8 tips to stop banking app fraud
ID theft prevention tips for before and after you download to your smart phone
By Minda Zetlin
Having an app from your bank on a smart phone or tablet computer is incredibly convenient, but watch out for fakes.
About a year ago, owners of Android smart phones began downloading mobile banking apps from Google's Android Market. The apps cost about $1.50 each and connected users with about 40 major banks, including Bank of America and Wells Fargo.
There was only one problem: The banks hadn't put them there.
The apps were created by a developer known only as 09Droid whose identity remains a mystery to this day. Once the fraud was discovered, Google removed the apps from its marketplace, but not before many users had downloaded them to their smart phones. The fraudulent apps were apparently intended simply to bilk people out of $1.50 each. Still the threat of phishing -- stealing bank log-in and password info -- was so obvious that many banks recommended that customers who had downloaded them actually have their mobile service provider
remove the apps from their phones.
The deception was only discovered by a fluke. A mobile banking software executive happened to be playing with his wife's Android phone when he noticed an app from a bank that was one of his clients. He knew the app couldn't be legit -- because it if were, his own company would have created it. This raises the alarming possibility that other fraudulent financial apps could still be out there, undiscovered.
As mobile banking is simply too convenient to ignore, is there a way to do it safely? Yes, experts say, if you follow a few precautions.
Before you download a bank or financial app:
1. Consider the app store. Different app stores have different standards for which apps they'll offer to the public. Google's Android Market is famously open, accepting nearly every app developers submit, while Apple's App Store puts apps through rigorous testing first. When the online payment company mPayy wanted to publish its apps, "we just published our app to the Android market, while Apple looked at the entire code base and tried out every feature of the application. We also had to fax our articles of incorporation to Apple," says Conrad Sheehan, mPayy CEO.
Though developers love the free-for-all world of the Android market, users should be cautious when downloading financial apps from there. One good alternative may be a more "curated" market, such as Verizon's Media Store. Another would be to download the app directly from your financial institution's website, or follow a link from there to its Android market app.
A lot of banking apps will ask if you want to save
your password or stay logged in. You definitely don't want to do that on a
|-- Chris Wysopal
In addition, check to see if the site itself is clearly written and correctly spelled. "Typos are a remarkably accurate predictor of spoof sites," he adds.
3. See what others are saying. "Most mobile application markets are very good about posting real, live user reviews," says Steve Schultz, chief operating officer of the mobile financial app Pageonce. Look for a large number of reviews because a small number could be fakes put there by the developers themselves. "You should also search social networking sites and check out the Twitter stream about it," Schultz says.
What if there aren't many -- or any -- user reviews? "You
don't ever want to be the first person to try out a banking app," Sheehan says.
4. Try a bookmark instead. Before downloading a banking app, find out if you actually need one to do your online banking. Simply access your bank through your phone's browser. If it has an easy-to-use mobile interface, that might work just as well as an app would have. If you're using a tablet, even the traditional website might work fine for you. If you decide to go this route, it's smart to create a bookmark, both for convenience and to avoid the risk of winding up at a spoof site if you later mistype your bank's URL by mistake. (Creating a fake site with a typo in the Web address is a common tactic of fraudsters.)
After you have a bank or financial app:
1. Password-protect your device. With the growing popularity of financial mobile apps -- not to mention phone-based mobile payments -- you risk financial disaster if your phone or tablet is lost or stolen. Both the app and the device itself should be protected with a password to ensure that no one but you can get into your accounts.
"Make sure the password isn't stored -- you want to type it in each time," says Chris Wysopal, chief technology officer of the app security firm Veracode. "A lot of banking apps will ask if you want to save your password or stay logged in. You definitely don't want to do that on a mobile device."
2. Make sure you know how to remotely wipe your phone or tablet. If your device is ever lost or stolen, you should remotely "wipe" it -- that is remove all your personal data and restore it to its factory state. iPhones and iPads, BlackBerries and Windows 7 devices come with this capability included in their operating systems, and you can download Android apps that will do it as well.
Whichever mobile technology you use, it's a good idea to learn the steps for remotely wiping your device and write those instructions down somewhere that will be easy to find. If your device is ever lost or (especially) stolen. The last thing you want to do is waste time paging around a website or waiting on hold on a support line trying to find out how to wipe it while some stranger is out there with access to all your data.
3. Don't use public Wi-Fi for banking. Most smart phones and tablets can use both wireless Internet and a mobile provider's 3G or 4G network. Make sure you're using the latter and not the former if you're banking or doing anything financial via free Wi-Fi at public places such as restaurants or airports.
Most banking sites and apps have encryption that protects against the most common forms of online eavesdropping. But that may not be good enough, Wysopal says. "Potentially, someone on the same Wi-Fi network as you could do a 'man-in-the-middle' attack," he says. A man-in-the-middle attack is just what it sounds like: A third party inserts itself between you and your financial institution and can collect information about your account -- without you ever knowing it happened.
4. Be alert to changes in your smart phone's functioning. If you download an app, and your phone starts acting differently, such as responding more slowly to commands or draining its battery more quickly, that could be a sign of malicious code, Wysopal says. "Make sure to remove any app that changes the behavior of your phone."
See related: Trial version of iPhone credit card processing app available, Don't take the bait when you receive a 'phishing' e-mail, Tips to handle online debit card theft, Free, public Wi-Fi can be dangerous to your credit card
Published: February 18, 2011
Three most recent Legal, regulatory, privacy issues stories: