Editorial Policy

Is my mobile banking app safe?

Laura Mohammad

March 21, 2014

My kids think I’m technologically illiterate — even though I edit for a website.

I text too slowly. I huff at my computer too much. I’m just hopeless, they say.

So when I spent too long on my Android for their liking, they sighed and asked what I was trying to do. Loading my credit union’s banking app, I said. Well, that launched a diatribe.

“Banking apps aren’t safe.”

“Your personal information could be hacked.”

“Identity thieves could take money out of your accounts.”

Oh, and, “Androids are evil.”

I was a little surprised by my boys’ reaction, because you think of millennials as the embracers of all things mobile. But actually, that isn’t necessarily true: Angus Reid Public Opinion recently found out for TD Bank that while 88 percent of adults under the age of 35 bank online, only 47 percent use mobile banking. That’s below in-branch banking (53 percent) and ATMs (72 percent).

OK, so my little millennials are reticent. Was it for good cause?

Of course, I couldn’t refute any of this, including the personal attack on my phone, because I had never done research on it. So, I turned to Domingo Guerra, president and cofounder of Appthority. His company has tested 2.5 million apps for their safety or about 15,000 apps a day.

We got straight to the point: Are banking apps unsafe?

“It’s a mixed bag,” says Guerra. “Some of the smaller banks and credit unions aren’t as secure. Sometimes, they just launch a mobile browser.” Larger banks have the resources and manpower to develop their own apps, and they can build tighter security into the technology, he says. “It’s not that they don’t know how to do it,” says Guerra of the smaller financial institutions, “but big banks can do it in-house.”

That said, don’t give up on your smaller bank, because it may actually have a terrific security system. How do you know? Here’s what to look for:

What do the user ratings say? If there are complaints that it is difficult to log in to, that’s actually a good sign, says Guerra. That means strong security is likely.

What security systems are in place? If it only requires a four-digit number, that is the lowest level of security. An alpha/numeric password is better. Dual authentication is ideal, Guerra says. That’s when there are two ways to log in. For example, a password is required, then there is a security token, or a number that changes every 30 seconds.

What about the password? Both your bank password and your email password need to be strong, because you will receive any temporary passwords in your email. And, the bank and email passwords need to be different, Guerra says.

Which network should you use? Only use your cellphone’s 3G or 4G network, or your home or work networks. Don’t bank through wireless network systems provided by merchants, which you share with whomever else happens to be nearby — including fraudsters. “Hotel rooms and coffee shops are notoriously insecure,” Guerra says.

Guerra said Appthority has found that makers of free apps are more likely to harvest data and sell it, making them less secure. However, because they are service apps, the banking apps are usually safer; they are not trying to make money by reselling your data, Guerra says. (Check out this recent, comprehensive study, in which Appthority found that in general, free apps are more likely to do such things as track your location and access your address book.)

And the real question: Are Androids evil? “There is higher incidence of malware for Androids,” says Guerra. “But the apps are built by the same team at a bank, so there’s not a lot of difference” between apps for the Android operating system from Google and the iOS system from Apple.  Just don’t jailbreak your phone, he warns, because then it’s not protected by Google or Apple. (Jailbreaking is hacking into your phone so you can access apps not available through the official app stores.)

“As users, we forget that cellphones are computers as well, and everything that we learned applies to them,” Guerra says. “We need to remember what we have been taught about security.”