Over the past decade, the way we bank has evolved dramatically. When the very first mobile phone was invented back in 1973, few expected that it would go on to find its place as a key element in everyday banking – but in 2018, it’s clear that mobile banking is on its way to becoming the norm rather than the exception.
But where there’s technological development, there are opportunists who try to exploit its weaknesses – and the latest stats on online banking fraud reveal that in 2016 there were over 20,000 cases of online banking fraud and 10,000 cases of phone banking fraud to a value of more than £130m.
So does that indicate an inherent weakness in mobile banking? Our Technology Director Steve Newson doesn’t think so. Read on to find out why he thinks banking from your mobile can be more secure than online banking…
Mobile banking is safer than online banking – bit of a bold statement, no?
Mobile and online banking each bring their own risks but the additional hardware security features in mobile devices can make mobile banking more secure than its online counterpart. In addition, as a mobile device user you tend to be much more aware of where your phone or tablet is. The combination of technological and physical security often makes mobile phones more secure than laptop or desktop PCs.
What would you say are the main reasons for that?
Physical security is the main one – you are at a higher risk of losing your phone than your laptop; however, because you are much more aware of your device and its physical presence, that adds a level of security. Mobile phones tend to have built-in cryptographic hardware (not found on some other types of devices) that’s better leveraged to improve security and authentication, as mobile phones tend to have one primary user, and compromising them requires a much more sophisticated hacker. You just need to look back at the number of court cases where governments have tried to access devices.
Most online banking now requires some form of two-factor authentication, usually a number generator on your phone or one of those devices that you have to put your card into. These make common phishing attacks harder to perpetrate, but hackers are becoming more sophisticated and using other forms of social engineering to trick customers into giving up these codes and their password recovery answers. Since the online bank cannot verify that you own the computer that is being used to login to your account, it’s tricky for them to differentiate your usual activity from that of a hacker.
Mobile banking potentially overcomes this shortfall by providing stronger guarantees that the login is coming from the device you own. Even if a hacker can get your bank account login details they’d usually need to get the physical device and be able to bypass the device security itself (FaceID, TouchID or PIN code).
Do you think most people are unaware that their mobile device can be more secure than their laptop or desktop computer?
Yes. I think people are fairly unaware of this, because they attribute the physical security of the device to the overall security. Actually the way this works is that because a laptop or desktop is normally at home, the level of security put on it is much lower – easier passwords, or in some cases none at all. In comparison, you know your phone is going to be left on the side, but losable does not equal insecure in this case. Mobile phone manufacturers have spent a lot of time making sure that if it is lost it is as secure as possible.
Why are our computers flawed?
You can theoretically make a very secure computer. Think about work laptops that are locked down and encrypted, even with locks to the desk. The downside to these high levels of security is that computers become more difficult to use. Forcing users to select complicated passwords every thirty days makes them more likely to write down passwords or perform the bare minimum to meet the requirements (maybe changing one letter every month, or changing the number at the end). Ultimately, computer security is flawed because people are flawed. It is unlikely that most people use the same, or indeed any, levels of security when configuring their home computer.
Why do you think traditional banks haven’t brought all their online banking features to their mobile app?
It’s hard for traditional banks to adapt to be mobile first. They started in a world with physical ledgers, then centralised systems, followed by the web, and they’ve still got all the branch networks to support. At first they replicated branch tasks on the web because customers were asking for it but the complexity of building that on top of the existing systems was huge. Over time it has become evident that the web’s importance has increased so more time and money has been invested in it.
This cycle has repeated with mobile phone apps. Traditional banks are still focussed on their existing infrastructure and may have difficulty adapting their existing banking structures to the new technology. They are now in a position to quickly deploy on the web, but much slower with a fully integrated mobile app at the moment.
To be fair to these traditional banks, they also have a large number of customers who aren’t using their mobile phone for their banking. At Starling we have an opportunity to meet the needs of a growing user base who currently aren’t being wholly satisfied, and our ability to move quickly and build solely for a mobile phone means we can be ahead of the curve.
Would you recommend people use their mobile banking app where they can instead of online banking?
I would recommend taking a level of suspicion on everything you receive. Mobile phones are highly secure and people should trust them more than they currently do. But the inherent weaknesses in laptops and desktops are behavioural (Cyber Hygiene) and we need to improve that. Cyber Hygiene relates to the steps you, as an individual, should take to maintain your security online, for example, passwords, backing up data, securing your personal data and implementing anti-virus software.
What do you think are the main causes of online identity fraud that we can help prevent ourselves?
Make sure your connection is secure; it’s important to be aware of what that security is. There have been tests for people to see the difference between a legitimate website and a copy – and they can rarely tell. Most of it is about ‘does it feel right?’ For example, a government website will have .gov.uk in the URL. Check the domain name. If you’re still suspicious, go back to Google and type in the bank’s name, then go through the organic search result.
Be more suspicious about emails and phone calls. Most banks will not require an urgent action, so if it’s a communication for you to send or update information immediately, that’s likely to be a phishing scam. The good thing that’s happened to the banking industry is that they’ve added so many controls and levels of security with the FCA to protect you as a customer. They can’t just close accounts or make charges without warning. If you get something that seems unfair to you, there’s a high chance it is not real so don’t respond emotionally.
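The ‘check the domain name’ advice above, as an added example that is not part of the original interview: it contrasts the ‘does it feel right’ substring test with checking the hostname a browser would actually connect to. The sample links are constructed for the illustration (example.net is a reserved documentation domain) and the function names are the example’s own.

```python
from urllib.parse import urlsplit

# Constructed sample links for the illustration; example.net is a reserved
# documentation domain, so none of these are real sites.
SAMPLE_LINKS = [
    "https://www.gov.uk/sign-in",                           # genuine host
    "https://www.gov.uk.example.net/sign-in",               # familiar name as a prefix of a longer host
    "https://www.gov.uk@example.net/sign-in",               # familiar name before an '@'
    "https://example.net/sign-in?next=https://www.gov.uk",  # familiar name only in the query string
]


def host_of(url: str) -> str:
    """The hostname a browser would actually connect to, lower-cased.

    urlsplit() discards anything before '@' and the port; hostname is None
    for strings without a network location, which we map to "".
    """
    return (urlsplit(url).hostname or "").lower()


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the connected host is expected_domain or a subdomain of it."""
    host = host_of(url)
    expected = expected_domain.lower().lstrip(".")
    return host == expected or host.endswith("." + expected)


def audit(urls, expected_domain: str) -> list:
    """Compare the 'does it contain the familiar name' heuristic with a host check."""
    return [
        {
            "url": url,
            "host": host_of(url),
            "looks_right": expected_domain in url,          # the naive feel-right test
            "genuine": belongs_to(url, expected_domain),    # the check to rely on
        }
        for url in urls
    ]


if __name__ == "__main__":
    print("genuine looks_right host")
    for row in audit(SAMPLE_LINKS, "gov.uk"):
        print(f"{row['genuine']!s:7} {row['looks_right']!s:10} {row['host']}")
```

All four sample links pass the substring test, but only the first connects to a gov.uk host.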
What really is the safest password format?
You need to combine two things – something easy to remember and something that will restrict brute force. There are two approaches to guessing your password – a dictionary attack and a brute force attack. The first attempts common passwords or words from a dictionary. The second tries every combination of letters and numbers. So, in general, picking a password which is not a common password (e.g. not “password” or “123456”) or a single word from the dictionary is a bare minimum. This will not prevent the brute force attack though.
To reduce the effectiveness of a brute force attack you need to make your password much less predictable and more random (this is known as ‘entropy’ in the tech world!). That doesn’t mean you have to use a lot of random passwords; you just need to make the number of variations required in a brute force attack as large as possible. In general, longer passwords are more effective than short ones. New government and industry guidelines state that combining three random unrelated words, possibly with a number or symbol too, is in fact one of the best ways to create a secure password.
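The entropy argument above, worked through as an added example that is not part of the original interview: it counts the search space an attacker faces for a single word, a ‘complex’ short password and three random words, under both a character-level and a word-aware attacker model. The character-class sizes, the word-list size and the guessing rate are assumptions chosen for the illustration.

```python
import math

# Constructed assumptions for the illustration (not figures from the article):
# character-class sizes an attacker would enumerate, the size of a typical
# random-word list, and an assumed offline guessing rate.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
WORDLIST_SIZE = 7776        # assumed size of a diceware-style word list
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate


def charset_size(password: str) -> int:
    """Size of the smallest character set covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += CHARSET_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CHARSET_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CHARSET_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CHARSET_SIZES["symbol"]
    return size


def brute_force_bits(password: str) -> float:
    """Bits to search when the attacker knows only the character set and length."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def random_words_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of entropy in n words drawn uniformly at random from the list."""
    return n_words * math.log2(wordlist_size)


def passphrase_bits(words: list, wordlist_size: int = WORDLIST_SIZE) -> dict:
    """Entropy of a word-based passphrase under two attacker models.

    'naive' brute-forces characters; 'word_aware' knows the list the words
    came from. The smaller, word-aware figure is the one to rely on.
    """
    return {"naive": brute_force_bits("".join(words)),
            "word_aware": random_words_bits(len(words), wordlist_size)}


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guessing rate."""
    return 2.0 ** bits / rate
```

Note that the 59-bit figure this gives for a password such as “Passw0rd!” is an upper bound: it is a well-known substitution pattern, so a dictionary attack reaches it long before a character-level search would, which is why the bare-minimum advice above is to avoid common passwords altogether.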
Why don’t we use token generators?
Token generators exist for other banks to help increase security from a web browser. It enables them to verify that you have something that you know (your password) and something that you have (your phone or token generator device). We don’t need that because those things are already in place – your phone is already acting as the second authentication. If ever we did provide a web platform we might need a token generator, but that could be your phone.
However I think that could provide a level of complexity which is a contradiction to our main goals of making banking more straightforward and convenient. A token generator is saying look how secure we are, but what it’s actually saying is – we have a problem with security and for us to fix it we have to make it the customer’s problem. The bank should solve that with technology. It’s important for us to not make our problem your problem.
We get this question a lot… so what’s the issue with rooted phones?
I totally understand why people root their phones (meaning jailbreaking or unlocking your device so that you can customise it). The majority of people who root their phones do so for legitimate reasons like updating their operating systems, not because they want to install malware. But when you root your phone you elevate the permissions for some applications to see other data. There are subtleties to prevent that, but we cannot see whether that is the case. Allowing rooted devices could also prevent us from being able to offer certain features, for example, Google themselves do not allow Google Pay on rooted devices.
For that reason we take this position of concern until we’re more confident we can protect you from the risks with a technological solution. The people that know that this is even possible are ‘tech savvy’ but we can’t differentiate those from people who don’t know what they are doing. Most banks are banking first with technology second, and they often outsource that bit but our focus is technology first for the benefit of our customer, with banking alongside, and it’s central to everything we do, including security.
What can we do to stay safe when using mobile banking?
There are a few basic things that are easy for everyone to follow – make sure any apps you are installing or have are genuine: look at reviews, the number of downloads, and the company name. It is also important to keep apps up to date; there are often security improvements included in updates.
Do you think mobile banking security has any limitations?
Yes (at the moment). Ultimately the limitations are in relation to the things that require you to be physically present in banks, e.g. cash and cheques. Every year, I get a cheque from my grandparents and we have to find technological ways to handle these things, like scanning cheques, which will be increasingly important for us with sole traders. It’s really important for us because it’s an issue for our customers. The things that ultimately tie people to their branches are things like mortgages, large value and cash transactions. People want the confidence of talking to someone; it’s that perception of security, being face to face with someone. But times are changing and people are becoming more comfortable doing things online, so aspects like that will naturally change over time.
The volume of cheques has already been decreasing for a few years but I don’t think they’re going to go away (not just yet) – there’s a lot of industries and places that still need them. In areas of poor internet connection they are important and they give the ability for someone to pay on your behalf. Society is becoming increasingly cashless and that will continue but we need to solve the problems that are preventing it, for example, small retailers are being charged for small transactions and in turn need to add a minimum card payment value or additional charge. Things are changing though…
We built a mobile only bank because we want to improve everyday banking, and we believe it’s important that technology is at the core of that. Banking entirely from a mobile phone might feel a little daunting or unnerving for some, and we understand why – but we want to break this barrier down.
Security is still stated as one of the main reasons people are reluctant to use mobile banking (ING, Mobile Banking 2017 report) – but that’s a misconception that we’re trying to correct. We want more people than ever to be able to experience the benefits of this groundbreaking technology – and it starts with safety.