Online and mobile banking are on the rise, but we need to understand what the stakes are for the protection of our personal information.

 We’d all like to think that our personal information is as protected by our banks as we would protect it ourselves, but unfortunately it appears that our information is not always secure- especially if we’re using online banking. In a recent security test as part of the 2017 Online Trust Audit & Honor Roll by Online Trust Alliance, 65% of banks failed to meet a minimum standard. Furthermore, of the 100 biggest banks in the United States, only 27% met the Honor Roll Standards by achieving a score of at least 80%. This test considers site privacy, overall website security, and customer protection.

What's going on with banking security?

In addition to several site crashes and data breaches throughout the last year, IBTimes reports that the websites of several of the most prominent U.S. banks have trackers trolling visitors on their web browsers. These trackers can collect and follow a trail of breadcrumbs made up of our online activity. They can gain access to any personal information we submit while using online banking, track how we engage with a web site, and even note seemingly useless information, like our battery power, in order to identify users. These trackers try to construct a “pseudo identity” of each individual based on the information they have on their online behavior.

What’s the problem with trackers?

So who cares if these third party trackers see what I Google or how long I spend scrolling on Facebook? Sure those actions might be harmless, but problems arise when users enter financial and private information online. All of that data - including credit card numbers, social security number, and online transactions - can be scooped up and stored by a tracker. Furthermore, there is no requirement for these companies to disclose what information is recorded and how they are using it. We do know that fair game includes any information that is entered into an online form (like all of the times you plug your credit card number in) and any details on how you interact with a website (even down to the mouse movements). But without knowledge of when and why our information is being used, we cannot protect it and become vulnerable to fraud.

Why do banks let this happen?

Banks allow trackers to permeate their websites for a couple of reasons. Banks can actually use the information on their clients that trackers obtain for their own benefit. They want to understand why a visitor did not fill out a form or left the web site quickly. This can be explained by the information on online behavior the trackers pick up. A bank can also gain access to all of the relevant data on an applicant for one of their financial services before the client even fills out any paperwork. This means the bank can know whether or not they’re willing to grant an applicant a loan before they actually visit the bank.  

Because banks are not required to disclose what third-party servers are present on their webpages, there's nothing stopping them from tracking personal information. In the United States, there are no privacy rules to prevent the collection of this data. However, GDPR in the European Union requires internet servers to inform their users if, where, and why personal data is being processed. European Union citizens even have the right to have their personal information erased and prevent the future use of that data. If this type of tracking is not allowed in other countries, maybe we should be concerned about why our banks can continue to do it.

What about mobile banking?

Banking on a mobile device is the next big hurdle financial institutions will need to tackle. According to the Federal Reserve, 67% of the millennials in the U.S. are already frequent users of mobile banking. It also reports that 73% of people are concerned about the security of mobile banking. The major issue here is that a lack of security in mobile applications does actually make them a vulnerable target for cybercriminals. Many mobile bank apps use static passwords rather than two-factor authentication.  With two-factor authentication, users are required to confirm their identity in two ways, such as answering various personal questions. Security problems on mobile apps could also lead to risks like phishing attacks where a user’s confidential information (passwords or a social security number) are stolen and their bank accounts are abused for financial transactions.

An easy way for cybercriminals to gain access to a mobile app is through the software development cycle (SDLC). Because the SDLC is often unprotected, it is susceptible to reverse engineering. Through reverse engineering cybercriminals can gain access to source code. Once the source code is in their hands, criminals can access any personal data stored in the app. Banks need to ensure they are developing a secure SDLC to help them both predict and fight against attacks.

Overall, mobile banking users need to be aware of the security risks, and educate themselves on how to mitigate them, in order to make smart choices regarding their bank and financial activity.

Read: Could Blockchain Ensure Financial Data Security?

How do we get better online and mobile security?

Users might want to start taking privacy into their own hands. Through private network security and tracker services, many third party servers can be identified. It is also important for active online and mobile banking users to learn how to avoid these risks. With mobile banking, users should regularly update their software and mobile apps that contain personal information. It is also important to communicate with your bank about the security measures they are taking to prevent fraud. Similarly, financial institutions need to stay up to date with the latest security technology.

Blockchain technology decentralizes economic transactions by creating a shared, self-auditing database. Simply stated, it functions in regulated time intervals by compiling transactions into groups called “blocks” and then adding each block onto the end of a “chain” made up of preceding blocks. The main excitement surrounding Blockchain’s potential include an opportunity for transparency and an eliminated risk of corruption of information. Because Blockchain is not stored in one location, but instead is hosted on millions of computers all at once, the transactions stored are constantly public and verifiable. If the information is publically accessible, it becomes an incredibly difficult victim for a hacker. Blockchain technology promises revolutionized security in storing and transferring information. In the wake of major security struggles, it might be time for banks to explore the potential of Blockchain technology.