Most banks now ask their customers to download the bank's own app, and with smartphone numbers in India rising (networking infrastructure company Cisco Systems Inc. expects them to grow 4.7 times to 651 million by 2019), many people already bank through such apps.
But how safe are these apps? “Telling whether an app is secure or not is very tricky,” said Saket Modi, co-founder and chief executive officer of Lucideus Tech, a cyber security firm that provides online security solutions to banks such as ICICI Bank Ltd, Kotak Mahindra Bank Ltd, Standard Chartered, HDFC Bank Ltd and DBS Bank India.
There are several reasons why Modi doubts that any banking app is foolproof.
A fraud survey report released by Deloitte Touche Tohmatsu India Pvt. Ltd in April said, “There has been a substantial increase in the dependence on technology in the banking sector.
With cyber crime continuing to increase in volume, frequency and sophistication, it is not surprising that the top three areas giving sleepless nights to the survey respondents were Internet banking/automated teller machine fraud, e-banking fraud and identity fraud.”
Many experts voice similar concerns. Mumbai-based cyber expert Vijay Mukhi wrote to the Reserve Bank of India in October 2014, pointing out the dangers of using banking apps. “There exists a very major security breach in over a dozen banking apps by Indian banks that I have personally tested. These apps use the standard Android keyboard to enter your username and password.
The keyboard in the Android ecosystem is a simple Java app that can be replaced in seconds by a virus,” read a part of the letter. If malware replaces the keyboard in this way, an attacker sitting anywhere receives the customer’s username and password as they are typed, and can take control of the bank account. “The hacker can also use the bank’s website to use my account,” said Mukhi, who runs a computer training centre and is a former chairman of the information technology committee of the Federation of Indian Chambers of Commerce and Industry (Ficci) and of the Indian Merchants’ Chamber. He is yet to receive a reply from the central bank.
The problem is that when a customer logs in through a banking app, the details are typed on whatever Android keyboard is installed on the phone. The user may have loaded some other app, or inadvertently clicked on a link, that installs a keylogger on the device. A keylogger records keystrokes, so it can capture personal data whenever it is keyed in. Someone with physical access to the phone can also install a keylogger; Mukhi admits that this is difficult to do, but not impossible.
Android apps are more susceptible because Google Play does not vet submissions the way Apple’s App Store does, and because an installed Android app can be readily decompiled, which effectively exposes its code to attackers and makes tampering easier. “If you look at normal Android apps, 99% are hacked because source code is available. Around 52% of Apple apps are hacked, even though they have a vetting process,” said an executive of a private bank, who oversees the bank’s online security, requesting anonymity. “Guaranteeing 100% security is extremely difficult,” he added.
One of the reasons is that an app asks for permissions when it is installed, and users typically grant them without a second thought. “The way technology is changing, the new mode of attack will be malware residing in mobile phones and extrapolating data from other apps,” the bank executive said. In other words, a malicious app on the phone could capture data, including financial information, from other apps.
Level of threat.
According to Wegilant Net Solutions Pvt. Ltd, a cyber security firm, of the 33 Indian Android banking apps that allow financial transactions and that it tested (22 from state-run banks and 11 from private banks), at least 29 (21 state-run and eight private) had at least one security loophole. The firm also tested an app from a state-run bank that does not allow financial transactions, and showed that it could be tampered with so that tapping “about us” redirected the user to a login page. An unsuspecting user may think that logging in is necessary to proceed any further; if she does, her credentials are captured. Mint has seen a demonstration video of this process.
Toshendra Sharma, founder and chief executive officer, Wegilant, said, “We have found many vulnerabilities in banking apps, most of which are made by outsourced third-parties.”
“India is no less developed than markets such as Hong Kong or parts of Europe in terms of security, and that too at a lower cost. It’s not about the money spent but the understanding of the problem at the top level, especially in state-run banks,” said Modi.
However, the bank official quoted earlier said that many banks are aware of the threat and constantly monitor for rogue apps.
If the level of threat is high and widespread, what can a banking app user do to protect personal information?
Most phones use a system called “containerization”, said Modi, which does not allow one app to “talk” to another or exchange data. But this does not help with apps that use common shared resources, for example two apps that both use the phone’s global positioning system.
There are basic rules that banking app users can follow, even as banks strive to offer the most secure apps. “A bank may be taking all security measures, but if your phone is breached, it’s not the bank’s fault,” said Modi. Users must realize that protecting personal data is their responsibility as well. Many users fall prey to social engineering, in which the user inadvertently hands data to fraudsters.
The bank official added that many people root their phones to gain administrator privileges, and download and install third-party keyboard apps, making themselves vulnerable to hacking.
Updating software regularly, not clicking on random links and not installing more apps than necessary are a few things a user can easily do to avoid theft of financial information.
As for the problem of Android keyboards being used to input data into banking apps, Mukhi suggests that banks could add an in-app virtual keyboard, like the one available for net banking on a desktop or laptop, as an immediate solution.
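What that mitigation looks like on the app side, as an added example that is not code from Mint, from Mukhi or from any bank named in this article: the login screen keeps the system keyboard away from the credential field (so a replaced or malicious keyboard never sees the keystrokes) and warns the user when the currently selected keyboard is not one that shipped with the phone. The `Activity`, the password `EditText` and the app's own on-screen keypad view are assumed for illustration; the keypad is assumed to call `appendFromKeypad()` for each tap. The Android APIs used (`Settings.Secure.DEFAULT_INPUT_METHOD`, `PackageManager.getApplicationInfo`, `EditText.setShowSoftInputOnFocus`) are real.

```java
// Added example for this article; not code from Mint, Mr Mukhi or any bank named above.
// Assumptions (hypothetical): an Activity that owns a password EditText and its own
// on-screen keypad view; the keypad calls appendFromKeypad() for each key tap.
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.provider.Settings;
import android.text.InputType;
import android.widget.EditText;
import android.widget.Toast;

public final class KeyboardGuard {

    private KeyboardGuard() {}

    /** Extracts the package name from an IME id such as "com.example.ime/.LatinIME". */
    static String imePackageFromId(String imeId) {
        if (imeId == null || imeId.isEmpty()) return null;
        int slash = imeId.indexOf('/');
        return slash < 0 ? imeId : imeId.substring(0, slash);
    }

    /** Package name of the keyboard the user has currently selected, or null if none. */
    public static String defaultImePackage(Context ctx) {
        String imeId = Settings.Secure.getString(
                ctx.getContentResolver(), Settings.Secure.DEFAULT_INPUT_METHOD);
        return imePackageFromId(imeId);
    }

    /**
     * True when the selected keyboard shipped with the device firmware (a system app or an
     * updated system app). A keyboard installed later from the store, or sideloaded by
     * malware as Mukhi describes, returns false. Caveat: on a rooted phone malware can be
     * written into the system partition, so treat this as a warning signal, not a guarantee.
     */
    public static boolean defaultImeIsSystemApp(Context ctx) {
        String pkg = defaultImePackage(ctx);
        if (pkg == null) return false;
        try {
            ApplicationInfo ai = ctx.getPackageManager().getApplicationInfo(pkg, 0);
            int systemFlags = ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
            return (ai.flags & systemFlags) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // selected IME no longer installed: nothing to trust
        }
    }

    /**
     * Keeps the system keyboard away from a credential field, so whichever IME is selected
     * never receives the keystrokes. Input has to come from the app's own keypad instead.
     */
    public static void hardenCredentialField(EditText field) {
        // API 21+: gaining focus no longer summons the soft keyboard.
        field.setShowSoftInputOnFocus(false);
        // Masked password field; well-behaved IMEs also refuse to learn from such fields.
        field.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD);
        // No long-press context menu, so the credential cannot be pasted from the clipboard.
        field.setLongClickable(false);
    }

    /** Called by the app's own on-screen keypad for each key tap (assumed wiring). */
    public static void appendFromKeypad(EditText field, CharSequence key) {
        field.getText().append(key);
    }

    /** Wire everything up when the login screen is shown. */
    public static void onLoginScreenShown(Activity activity, EditText passwordField) {
        hardenCredentialField(passwordField);
        if (!defaultImeIsSystemApp(activity)) {
            Toast.makeText(activity,
                    "A third-party keyboard is active. Use the on-screen keypad to enter your PIN.",
                    Toast.LENGTH_LONG).show();
        }
    }
}
```

Two caveats a practitioner would add. First, the system-app check is only a heuristic: some vendors preinstall a third-party keyboard as a system app, and a rooted phone (the case the bank official raises) lets malware land in the system partition, so the check should never be the only control. Second, suppressing the soft keyboard protects against a malicious IME, but not against malware that already has broader access to the phone, which is Modi's point that a breached handset is outside the bank's control.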