The current state of mobile banking security

Mobile banking is a 24/7 remote service offered by banks and financial institutions to their clients. It is delivered through mobile applications and lets customers manage accounts, check balances, conduct transactions, or simply communicate with an advisor. Mobile banking is widely adopted in the financial industry because it lowers the number of customers visiting local branches, reducing overall expenses, and improves the customer experience through more agile services.

Alongside the massive growth of mobility, cybercriminals looking for valuable data have naturally shifted their interest toward mobile banking. Mobile applications have inherent capabilities that, when abused, can provide direct access to all the data they handle.

Application threats

Mobile applications are cybercriminals' favored vector. They can carry malware and thus be inherently malicious, or they can be entirely legitimate yet leak the data they handle or be vulnerable to attack. In all cases, and whether they are developed internally or externally, mobile applications can seriously harm data privacy.

Plenty of techniques are used to compromise mobile banking applications, from the most common ones to unknown “0-days”:

  1. Clones / Fake apps – A clone is a legitimate application that has been duplicated through reverse engineering, tampered with and repackaged, then redistributed as if it were the original.
  2. OTP interceptor – Most online transactions require two-factor authentication, and a One-Time Password (OTP) sent by SMS is often one of the two factors. The purpose of the OTP is to prevent fraud by confirming that the person making the transaction and the account or card holder are one and the same. Regrettably, this step is nowadays easily bypassed by malicious mobile applications that read incoming SMS messages, intercept the OTP and use it to commit banking fraud.
  3. Man-in-the-middle attack – A man-in-the-middle attack happens when the communication between two parties is intercepted by an outside entity. The perpetrator either eavesdrops on the communication or impersonates one of the two parties, so that the exchange appears to be a regular one. On mobile, this typically means intercepting the app's TLS traffic to the bank's servers, for instance on a hostile Wi-Fi network or through a fraudulent certificate the device has been induced to trust.
  4. Keylogger and screenlogger – A keylogger records what is typed, either by hooking the original keyboard or by displaying its own keyboard on top of the real one; a screenlogger records what is displayed on the device's screen. Both then send the captured data to a remote server controlled by the attacker. Most of the time this malware is silent and users are unaware that their data are being exfiltrated. Keyloggers and screenloggers are widely used to steal credit card details and banking credentials.

Consequences for financial institutions

  1. Data leakage – When attackers compromise a mobile banking app, they capture the data displayed in the app or transmitted to the bank's servers, causing a data breach for which the financial institution is legally responsible. Credentials and credit card numbers are the most commonly stolen data.
  2. Fraud – Transactions emanating from banking apps can be intercepted and altered if they are not properly protected end to end, causing great financial loss to the bank.
  3. Fines – Most data privacy regulations require organizations to notify the authorities and the affected users of any security breach affecting the data they collect and process. The authorities are then in a position to fine them.
  4. Reputational damage – When a mobile application leaks the data it handles, it usually ends up in the news and its users become worried about the privacy of their own data, resulting in a drop in user trust.
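The OTP interception described under the application threats (item 2), the altered request of a man-in-the-middle (item 3) and the altered transactions under "Fraud" above all exploit the same weakness: a code that only proves somebody saw the SMS, not what they agreed to. The following Python is an added illustration, not code from the page or from any bank or vendor. It contrasts a plain session OTP, which validates regardless of the transaction, with a code derived from the exact transaction details (payee, amount, currency and a nonce), so that a captured code cannot authorise an altered transfer and cannot be replayed. The class names, the 32-byte per-user secret held by the bank, the HOTP-style truncation and the sample transactions are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Fields the customer is shown and approves, in a fixed order so the
# serialisation is canonical. (Assumed field set for this example.)
TX_FIELDS = ("payee", "amount", "currency", "nonce")


def canonical_tx(tx: dict) -> bytes:
    """Serialise the approved fields in a fixed order. Any change to payee or
    amount changes these bytes, and therefore the code derived from them."""
    return "|".join(f"{k}={tx.get(k, '')}" for k in TX_FIELDS).encode()


def bound_code(secret: bytes, tx: dict, digits: int = 6) -> str:
    """Code = HMAC-SHA256(secret, canonical transaction), truncated to N digits
    with the dynamic truncation used by HOTP (RFC 4226)."""
    mac = hmac.new(secret, canonical_tx(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class PlainOtpBank:
    """Weak pattern: a random code that proves only that the submitter saw the SMS."""

    def __init__(self):
        self.sessions = {}

    def start(self, user, payee, amount):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.sessions[user] = code  # not tied to payee or amount in any way
        return {"payee": payee, "amount": amount}, code  # code goes out by SMS

    def confirm(self, user, tx, code):
        ok = hmac.compare_digest(self.sessions.get(user, ""), code)
        if ok:
            del self.sessions[user]
        return ok


class BoundCodeBank:
    """Hardened pattern: the code is derived from the exact transaction the
    server will execute, so it is useless for any other transaction."""

    def __init__(self):
        self.secrets = {}   # assumption: one 32-byte secret per enrolled user
        self.pending = {}

    def enroll(self, user):
        self.secrets[user] = secrets.token_bytes(32)

    def start(self, user, payee, amount, currency="EUR"):
        tx = {"payee": payee, "amount": amount, "currency": currency,
              "nonce": secrets.token_hex(8)}
        self.pending[(user, tx["nonce"])] = tx
        # The SMS would show payee and amount next to the code so the user
        # can check what they are about to approve.
        return tx, bound_code(self.secrets[user], tx)

    def confirm(self, user, tx, code):
        pending = self.pending.get((user, tx.get("nonce")))
        if pending is None:
            return False  # unknown, already used, or missing nonce
        # The submitted transaction must be byte-for-byte what was approved,
        # and the code must match the code derived from that transaction.
        ok = (canonical_tx(tx) == canonical_tx(pending)
              and hmac.compare_digest(bound_code(self.secrets[user], pending), code))
        if ok:
            del self.pending[(user, tx["nonce"])]  # single use
        return ok


def demo():
    """Constructed scenario: the user approves 50 EUR to a friend; malware or a
    man-in-the-middle captures the code and rewrites the transfer to 5000 EUR
    to a mule account. Returns (plain OTP accepts tampered tx,
    bound code accepts tampered tx, bound code accepts genuine tx,
    bound code accepts replay of the same code)."""
    plain = PlainOtpBank()
    _tx, otp = plain.start("alice", "FRIEND-IBAN", "50.00")
    plain_tampered = plain.confirm("alice", {"payee": "MULE-IBAN", "amount": "5000.00"}, otp)

    bound = BoundCodeBank()
    bound.enroll("alice")
    tx, code = bound.start("alice", "FRIEND-IBAN", "50.00")
    tampered = dict(tx, payee="MULE-IBAN", amount="5000.00")  # same nonce, same code
    bound_tampered = bound.confirm("alice", tampered, code)
    bound_genuine = bound.confirm("alice", tx, code)
    bound_replay = bound.confirm("alice", tx, code)
    return plain_tampered, bound_tampered, bound_genuine, bound_replay


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The plain OTP still succeeds after the request is rewritten in transit, which is exactly the fraud path described above; the bound code fails for the altered transaction and for the replay, and only ever authorises the transfer the bank showed the user. Binding the code to the transaction does not help if the attacker also controls the user's session and initiates their own transfer, so it complements, rather than replaces, protecting the SMS channel itself.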

iTM covers all aspects of cybersecurity, from home cyber security managed solutions to automated, managed threat intelligence, forensic investigations and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact us for more information.
