
Mobile banking: Is it worth the security risk?

There are upsides and downsides to banking via text. Jack Wallen highlights the security-centric cost of text-based banking.


Recently I decided to give SMS banking a try. It was simple, convenient, and (as far as I could tell) fairly secure. I knew the features offered by my bank were innocuous enough that there'd be little to no risk.

So long as I used this service with an understanding that malice is always just around the corner.

Let me explain.

My particular bank doesn't offer a vast array of features with SMS banking. With it, I can:

  • Retrieve nicknames for all my accounts
  • Retrieve account balances of all accounts or a specific account
  • Retrieve the last few transactions for an account I specify
  • Retrieve a list of all supported commands
  • Retrieve basic help
  • Stop all text messages from the institution
  • Retrieve the balance of a virtual wallet
  • Retrieve rewards balance
  • Retrieve any payment due listing

As you can see from the above listing, this is very much a minimal relationship. The only data I am transmitting is brief commands, to which my bank responds with a reply. Neither I nor my bank is transmitting account numbers (or any other data that could compromise my account).

However (yes, there is always a however), let me posit something for you.

Phone numbers are fairly easy to spoof. Once someone has managed to spoof your number, they could easily pose as your banking institution and send you an SMS saying that you need to submit your PIN (or even account number) in order to continue with the service. You assume this to be a valid text and place that sensitive information in the wrong hands. You have been socially engineered and your account has been compromised.

How to avoid this

As much as I don't want to say this, I will: if you've made SMS banking a part of your daily (weekly, monthly, whatever) life, it is imperative that you not do anything outside of the given commands your bank supports. Know that your bank will not text you (they are not your BFF) and ask for your PIN, password, or account number. Should you receive such a text, call your bank immediately and ask if they sent this SMS message. They will say "No" and you can then report the spoofing.

A word about spoofing. Under the Truth In Calling Act, spoofing without intent to harm (or if no harm is done) is not illegal. If, however, harm is intended (such as stealing your bank account information), spoofers can face up to a $10,000 fine for each violation. If you do suspect you have been spoofed, report it via one of the following means:

  • File a complaint online
  • By phone: 1-888-CALL-FCC (1-888-225-5322); TTY: 1-888-TELL-FCC (1-888-835-5322); ASL Videophone: 1-844-432-2275
  • By mail (please include your name, address, contact information and as much detail about your complaint as possible):
    Federal Communications Commission
    Consumer and Governmental Affairs Bureau
    Consumer Inquiries and Complaints Division
    445 12th Street, S.W.
    Washington, DC 20554

Setting up SMS banking

How you set up SMS banking will depend upon your banking institution. Most likely, you will have to log onto your account, and then search for a Mobile Banking section. With my particular institution, I had to add my phone number to the Mobile Banking section and then enter a confirmation code (one received via SMS on my phone) online. Once that was complete, I could then begin sending commands to my bank to check balances and such.

What is the cost?

I'm not talking about dollars and cents here. Clearly, the big cost is your security. As I've already explained, so long as you remain within the usage constraints of your bank, you should not fall under any undue malice. This same thing applies to any online activity. A nod to caution and common sense will go a long way. However, should you find yourself on the wrong end of a spoofing (or other) attack and a ne'er-do-well winds up with your account information, you can rest assured (according to this Bankrate post) that most banking and credit card institutions promise to cover 100 percent of mobile fraud loss. Although that is reassuring, there can be a period of time before your bank actually does cover that loss. That means you cannot lean on the bank to make up for missteps when using mobile banking.

In other words, use the service wisely. A short list of do's and don'ts should look like this:

  • Do not transmit anything other than the supported list of commands
  • Make sure your mobile banking is set up with two-factor authentication (if available)
  • Use only strong passwords (for your bank account, for your mobile device, etc.)
  • Do not share your passwords, PINs, or account numbers with anyone
  • Should your phone be lost or stolen, immediately remotely wipe the device and report the lost phone to your bank

Very convenient, mostly safe

The one thing you must understand is that banks aren't sending out SMS messages that are encrypted. That means anyone could intercept that information and read it. Fortunately, the information they will see is really only account balances. The caveat to that is someone could know how much you have in your account and, should that number be high enough, their interest could be piqued.

Getting your account balances on the go is a nice convenience. You just have to decide for yourself if it is worth the risk. Remember, your banking institution does have your back (so long as you are using their service within the outlined parameters), but they are not your BFF. Text only those short commands and you should be good to go.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
