Mobile banking once entailed little beyond the ability to receive a text message with your account balance. But these days, it's finally starting to live up to its name. Virtually every large bank and many regional banks and credit unions have rolled out applications that allow their clients to use a mobile phone for fund transfers, bill payments and even check deposits.
But with the increasing popularity and convenience of mobile-banking apps comes a big caveat: the risk of downloading and installing a fraudulent application that could steal your account information and, potentially, any other data stored on your mobile device. In other words, the next generation of phishing scams is about to explode, and it has the potential to do much more damage than earlier versions.
The trend is still in its infancy, but there have already been instances of potential fraud. In January, Google pulled 50 applications from its Android Market in response to concerns that they might be malicious. All apps were uploaded by the same developer and claimed to offer access to bank accounts from a variety of institutions, from big names such as JPMorgan Chase, HSBC, U.S. Bank, USAA and ING to local credit unions.
Even more worrisome, fraudulent apps may be more difficult to spot than were the fake Web sites used by phishing scammers. An unusual Web address, or URL, could easily flag a Web site as fake, but that's not the case with smart-phone applications. And the fact that an application is available through an app store gives it an aura of credibility, Holland says.
Google declined to comment on the incident, and it isn't known just how many consumers have downloaded those apps. Scott Moeller, the chief executive officer of mShift, a company that develops applications for about 200 banks and credit unions, estimates that number to be below 1,000. (At least one of mShift's clients was among the affected institutions.)
The apps were priced in U.K. pounds (at 0.99 each, or about $1.50), which must have kept U.S. consumers at bay, Moeller says. That would probably not have been the case if they had been free or priced in U.S. dollars.
"There's a yearning for mobile applications," Moeller says. "You could put out 50 apps at once, and people would start downloading them immediately."
The issue has already gotten the attention of banks' fraud departments, which are charged with monitoring for such incidents and warning customers. And it works both ways: Sometimes it's customers who flag potential fraud. Paul Berry, a spokesman for USAA, says the bank found out about the December 2009 Android incident "almost immediately" from a bank member.
"We have a fraud department that covers the vast range of banking fraud and insurance fraud -- and we have members who'll call us and let us know," he says.
Companies that own the application marketplaces say they, too, are on the watch for fraudulent apps. At Apple, the policy is to vet each application before it appears in the App Store. But no system is foolproof. For example, there are apps for so-called jail-broken iPhones, which are unlocked in order to allow the use of other networks besides AT&T or to download applications sold on third-party marketplaces. The practice makes the compromised phones more prone to fraud. Apple spokeswoman Trudy Muller says the company takes security "very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Continued: Steps consumers can take
