Part 2: Mobile Banking and Buying: Best Practices
February 14, 2019
In the first part of this two-part blog, we outlined the kinds of banking and buying you can do on your mobile device, but also the things to watch out for. You might have noticed that our cautionary notes center around four threat vectors you need to track to stay safe: device, app, network, and account security. Here’s a list of best practices to stay secure, broken down by these categories. It’s long, but you can think of it as a knowledge bank you can draw upon to ensure your protection.
Device Security
- Be careful when buying second-hand mobile devices. They may contain pre-installed malware. After your purchase, do a factory reset to make sure your device is clean.
- Prevent theft of your mobile device: never carry it in an outside backpack pocket or purse or leave it unattended in a public place. When traveling, be aware of people in your surroundings when you use it, to guard against it being snatched.
- Use a passcode, pattern, and/or biometrics (face, iris, or fingerprint recognition) to access your mobile device, with the idle timeout set to five minutes or less. Use a privacy screen protector, so people nearby can’t see your login credentials onscreen as they look over your shoulder.
- Update the device’s OS whenever an update is available. Updates typically patch vulnerabilities on your device and increase its efficiency.
- Don’t jailbreak or root your phone. Doing so leaves the device more vulnerable to malware and other threats, particularly at boot time, because it breaks the cryptographic chain that verifies the operating system is loaded securely. To unjailbreak an iPhone, back it up to iCloud using a Mac, reinstall iOS, then restore it from the backup. Download and use SuperSU or ES File Explorer to unroot a rooted Android device.
- Don’t answer unsolicited calls, particularly those allegedly from your bank. Hoaxes often begin with suspicious phone calls. If you share your mobile device or take it in for repair, clear the browsing history, cache, and temp files first.
- Enable automatic device data wipe or encryption after 5 to 10 failed login attempts. You be the judge on the exact number of attempts.
- Use an anti-theft function or app on your mobile device and enable remote find/lock/wipe for a lost or stolen device. For another layer of protection, use the OS function to encrypt the data on your phone and memory card.
- If your mobile device is lost or stolen, temporarily deactivate your bank account, or at least your debit or credit card. Remotely suspend/deactivate/lock down the device itself until it’s located.
App Security
- Download banking apps only from trusted sources such as the Apple App Store or Google Play Store, not from third-party sources, to minimize the risk of potentially harmful or fake banking apps.
- Turn on the setting on your phone or tablet that blocks installation of apps from such third-party sources, or use a security app such as Trend Micro Mobile Security for Android to scan your banking apps for malware when you download or launch them, and keep the security app updated. (Note that you can also use its App Lock feature on Google Play and other App Store apps, so family members borrowing your device can’t install unsupervised or risky apps.)
- Update your financial apps as soon as the update is available, since the most current version will typically fix vulnerabilities in the app.
- Enable any built-in security features of your banking apps. These can include idle time-outs, requiring re-inputs of your username and password after each transaction or a period of elapsed time.
- Turn off any banking app’s home screen lock access or balance display functionality and set banking app permissions to an acceptable level.
- Delete junk, chain, and unsolicited SMS/text messages regularly. Don’t open attachments that accompany them or click on any URLs embedded in an unsolicited message.
Network Security
- Don’t bank while connected to unsecured Wi-Fi networks in public places; or, if you must, use a VPN to encrypt your transactions.
- If you’re using your mobile browser, only log onto banking or financial websites that use https addresses and that show a padlock, indicating that the site deploys encrypted communications.
- When using your banking app in a public place, use it over 3G/4G/LTE if you can, and turn off Wi-Fi and Bluetooth to prevent snooping.
- Turn on the NFC function on your mobile device right before your purchase, then turn it off once your purchase is complete. This can prevent the situation where your phone is “bumped” in a crowd by a criminal using an NFC sniffer device.
- Minimize location access that allows apps and websites to use information from cellular, Wi-Fi, GPS, and Bluetooth to determine a user’s location.
Account Security
- Don’t use auto-complete names and passwords in your financial apps or browser log-ins.
- Don’t store passwords in your browser or in an unsecured notes app. Use a password manager.
- Generate and use strong, unique passwords for your accounts. Generate them using the password manager. Change the password to your account every 30-90 days, depending on how often you use the account, to limit how long a stolen password remains useful.
- Enable two-factor authentication on your bank accounts and install an authenticator app, if your bank supports it. A one-time code is then delivered via SMS or produced by the registered authenticator app, and it must be entered before you can log into your bank.
- Log out of banking apps after you use them and before you put your phone to sleep.
- Check your accounts regularly for any suspicious activity; set notifications for transactions.
- Don’t respond to phishing texts or emails that request your PIN, account number, or any debit or credit card number.
- If your account is breached, log in and change the password to your account. Then change your debit or credit card with your bank.
Mobile Tools to Enhance your Banking and Buying Security
Finally, depending on your needs, you should install some of the following Trend Micro Mobile Security Solutions on your mobile devices to help keep your mobile banking secure.
Trend Micro Mobile Security for Android and iOS provides a complete endpoint security system for your mobile devices, protecting you from browser/web, file, and app security threats. Using web threat protection, file reputation, mobile app reputation, and real-time and on-demand scanning, your mobile device is protected from all kinds of threats.
Trend Micro’s free QR Scanner for Android (and its equivalent in Trend Micro Mobile Security for iOS) lets you test-scan QR codes easily and safely, performing high-quality URL safety checks on all the codes that you scan. If it detects danger along the way, it blocks you from going to the page and alerts you instantly.
Trend Micro’s Wi-Fi Protection for Android and iOS provides an easy-to-use VPN for public Wi-Fi hotspots, using Trend Micro’s highly secure cloud servers, so your Wi-Fi connection is encrypted and your data can’t be hijacked by man-in-the-middle attacks. Check if the app is available in your country.
Trend Micro HouseCall for Home Networks for Android and iOS (as well as Windows and Mac) scans all of the devices on your home network for privacy leaks and other network infections, since many home network devices have security issues that attackers can use to control them or the network itself. Check if it’s available in your region.
Trend Micro Password Manager for Android and iOS (as well as Windows and Mac) provides strong passwords and encryption for logging into your online accounts and works both with mobile browsers and apps, including banking apps, to ensure your privacy and security.