- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
CSO - Online banking is not 100% secure -- nothing is. That is not expected to change in 2014. But a number of security experts, along with an industry official, say it is reasonably safe, if users take reasonable precautions.
That can be a big if, of course. Convenience still trumps security for most people, even when it comes to protecting their own money. And while some risks come from vulnerabilities in banking apps, some come from problems outside the control of banks, including the carelessness or cluelessness of users themselves.
Joram Borenstein, vice president at NICE Actimize, said while mobile banking apps tend to have, "more lightweight authentication procedures," other risks come from factors outside a bank's control, such as, "communicating via an unknown Wi-Fi signal or running on a device with a rogue application on it."
Even those who shun mobile and only bank online from their desktop, "run the high risk of being conducted via an unpatched browser or infected PC," he said.
A security official at one of the nation's largest banks, who declined to be identified, said banking from desktops and laptops is riskier than mobile, not because of the quality of the apps, but because of social engineering and phishing attacks. If users can avoid those risks, he said, online banking is, "convenient, efficient, effective and pretty secure."
Whatever the risks, millions of people are doing it, with millions more expected in the coming years. The use of mobile banking apps is still not at the level of desktop Internet banking, but that is changing. According to a survey conducted last year by Princeton Survey Research Associates International and published last August by the Pew Internet & American Life Project, 51% of U.S. adults (61% of Internet users) bank from a desktop or laptop, while 35% of mobile phone users did so.
However, the increase in desktop banking from 2010 to mid-2013 was only 5% (46% to 51%), while the increase in mobile banking nearly doubled, from 18% to 35%. That number is expected to grow to nearly 50% in the next two years.
That is obviously an expanding attack surface that cyber criminals cannot help but notice. But there is considerable disagreement over how great the danger is and who is responsible for it.
A blog post earlier this month by Ariel Sanchez, a researcher at security assessment company IOActive, suggested that the danger is great, largely due to the failure of app developers to take security seriously. He said he found significant vulnerabilities in dozens of iOS banking apps.
Sanchez ran a series of tests on 40 mobile iOS apps from 60 leading banks throughout the world, and reported that 40-90% of them lacked various features that would guard against Man-in-the-Middle (MitM) attacks, credential theft, session hijacking and memory corruption.
More specifically, he reported that 70% of the apps had no support for two-factor authentication and 40% of them accepted any SSL certificate for secure HTTP traffic.
This, according to Michael Whitcomb, president and CEO of Loricca, should be no big surprise. "Security for both (desktop and mobile) is relatively poor," he said.