Banking from phone has its risks
The use of mobile banking surged with the rise in the number of smartphone users in Korea and local banks are eagerly encouraging their customers to download apps.
But security experts warn that current mobile-banking applications are vulnerable to attack by hackers who see a whole new opportunity for mischief.
Industry analysts say the number of people who download mobile-banking apps to their smartphones is expected to surpass 30 million next month.
Statistics from the Bank of Korea showed that a total of 13.6 million people were using such apps as of the first quarter of this year, up 3.31 million people from the fourth quarter of 2011.
Daily transactions involving smartphone banking apps stood at 688.8 billion won ($600 million) in the first quarter of this year, up 140 billion won from the fourth quarter of 2011.
Korea’s seven major banks, including Kookmin, Woori, Shinhan and Hana, offer mobile-banking apps at online stores run by Android and Apple, but they’re still vulnerable, experts said.
The good news is that hackers haven’t gone after banks through their smartphone apps yet.
“Fortunately we don’t have reports of hacking involving smartphone banking apps,” said Hong Dong-cheol, an IT security expert.
The bad news is that hackers have already discovered an Achilles’ heel of the smartphone banking app: Customers who don’t download a bank’s certified app from the Apple or Android stores, but instead download rogue apps.
The people who do that have “jailbroken” their iPhones or “rooted” their Android phones. Jailbreaking and rooting refer to the process of altering a phone so that it can download a host of apps not available in official app stores. It also allows people to get apps for free that cost money in the approved stores. Some 10 percent of smartphone users in Korea had jailbroken or rooted their smartphones as of last year, according to the Korea Copyright Commission. In the age bracket of 19 to 29, that figure rises to 53 percent.
Once you’ve jailbroken or rooted your phone, the official mobile-banking app from a bank usually doesn’t work. Then a bank customer is forced to download an app developed by a third party, and that’s where the risk comes in.
The developer of the app might be a thief wanting to get into your bank account.
“In the worst-case scenario,” said Hong, the IT security expert, “when the developer of a forged app plants malicious code, he can steal your ID and password and secretly transfer money. People using forged or altered apps are exposed to greater threats than people using banks’ official apps.”
“Banks can’t 100 percent block access to their sites from such apps,” said Lee Jong-ho, an IT security expert at Luven Soft, “and this leaves a loophole for a hacker’s potential attack.”
According to media reports, NH Nonghyup Bank was accessed by forged smartphone apps 700 times a day in March. Sources suggested other banks might have had the same experience.
“We have built up our security firewall to block people who try to access our banking app through forged apps,” said a Nonghyup official.
The Financial Supervisory Service Governor Kwon Hyouk-se said earlier this month it will conduct a comprehensive examination into 15 financial institutions, including four banks, four securities firms and four insurers, to see if they’re prepared for attacks by hackers who try to steal sensitive customer information via mobile apps. The examination will take place between this month and September, he added.
“We will invite outside information technology experts for the examination to find out weaknesses in financial institutions’ IT security,” Kwon said. “The threat of smartphone hacking is increasingly growing. We will actively provide technology tips and guidelines to financial institutions so that they won’t be exposed to threats.”
The FSS has already ordered banks to improve firewalls so they can block access from forged banking apps and banks say they’re complying.
Experts said average smartphone users should use common sense. “We advise people to download apps from credible sources,” said Lee Ho-woong, chief of the software firm AhnLab’s security counter division.
By Kim Mi-ju [email@example.com]