Are Mobile Banking Apps as safe as banking via a PC browser?
-
Olinda99 said:
Of course you can use mobile banking apps on an unencrypted wifi in Starbucks or wherever.
The app talks to the server using 256 AES encryption. You don't need a vpn which in any case just masks your IP address.
Not completely accurate.
A VPN also encrypts traffic between the device and the VPN server.
Without a VPN, traffic is encrypted, but the destination is visible, i.e. something intercepting traffic on the unencrypted WiFi can see that you have a connection to a bank (or any other connection), which makes your device potentially susceptible to social engineering, or app based targeting.
Note: this is unlikely, but possible.
With a VPN, all that is visible (on the local unencrypted WiFi) is your connection to the VPN server.
As such a VPN does add security and protection, albeit not to the same level as the adverts would suggest.
0
-
[Deleted User] said:
Hackers don't break into bank accounts by breaking the security measures, they log into them with the same details as the user.
The security of banking whether via apps or internet browsers is virtually impenetrable. The data transmitted between your device and the bank is encrypted to a level that is nearly impossible to crack. The login methods are near impossible to brute force or hack.
The ways hackers steal money from bank accounts are much easier than trying to attack the security measures, instead, it is mostly one of the following.
- Social engineering - pretending to be somebody from the bank, a technical helpline or friend and persuading the user to carry out actions such as revealing their user credentials or transferring money.
- Phishing - fake websites/apps - getting the user to go to a fake website or app and enter their user details or bank card.
- SIM swapping - getting access to your mobile provider, getting a new SIM sent to a different address and using the 2FA codes to access your account - requires some of your banking details gleaned from one of the above.
- Malware/keyloggers - users inadvertently download dodgy software/apps that record keystrokes on the device or use unsupported software and operating systems that are vulnerable to malware.
The point to the OP is that both Mobile and web are generally equally secure, both have things to be aware of and neither is better or worse than others, they both have risks, but with sensible precautions are very secure and the non hack routes are far more likely.
1
-
400ixl said:
[Deleted User] said:
Hackers don't break into bank accounts by breaking the security measures, they log into them with the same details as the user.
The security of banking whether via apps or internet browsers is virtually impenetrable. The data transmitted between your device and the bank is encrypted to a level that is nearly impossible to crack. The login methods are near impossible to brute force or hack.
The ways hackers steal money from bank accounts are much easier than trying to attack the security measures, instead, it is mostly one of the following.
- Social engineering - pretending to be somebody from the bank, a technical helpline or friend and persuading the user to carry out actions such as revealing their user credentials or transferring money.
- Phishing - fake websites/apps - getting the user to go to a fake website or app and enter their user details or bank card.
- SIM swapping - getting access to your mobile provider, getting a new SIM sent to a different address and using the 2FA codes to access your account - requires some of your banking details gleaned from one of the above.
- Malware/keyloggers - users inadvertently download dodgy software/apps that record keystrokes on the device or use unsupported software and operating systems that are vulnerable to malware.
The point to the OP is that both Mobile and web are generally equally secure, both have things to be aware of and neither is better or worse than others, they both have risks, but with sensible precautions are very secure and the non hack routes are far more likely.
Currently most exploits target PCs, rather than mobiles.
This will likely change over time.
0
-
k_man said:
400ixl said:
[Deleted User] said:
Hackers don't break into bank accounts by breaking the security measures, they log into them with the same details as the user.
The security of banking whether via apps or internet browsers is virtually impenetrable. The data transmitted between your device and the bank is encrypted to a level that is nearly impossible to crack. The login methods are near impossible to brute force or hack.
The ways hackers steal money from bank accounts are much easier than trying to attack the security measures, instead, it is mostly one of the following.
- Social engineering - pretending to be somebody from the bank, a technical helpline or friend and persuading the user to carry out actions such as revealing their user credentials or transferring money.
- Phishing - fake websites/apps - getting the user to go to a fake website or app and enter their user details or bank card.
- SIM swapping - getting access to your mobile provider, getting a new SIM sent to a different address and using the 2FA codes to access your account - requires some of your banking details gleaned from one of the above.
- Malware/keyloggers - users inadvertently download dodgy software/apps that record keystrokes on the device or use unsupported software and operating systems that are vulnerable to malware.
The point to the OP is that both Mobile and web are generally equally secure, both have things to be aware of and neither is better or worse than others, they both have risks, but with sensible precautions are very secure and the non hack routes are far more likely.
Currently most exploits target PCs, rather than mobiles.
This will likely change over time.
I personally prefer to do my banking on my phone, as it doesn't require me to be in a certain place to access details required. If going through complex details for monthly reports etc, I will use a PC for ease of use.
You're not getting into my online banking without a fingerprint on my phone (or a device that is almost never with me now), no need to enter details, however in 99% of cases this will (to me) make the access more secure as it will stop anyone copying details down.
💙💛 💔
0
-
CKhalvashi said:
k_man said:
400ixl said:
[Deleted User] said:
Hackers don't break into bank accounts by breaking the security measures, they log into them with the same details as the user.
