Online, open- or mobile banking — securing our many money management options
Fintech of some sort has been making its way into consumers’ hands since 1918, when the U.S. Federal Reserve deployed the Fedwire Funds Service, essentially, wiring money via telegraph. Seventy-seven years later, the first online checking account, offered by Wells Fargo Bank in the U.S., went live in 1995.
That kickoff to online/internet banking was a clear sign that digitalization had reached personal finance by creating a self-service platform. From there, online banking and digital commerce picked up pace. For context, in 1998 we saw a now-familiar service arise: DIY money transfers. They were launched by Confinity, now known as PayPal.
In parallel — and, unfortunately, very able to keep pace — cyberthreats advanced too. As banks added new security protocols, the tactics, techniques and procedures used to attack financial institutions and digital transactions matured too. Case in point: the 1994 hack by Vladimir Levin, who successfully tricked Citibank into allowing him to access $10 million in corporate accounts through dial-up internet.
While Levin’s work, executed a year before the launch of online baking, proved unsuccessful, the legacy of those who were successful is still with us today. Despite advances in technology, securing finance is tough work; failures are certain. Nearly 25 years later, both the financial and the computer security industries are busy securing an iceberg-size threat surface, with security issues above and below the water line.
Online, open and more options than you can count
To enable the necessary convenience, online banking required banks’ app developers to better secure access, data transmission and data storage methods. In large part that is what we have today: a mature system with multiple safeguards. At present, however, the scale and complexity of the threat surface around digital finance and fintech dwarfs traditional — even if modern — online banking.
With banks the world over offering online banking as standard, considerable attention has been paid to providing secure user access. Generally, a username and password, and hopefully some type of multifactor authentication, are required. Popular approaches generally involve password protection, a hardware authentication device, SMS-based authentication or in-app authentication.
ESET has helped address consumer protection with products like ESET Smart Security Premium, by providing two-factor authentication and by providing a secure browser where the customer’s credentials and banking sessions are made more secure. In addition, anti-phishing technology and full disk encryption also contribute to raising the level of effort and costs for cybercriminals who go after banking credentials and other valuable personal or financial data.
Threats to online banking
Whether native to your bank’s online portal or part of your chosen security product, technologies like those counted above reflect the fact that attackers consider banking transaction data as high value. Within online banking, direct theft of clients’ cash usually starts with a phishing email that tricks them into clicking a malicious link or downloading onto their devices what looks like a harmless attachment. A hotbed of such banking trojans can be found in Latin America. Malicious attachments often drop trojans that stealthily try to access and empty the victims’ bank accounts.
Increasingly common is theft of data, further enabling malicious actors to study user behavior, financial habits, transaction timetables, and balances and debts. Such data is gold for anyone — from unscrupulous advertisers and marketers to criminals directly targeting users. The data lets thieves take a tailored approach, targeting larger sums of money and maintaining stealth. While the general public should be careful, entrepreneurs and businesspeople — often targeted by business email compromise attacks — should be very wary.
With regard to online banking, especially mobile or online-only, you should confirm that any provider you are considering is insured. In the U.S. that would fall to the Federal Deposit Insurance Corporation (FDIC), and in Europe, the European Deposit Insurance Scheme (EDIS).
Mobile banking, Android malware and trojans
With traditional banks having gone mobile (via Apple and Android) around 2010, third-party app developers followed suit, seeking to provide many of the same conveniences for users. Millions of users have taken a “that looks handy, I’ll try it too” approach to downloading fintech apps. In close step, cybercriminals have followed the money and the personal data trail, in the past populating even well-managed app stores like Google Play with malicious applications targeting users’ banking credentials.
In 2019, Google created the Google App Defense Alliance to better secure the Google Play store. Now, largely gone are the malicious apps disguised as horoscopes and flashlights. Recent encounters with banking see more complex, largely purpose-built banking trojans or fake financial apps targeting your banking data, cryptocurrency wallets and the credentials needed to take over your device, steal passwords and two-factor authentication codes, or drop ransomware.
The best defense? Use a reputable mobile security app like ESET Mobile Security Premium with banking and payment protection integrated. Only use legitimate app stores and take time to evaluate the need and risk of adding any new application to your device.
Open banking + fintech — who’s welcome to the party?
Many users grumble about traditional online banking apps being clumsy, slow and inconvenient. Stepping in to address this gap, third-party app developers have added a host of solutions via application programming interfaces (APIs) allowing third-party apps to communicate with existing financial infrastructure. These have shaken up the status quo, introducing possibilities beyond managing checking accounts, breaking ground into digital transactions, insurance, and trading cryptocurrencies and stocks.
With these developments have come significant changes to regulation and the need for security. This has come via the European Commission’s (EC) Payment Services Directive (PSD2), which nudged EU banks and other financial institutions toward increased competition and innovation. Introduced in 2015, PSD2 saw the EC making provisions for secure ways to give third-party financial services providers access to your financial information via APIs — essentially allowing them direct and legal access to traditional banking systems and client data.
Security around the open banking approach becomes more apparent when contrasting it with regulation in the United States, which doesn’t have similar efforts in place. Concerns on both sides of the Atlantic revolve around where to draw the line between accessibility, convenience and security. In Europe, apps such as Erste Group’s “George” allow third parties to offer competitive services and rates — built from aggregated consumer plus account holder data — directly into clients’ dashboards. Seen through George, at least one of PSD2’s goals (empowerment for account holders) is addressed.
How these technical risks reflect with changes in legitimate user behavior — via increased and rapid access to data and updates — is another big question in how this may instigate riskier user decisions. Looking at recent trends around cryptocurrencies and e-trading, it seems clear that having more data does drive consumer interest and transaction activity. And, since both activity types seem to carry more cyber- and financial risks than day-to-day banking, it may also do well for account holders to be a bit conservative when reviewing offers enabled by open banking initiatives.
Only time will tell if Europe reaches a higher standard of security more quickly by taking a head-on approach to this brave new world of fintech. What becomes immediately clear, however, is that today, financial literacy requires cybersecurity literacy.
Fintech: A democracy of risks
Regardless of where or how we may be banking, COVID-19 has accelerated consumer, and even business, adoption of third-party apps —apps with real power to both help, and hurt, users.
Strongly paralleling open banking’s legislated efforts, other routes to fostering interoperability between third-party app providers and the IT environments of other established financial institutions are numerous. Broadly, we can call this the democratization of finance, which despite not having guidelines like PSD2, is still a force in the U.S. — where apps focused on personal finance and investing are hot.
This Fintech series has looked at several third-party apps servicing users’ interest in budgeting, cryptocurrency trading, digital wallets and e-trading in more depth. But clearly, best security practices and common sense dictate that the democratization sweeping finance is not just about choosing apps; it is about configuring your security-mindedness and having your wits about you when data is presented to you in rapid succession. After all, the novelty of entering these environments may lead to less-considered decisions. That poses clear risks.
Is tech driving account holders to “play” with their money, to take digital risks that they wouldn’t have taken if doing things the old-fashioned way? Again, while a lot of this advice may be more financial in nature, it does communicate that, today, financial literacy requires cybersecurity literacy.