Is it safer to use an app or a browser for banking?
Why should I use a banking app instead of logging into my bank accounts with the relevant passwords via Windows 10 and Edge? Which one would be more secure? Irene
Over the past five years or so, I feel the consensus has changed to using apps. However, it depends on the devices, banking software and browsers, what else is loaded on the device (either knowingly or not), and the communications network.
Browsers are risky because there are trojans designed to collect banking information. Apps are risky because most banking apps probably have security flaws, and because fake/malware apps sometimes appear in app stores.
If you are a careful user with a secure PC, and if you only use it on your secure home network, you should not have any problems. However, if you want to perform banking transactions from wherever you happen to be, without taking too many precautions, then it should be safest to use an app over 3G/LTE (turn off wifi and Bluetooth).
Systems that use two-factor authentication, preferably with a separate device that generates new passwords on demand, are really the way to go.
What is an app?
When personal computers first went on general sale in the 1970s, the VisiCalc spreadsheet was hailed as a “killer app”, which was short for “application program”. However, the past decade has seen a huge growth in app stores for smartphones and tablets. These apps are different from traditional PC programs in that they are vetted by and downloaded from secure online stores. Further, these apps run in sandboxes to prevent them from doing bad things.
PCs, by contrast, can run unvetted software from any source, including malware-infected websites, unless your anti-virus software blocks them.
When Microsoft redesigned Windows 8 to run on tablets and smartphones, it introduced a similar subsystem for apps. This enabled Windows to run sandboxed apps installed by the Windows Store. These apps are much safer than the old programs, because there are limits to what they are allowed to do.
Today there are quite a few Windows banking apps – Alliance, Citibank, FNB, RMB, HDFC, BNP Paribas, UBI, Westpac etc – but none that I can see from UK banks. They are rather slow to catch on …
The Edge browser in Windows 10 is a new sandboxed app, so it’s much better for banking than Internet Explorer. Otherwise, Chrome is the most secure alternative, because it runs in Google’s own strong sandbox. Some security companies also provide add-ons, such as Kaspersky Safe Money and Bitdefender Safepay.
The browsers on smartphones and tablets are also sandboxed, but like their desktop counterparts, they may be at risk from phishing and “man-in-the-middle” attacks.
The biggest threat to banking security comes from using a compromised device: one with malware that captures logons etc and sends them to someone else without your knowledge. On Windows, the main banking malware comprises trojans such as “Zeus and its variants Neverquest and Gozi”. Zeus has been around since 2007.
Zeus is usually delivered as an email attachment with a text that persuades some users to click on it. It may say your bank or email account has been hacked and that you need to log on to confirm or change your password, etc. Zeus collects your logon details, or puts up a fake screen that mimics a legitimate website, or redirects you to a fake website. The malware captures your keystrokes as you try to log into your bank. Variants such as Gozi can even imitate your typing style and mouse movements, to defeat banks that use this kind of information to identify real users.
Banking trojans can also be hidden in Microsoft Word documents, pdfs or fake invoices. Some are distributed as “drive by” installations from websites that host exploit kits.
Smartphones and tablets are more likely to be compromised by fake or lookalike apps that have evaded the vetting process. Sometimes, devices are compromised by apparently simple apps that demand loads of “permissions” to run. (How can a flashlight app be allowed to monitor your network connections or modify the contents of your USB storage?)
Insecure banking apps
Banking apps ought to be more secure than browsers, but it ain’t necessarily so. In 2014, Ariel Sanchez tested 40 home banking apps and found that 90% included insecure links (ones that didn’t use SSL), 40% didn’t check the validity of SSL certificates, 50% were vulnerable to cross-site scripting, and 40% were vulnerable to man in the middle attacks.
In a typical hack, the user might get a message to say that their session or password had expired and they needed to retype their user name and password. (Don’t.)
Today’s banking apps should be much more secure, but I wouldn’t bet on it.
If you use public hotspots, your communications could be monitored, or you could mistakenly log on to a copycat hotspot run from a nearby PC. It’s not always easy to identify the correct network for a coffee bar, hotel or airport. These networks make you potentially vulnerable to monitoring and “man in the middle” attacks,
In fact, someone may be able to hijack an account without knowing your name or your password. This was demonstrated by a “network sniffer” called Firesheep, which could identify and steal the unencrypted “session cookies” some websites used to store information after you had logged on. This only works if you are on the same network as the attacker, but when you use a public network, you have no idea who else is logged on.
Whatever device you are using, the best solution is end-to-end encryption, shown by “https” addresses and a padlock in the browser. The whole of ecommerce – and egovernment – is totally dependent on encryption, which is why it’s insane to think about banning it.
Secure booting and SSL
Online banking depends on secure booting and secure communications. The secure booting system tries to ensure that the device starts in an uncompromised state. To do this, it uses secure hardware on the device that uses cryptography to verify the bootloader code, which uses cryptography to verify the secure loading of the operating system. This is built into smartphones and tablets. If buying a Windows PC, choose one with a UEFI system that securely boots Windows 10.
The secure chain is broken when people use exploits to “jailbreak” devices. Banking systems should detect and block them, but 90% of Sanchez’s 40 home banking apps didn’t.
Once the device is running, it must connect to your bank via an SSL/https connection, though it may not be easy to tell if does. (I assume that 3G and LTE mobile connections are secure enough.)
The simplest solution is to install the EFF’s HTTPS Everywhere extension in Chrome, Firefox or Opera. Not every website supports https, but if not, the extension should redirect you to the unencrypted site.
You can increase your banking security in Windows 10 by keeping one browser for financial transactions and never using it for anything else. Also, either use a private browsing/incognito mode or delete all caches and cookies after use. Indeed, you could use a separate standard user account (not an administrator account) for financial transactions. Switching between accounts isn’t arduous nowadays, and you can leave your original account open while you do it.
Going even further, you could keep a password protected Apple iPad at home for banking. Do not download any other apps and, out of the box, that’s one of the most secure home systems you can get. Government security services could hack you, but it’s unlikely that they would.
Have you got another question for Jack? Email it to Ask.Jack@theguardian.com