The security of banking whether via apps or internet browsers is virtually impenetrable. The data transmitted between your device and the bank is encrypted to a level that is nearly impossible to crack. The login methods are near impossible to brute force or hack.
The ways hackers steal money from bank accounts are much easier than trying to attack the security measures, instead, it is mostly one of the following.
- Social engineering - pretending to be somebody from the bank, a technical helpline or friend and persuading the user to carry out actions such as revealing their user credentials or transferring money.
- Phishing - fake websites/apps - getting the user to go to a fake website or app and enter their user details or bank card.
- SIM swapping - getting access to your mobile provider, getting a new SIM sent to a different address and using the 2FA codes to access your account - requires some of your banking details gleaned from one of the above.
- Malware/keyloggers - users inadvertently download dodgy software/apps that record keystrokes on the device or use unsupported software and operating systems that are vulnerable to malware.
The point to the OP is that both Mobile and web are generally equally secure, both have things to be aware of and neither is better or worse than others, they both have risks, but with sensible precautions are very secure and the non hack routes are far more likely.
Currently most exploits target PCs, rather than mobiles.
This will likely change over time.
I personally prefer to do my banking on my phone, as it doesn't require me to be in a certain place to access details required. If going through complex details for monthly reports etc, I will use a PC for ease of use.
You're not getting into my online banking without a fingerprint on my phone (or a device that is almost never with me now), no need to enter details, however in 99% of cases this will (to me) make the access more secure as it will stop anyone copying details down.
https://www.zdnet.com/article/almost-100000-new-mobile-banking-trojans-detected-in-2021/
That said, I still feel mobile banking is safer (and easier) than web/PC.
And as has been stated, there are many other concerns to be addressed first (e.g. security updates/out of date apps, poor password management, weak passcodes)
0
-
The simple answer is the OP's partner should not be limiting their choice on web or mobile app. Both are suitable and as long as basic precautions are taken (as they are both fallible) they will be fine.
The social engineering side is something to be of more concern about, but again some basic understanding of the approaches will protect the majority of people.
We have gone down some rabbit holes based on disproving some wild claim.
2
-
CKhalvashi said:
k_man said:
400ixl said:
[Deleted User] said:
Hackers don't break into bank accounts by breaking the security measures, they log into them with the same details as the user.
The security of banking whether via apps or internet browsers is virtually impenetrable. The data transmitted between your device and the bank is encrypted to a level that is nearly impossible to crack. The login methods are near impossible to brute force or hack.
The ways hackers steal money from bank accounts are much easier than trying to attack the security measures, instead, it is mostly one of the following.
- Social engineering - pretending to be somebody from the bank, a technical helpline or friend and persuading the user to carry out actions such as revealing their user credentials or transferring money.
- Phishing - fake websites/apps - getting the user to go to a fake website or app and enter their user details or bank card.
- SIM swapping - getting access to your mobile provider, getting a new SIM sent to a different address and using the 2FA codes to access your account - requires some of your banking details gleaned from one of the above.
- Malware/keyloggers - users inadvertently download dodgy software/apps that record keystrokes on the device or use unsupported software and operating systems that are vulnerable to malware.
The point to the OP is that both Mobile and web are generally equally secure, both have things to be aware of and neither is better or worse than others, they both have risks, but with sensible precautions are very secure and the non hack routes are far more likely.
Currently most exploits target PCs, rather than mobiles.
This will likely change over time.
I personally prefer to do my banking on my phone, as it doesn't require me to be in a certain place to access details required. If going through complex details for monthly reports etc, I will use a PC for ease of use.
You're not getting into my online banking without a fingerprint on my phone (or a device that is almost never with me now), no need to enter details, however in 99% of cases this will (to me) make the access more secure as it will stop anyone copying details down.
Unless they copy your fingerprint. I'm sure the technology exists to create a "finger" with a copied fingerprint - you leave a copy of your fingerprint everywhere - that's how crimes are often solved! So someone steals your mobile, which will have copies of your fingerprint all over it, feeds it into an app which 3D prints part of a finger with your fingerprint, then they're into your phone, and if your banking apps only need fingerprint to access them, they're into them too!
Or less subtly - if you're asleep/drunk etc, someone just puts your finger onto the sensor.
I don't trust a single factor of authentication whatever it is - far more secure to have authentication based on at least 2 factors, something you have and something you know.
0
-
At the end of the day, for the majority of people the only choice for banking is either mobile or PC. Personally, I use whichever one is handy at the time. Mostly this will be mobile banking on my phone.
Most of the arguments are if's and but's... If your Aunty had nuts, she'd be your Uncle... If you cross the road you will be killed, unless you keep your wits about you and do the needed safety routines... Same for banking really...
Drinking Rum before 10am makes you
A PIRATE
Not an Alcoholic...!
1
-
Ask her if she has fingerprint control on her PC.
0
-
400ixl said:
The server will talk SSL with whatever connects to it, that doesn't mean it is not a proxy in the middle which then creates its own SSL connection with the app and can read everything that goes through it.
0