receive all your SMS codes. Unfortunately, you cannot fully protect yourself against this, but at any suspicious behaviour of any service tied to your SIM card, ask your operator to check whether a duplicate of your SIM card has been issued.

Conclusions

With the digital hygiene of the first four points and the vigilance of the fifth, you can protect yourself from the most common attacks on mobile banking today.

If you know information that can be useful in protecting your data and money from intruders - feel free to add your tips in the comments.


Written by aksenov | Java/Kotlin backend developer on Spring/Ktor. SQL writer, unit-test implementer
Published by HackerNoon on 2022/06/01