Mint

How safe are your mobile banking apps?

With the convenience of banking apps comes the risk of fraud. A few simple steps can keep your money safe

Last week, The Indian Express and various other national dailies reported that seven people from Telangana, including an Axis Bank deputy manager, have been arrested by the cybercrime police in Bengaluru for allegedly getting fake SIM cards and using those to access some bank customers’ accounts through banking apps and stealing money. According to the news reports, the accused had allegedly stolen money via Axis Bank Ltd’s mobile wallet app Lime and State Bank of India’s Buddy app.

On Monday, an Axis Bank spokesperson said that this incident is a case of data theft. “The bank had identified the act of irregularity during its internal investigation and had accordingly lodged a complaint with the Bangalore Police based on which these arrests have been made. The data stolen by the miscreants were used to gain unauthorised access to various banking channels. We confirm that all our banking apps are operational. There has been no financial loss to our customers,” said the spokesperson.

In the past two years, all banks—small and big—have been launching apps one after another. For instance, the top 10 banks in India based on assets have over 35 different apps for their own customers as well as other banks’ customers. According to a PwC note, the Reserve Bank of India states that 22 million of the 589 million bank account holders use mobile banking apps.

Do you too want to use banking apps but worry about the safety of your data and money? Or are you looking for a safety net before using an app for banking-related transactions? Mint Money takes you through the risks faced when using banking apps and what to know before downloading an app.

Are banking apps risky?

Whether an app is risky depends on four things: your bank’s underlying data security for your account details, the telecom service provider, you (the customer) and the app itself. Any banker who has rolled out an app will tell you that they have invested heavily in security features of the app. “Our app is safe and we have not had any case of compromise. To ensure that the app is secure, we have put in place checks and balances. For instance, we have built device-based authentication. Here the bank authenticates your device instead of just your mobile number. We have also put in place a six-digit authentication PIN (personal identification number) instead of a four-digit PIN. Also, if a customer doesn’t use the app for a specific number of days we auto-block the customer,” said Deepak Sharma, executive vice-president and head-digital initiatives, Kotak Mahindra Bank Ltd, which has launched five apps out of which two are used for financial transactions.

When it comes to the back end, the bank uses various tools to prevent fraud. “In cases where a manual intervention is required, we ensure that on the server side the details are encrypted. Hence, no data is shared with the individual who has access to the server. We also keep on scrolling for any fake apps. We can also track if a device is jailbroken (process of removing hardware restrictions and thus allowing free apps). We track an app based on volume of transaction, velocity and customer behaviour. Moreover, we don’t work with a third party for any of our apps,” said Sharma.

While some banks have chosen to not work with third parties to develop their apps, many work closely with third-party app service providers.

“Mostly the compromise takes place either from an internal bank employee or from the telecom side by acquiring a duplicate SIM. When we provide the app, we ensure that highest standards of encryption are used. From the back-end we monitor the device’s operating system, app identity and customer behaviour. If we sense a breach, we automatically reset the app,” said Sony Joy, co-founder and chief executive officer, Chillr, which has partnered with HDFC Bank Ltd and Bank of Baroda for apps. The company is set to launch apps with three more banks in the next two weeks.

What are the risks?

There are broadly four risks to your banking app: malware attacks on the app, downloading a fake app, SIM swap and providing your password to someone else. If a banking app is prone to malware attacks, a fraudster can inject malware to attack the app, collect details from your phone and misuse them. Some fraudsters create a fake app that looks similar to the original one. If you download the fake app, the fraudster will be able to see the details you enter on this app and steal confidential information. Since the mobile phone number has become an important tool to access financial details, fraudsters first try to get hold of it by swapping your SIM card. In a SIM swap, the fraudster gets a duplicate SIM from your telecom service provider by providing a fake ID.

Another risk is divulging details to someone else. There have been instances where bank account customers have shared their passwords, which were then misused to steal money.

What you should do

Any transaction that takes place through an app requires two-factor authentication. Usually a customer relies on a one-time password (which comes through an SMS) as one of the levels of authentication. “You should not rely on SMS or voice for OTP. Many banks have apps for generating OTP. A password that travels through a telecom channel can get compromised. An OTP app is synchronised with a server and is, therefore, less likely to get compromised. What if your phone gets lost or is stolen? In that case, the person intending to misuse information will need your mobile phone password and the OTP app’s password before any damage can be done,” said Amit Jaju, executive director, cyber forensics, data analytics, software license forensics, EY.

Don’t use a simple password to lock your phone; using biometric passwords will be more beneficial. Never download an app from a link that you receive on WhatsApp or by SMS. Always download from official app stores such as Google Play Store for Android phones or App Store for iPhones. Don’t jailbreak your phone, as the restrictions it removes are one of the safety nets that protect your data. You could auto-lock your phone by enabling the remote lock feature.

“If an app asks for your Internet password, you will know that your bank has not created a separate app, but is providing Internet banking in a mobile format. An independent app will have an independent password. Hence, be vigilant,” said Jaju.

Don’t use public wireless networks, such as those at airports, to log into your mobile app, as these wireless services can be easily compromised or can be fake. Always use your own mobile network or private WiFi. Update to the latest app versions. “Updating to the latest version will help you fix vulnerability in the app,” said Jaju. You can check if your banking app is vulnerable by going through the views from other customers on the Internet. You can also download a phone tracking app; if your phone gets lost, you can erase the data from it.
