World Class Faculty & Research / February 3, 2014

Mitigating Mobile Banking Risk: Tips from UMD-Smith Experts

Security-assessment firm IOActive recently identified security flaws in 40 mobile banking applications for iPhone and iPad that are used by some of the world's leading financial institutions. 

The alarm coincides with recent data showing that more than half of smartphone users on both the iOS and Android platforms frequently use their bank’s mobile site or app. 

Faculty experts at the University of Maryland’s Robert H. Smith School of Business say the risks can be mitigated.

Among the IOActive findings: all tested apps could be installed on jailbroken phones, and jailbreaking nullifies the device’s built-in security features. Also, about half the apps were susceptible to cross-site scripting, a hacking method that prompts users to re-enter their username and password.

Bill Rand, assistant professor of marketing and computer science, and director of Smith's Center for Complexity in Business, suggests these safeguards for consumers:

  • Look to utilize two-factor authentication, which incorporates a username/password plus PIN code during login and vastly increases the system's security against cross-site scripted impersonation attacks. “Banks are starting to roll this out, but it's usually user-enabled.”
  • Create long passwords – as lengthy as your system allows. Short passwords, even with numbers and symbols, are easily hacked. “The structural security flaws in most online banking systems are minor compared to users’ weak passwords.”
  • Never use a password based on personal information, such as a child’s birth date or home address.
  • Always log off any financial site when finished.

No security system is perfect, Rand says. “The endgame here is to make the degree of difficulty high enough to dissuade the attacker.”

“On the positive side, the ability to audit your own financial accounts online, 24 hours a day, rather than having to go to a bank in person to audit transactions, increases your overall financial security,” he says. “In the end, the convenience of online banking probably outweighs the risk to consumers, who ultimately must weigh that decision for themselves.”

Banks should be assessing themselves as well. “The (IOActive) findings, if accurate, suggest the banks have underestimated the probability of potential cybersecurity breaches associated with their mobile apps,” said Lawrence Gordon, Smith's EY Alumni Professor of Managerial Accounting. “Under this scenario, the Gordon-Loeb Model for Cybersecurity Investments would suggest that the banks are underinvesting in cybersecurity.”

(The model, a guide to calculating a firm’s optimal investment for information security, was established by Gordon and Smith colleague Martin Loeb, professor of accounting and information assurance and Deloitte and Touche LLP Faculty Fellow.)

Rand, who uses computer models to help understand various complex systems including financial systems, suburban sprawl and traffic patterns, is available for further comment at wrand@rhsmith.umd.edu or 301-405-7229.

Media Contact

Greg Muraski
Media Relations Manager
301-405-5283  
301-892-0973 Mobile
gmuraski@umd.edu 

About the University of Maryland's Robert H. Smith School of Business

The Robert H. Smith School of Business is an internationally recognized leader in management education and research. One of 12 colleges and schools at the University of Maryland, College Park, the Smith School offers undergraduate, full-time and flex MBA, executive MBA, online MBA, business master’s, PhD and executive education programs, as well as outreach services to the corporate community. The school offers its degree, custom and certification programs in learning locations in North America and Asia.