NEW YORK (MainStreet) — The question does not get blunter: Is it plain reckless and foolhardy to do banking and other financial transactions on a mobile phone?
Consumer survey after survey consistently tabs security worries as the number one deterrent to adoption. If there’s a number two, it’s gripes about the form factor (too small a screen, too hard to enter data). But the reality is that it is the security worry that keeps many of us from embracing mobile phones as the primary instrument for financial transactions.
Now worry even more: the architecture of the Apple iPhone operating system effectively precludes running meaningful antivirus or anti-malware programs. Android is slightly more open to protective programs, but a good policy in using mobile phones is to assume there is no protection whatsoever, said many experts.
Here’s the irony: At this very moment in time most users are much safer doing their finances on a mobile phone than on a personal computer, certainly if that computer is a Windows computer (which represents 90% of the computers in use). The reason: there are tens of thousands of sophisticated pieces of software aimed at stealing the money of PC users, such as the many variants of the so-called Zeus keylogger, which records typing and sends it back to the controller, thus reporting username and password for banking sites.
There is nothing nearly as effective for mobile phones.
“For the most part mobile malware fits into more of the nuisance category,” said David Lindner, global practice manager for mobile application security services at Aspect Security in Columbia, Md.
There are certainly increasing numbers of mobile malware, especially on Android but also on iPhone. Yet mainly the malware does things like send SMS to premium numbers where charges of $5 here, $10 there rack up. Horribly annoying to the victim? You bet. But this does not rise to the multi-million criminal level of a Zeus, not even close.
"As far as I know, it's all a bit ‘meh,’" said Carl Livitt, Managing Security Associate at security consultancy Stach & Liu in Phoenix, Ariz. "There have been a couple of reports of malicious or fake mobile banking apps that masquerade as legitimate banking apps and steal user information for the purposes of conducting fraud; however, these don't seem to be particularly prevalent."
There have been reports in Europe of exactly this nightmare--with a bogus app that appears real--but there's been nothing significant so far in the U.S. To boot, big banks, off the record, acknowledge they have teams devoted to scouring the mobile web hunting for rogue counterfeits. Best advice: download only from the Apple Apps store (for iPhone) or the principal Android storefronts, Google Play and the Amazon Apps Store, and you will probably be in the clear.
More advice from the security experts: download only apps that have already been downloaded thousands of times. Message boards are filled with complaints about deviant apps, meaning this crowdsourcing works to sound an alarm, at least for those who are slow to download.
Whatever you do, don’t “root” or “jailbreak” your phone, hip geek stratagems for obliterating manufacturer controls on the devices. It’s cool and, yes, if you jailbreak, say, a Verizon phone you probably can figure out a way to install a banned app such as Google Wallet (which Verizon currently blocks). But jailbreaking, said the security experts, also opens a phone to all manner of infections. It’s just unwise for any but the most technically slick.
Probably the biggest mobile phone threat, incidentally, is a lost phone because much data on it (possibly including banking passwords) could theoretically be retrieved by a technically astute crook. The fact is, most stolen phones are stolen for the hardware only. The other fact: set a screen password. Activate data encryption on the phone, and no matter who finds it - short of the National Security Agency - the data on the device will be safe.
Just don’t assume this peaceful interval where mobile threats are scarce will persist. What’s safe today won’t necessarily be safe tomorrow as crooks begin to migrate where a lot of unprotected banking is going on.
Alex Bobotek, AT&T Labs Lead of Messaging Anti-Abuse Architecture and Strategy, explained the situation as he sees it: “The people monitoring the crooks who make and use malware report that cybercriminals are talking about mobile and are shifting toward mobile. The criminal ecosystem is full of creative crooks looking for the easiest way to make big dollars, which ideally is to tap into large pools of rich victims who are the easiest to exploit.”
Historically, the tech-savvy nogoodniks have aimed their efforts at PCs--for which they'd already developed efficient hacking capabilities.
"But the rise of mCommerce is changing the economics of abuse, drawing in the criminals," Bobotek said.
Crooks go where the money is and that now is looking to be mobile.
What to do? By all means, know that today mobile banking probably is safe, very safe. Be extremely cautious about downloading apps and never download from unknown sources. Use common sense and, quite probably, mobile banking security supremacy will prevail for some time.
Just don’t take it for granted.