How secure are banking apps? Here are some key steps all banks – and users – should be following

These days, banking apps have become integral to financial transactions. As a result banks are finding that ensuring the security of their apps is more critical than ever. Cybercriminals have evolved and so financial providers like banks need to evolve their tools as well.

That said, as large corporates, banks have access to substantial resources and are uniquely positioned to invest in advanced technologies and implement robust cybersecurity strategies.

But sometimes the bank’s protective measures against cybercrime aren’t enough. It can often be the responsibility of customers^[1], especially small^[2] and medium-sized enterprises (SMEs) and micro businesses (those with ten workers or fewer) that are more exposed to cybercrime^[3] to adopt technology and work to raise cyber awareness among their staff. This is something that some consumers have been slow to catch on to.

Understanding the threat

Banks face numerous cyber threats that can compromise the security of their apps. Phishing attacks can trick users into revealing sensitive information, while malware can penetrate systems to steal data or disrupt services.

Social engineering tactics, where a criminal poses as a trusted source like a bank to manipulate app users into doing things like revealing confidential information, clicking links or sending money to criminals, pose significant risks. As these threats evolve, especially with the rise of generative AI, banks must continuously update and enhance their security measures to prevent potential breaches.

Generative AI can be a tool to fight fraud. But it also represents a real threat, creating more sophisticated cyber-attacks and meaning banks must stay vigilant and adaptive in their defence strategies.

But it’s not all bad news. Banks have the money to invest in the latest cybersecurity technologies and there are some key measures they should implement.

• Multi-factor authentication (MFA): By asking for multiple forms of verification, banks can significantly reduce the risk of unauthorised access. MFA combines something the user knows (such as their password), something the user has (like a mobile device), and something the user is (biometric verification such as face ID).

• Encryption: Data encryption ensures that sensitive information is unreadable to everyone apart from the bank and the customer. End-to-end encryption should be standard nowadays for all transactions and communications within banking apps.

• Regular security audits and testing for weaknesses in the system: Conducting frequent security assessments helps identify and address vulnerabilities before cybercriminals can exploit them.

• Secure development practices: To minimise the risk of weaknesses creeping in during app updates, banks need secure coding standards and should carry out regular code reviews.

The importance of cyber awareness

While technology plays a crucial role, the reality is that human error remains a big vulnerability for any organisation. Banks must invest in comprehensive cyber-awareness programmes for both employees and customers.

Regular employee training sessions on the latest cyber threats and security practices can help staff recognise and respond to potential attacks.

But it’s not just down to staff. Banks should provide resources and guidance to help customers understand common threats such as phishing and social engineering. Simple tips, such as not sharing passwords and recognising suspicious emails, can prevent many attacks.

And keeping things simple for all customers is vital too. Introducing security features that are easy to use, such as biometric authentication (including fingerprint or facial recognition) and secure password managers, can help customers follow better security practices.

When it comes to the SMEs and micros, the reality is that often they lack the resources to introduce advanced cybersecurity measures. This can make them potential targets for cybercriminals. Banks, being large corporates that can afford the latest tech, can and should provide support to smaller businesses like these.

First of all, banks should encourage all their small business customers (SMEs, micros and the self-employed) to cover the basic cybersecurity practices by getting Cyber Essentials^[4] certification. This involves small businesses covering a checklist of security controls that will protect them from some of the most common attacks.

And giving SMEs access to affordable cybersecurity tools and services can help them protect their data and financial assets.

Banks should also collaborate with cybersecurity firms and industry groups to provide SMEs with the expertise and resources they need to bolster their defences.

The reality is that to combat any cyber threats requires a unified approach. Besides the technological tools that banks and financial providers can use, it’s essential to emphasise the role of the National Cyber Security Centre^[5] (NCSC).

The NCSC offers valuable support, including threat intelligence and expert guidance, to help enhance cybersecurity measures. And after an attack, it can provide advice to help banks safeguard both their own and their customers’ financial assets. It can also offer advice to individuals who have concerns about their own cybersecurity.

Addressing banking threats is a complex challenge. Safeguarding consumer data and sensitive assets is vital, as a security breach can be costly for an organisation, both in terms of reputational damage and financial impact.

But if your bank – and you – are following the latest guidance, you can feel confident that banking on an app is no less secure than entering a branch.

References

1. ^{^} customers (theconversation.com)
2. ^{^} small (www.insurancetimes.co.uk)
3. ^{^} more exposed to cybercrime (www.techuk.org)
4. ^{^} Cyber Essentials (www.ncsc.gov.uk)
5. ^{^} National Cyber Security Centre (www.ncsc.gov.uk)