Over half of all e-banking transactions are processed via smartphone or tablet nowadays. Mobile banking has many advantages - but to stay secure, a few basic rules should be observed. That's because being able to carry a device with you anywhere, at all times, and to keep it continuously connected to the Internet also entails additional risks.
1. Only install apps you really need, and only from an official store
2. Restrict access privileges
3. Secure mobile devices against unauthorised access
4. Don't store any confidential data on your device or in the Cloud
5. Only permit connections which are necessary and trustworthy
6. Keep your device up to date and clean
7. Use two-factor authentication
8. Stay alert
9. In case of loss, immediately block your device
10. Ensure your device is correctly reset before disposal or sale
You should only install apps (software) you actually need and ensure that they come from a reputable source, i.e. an official store (for instance Apple App Store or Google Play Store).
Be wary of any apps with a low reputation, or of recommendations by strangers. Before installing an app, you should obtain sufficient information if the provider is unknown to you.
Check from time to time which apps you are still actually using, and uninstall obsolete apps or ones you no longer need - every additional app represents a potential vulnerability.
If your financial institution offers one, use its official e-banking app instead of web-based e-banking in the browser.
Many apps request extensive privileges without any identifiable reason. Access to location data, the address book or telephone status, for instance, is not necessary for every app. You should therefore have a critical look at whether certain access privileges are actually necessary for an app's functionality, and if possible deactivate any rights which are not required.
As a rule, you should be very cautious about disclosing your location data: avoid location services, and don't save any location information in photos you upload to the Internet. Thieves and hackers could abuse such information.
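Checking which apps currently hold the privileges named above (location, address book, telephone status) can be automated on Android. The following script is an added example and is not part of this guide: it parses the "runtime permissions" section of the output of `adb shell dumpsys package` and lists, per app, the granted permissions that touch sensitive data. The sample output embedded below is constructed for illustration, the layout of the real `dumpsys` output is assumed to match Android 8 and later, and the set of permissions treated as sensitive is a choice made for this example, not an official list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of `adb shell dumpsys package` (assumption:
# Android 8+ layout; real output contains many more fields per package).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    userId=10231
    requested permissions:
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
  Package [com.example.bank] (4d5e6f):
    userId=10240
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
"""

# Permissions this example treats as sensitive (illustrative selection; the
# SMS entries matter because a TAN sent by SMS could be read by such an app).
SENSITIVE: Dict[str, str] = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_PHONE_STATE": "telephone status",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted_permissions(dump: str) -> Dict[str, List[str]]:
    """Map package name -> runtime permissions whose state is granted=true.

    Only the "runtime permissions:" block counts; "install permissions:" are
    granted automatically at install time and cannot be revoked by the user.
    """
    result: Dict[str, List[str]] = {}
    current = None
    in_runtime = False
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = []
            in_runtime = False
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # Track which permission block we are in for the current package.
            in_runtime = stripped == "runtime permissions:"
            continue
        perm = PERM_RE.match(line)
        if perm and in_runtime and current is not None and perm.group(2) == "true":
            result[current].append(perm.group(1))
    return result


def flag_sensitive(granted: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Keep only granted permissions that appear in SENSITIVE, with a label."""
    return {
        pkg: [(p, SENSITIVE[p]) for p in perms if p in SENSITIVE]
        for pkg, perms in granted.items()
    }


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then read that file.
    for pkg, hits in flag_sensitive(parse_granted_permissions(SAMPLE_DUMPSYS)).items():
        if hits:
            print(pkg, "->", ", ".join(f"{label} ({perm})" for perm, label in hits))
```

Run against a dump from your own device, the output is a short list of apps to review: for each one, ask whether the app's purpose actually requires that data and, if not, revoke the permission in the Android settings.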
Loss and theft are much bigger risks with mobile devices than they are with home PCs. You should therefore ensure that the security settings on your device are actually activated. Always activate your screen lock using a code, password, fingerprint or face recognition. You should also encrypt the data on your mobile device. This prevents unauthorised persons from accessing your data and apps via a USB cable.
iPhone / iPad: Under Settings/User/Password and Security you can protect your device using a number code or password. Under Settings/Touch ID and Codes, you can register fingerprints and protect your device that way. With the iPhone X, you can configure face recognition under Settings/Face ID and Code. Data are automatically stored in encrypted form on an iPhone or iPad.
Android: Depending on your device, you can set a code lock under Settings/Security. You should also activate the encryption of your data under Encryption.
You should never save any access data such as your PIN, TAN or passwords on your mobile device. Unfortunately, even a device secured as per rule 3 above does not provide 100% protection against hackers. You should therefore also deactivate automatic storage of passwords in your browser and in the app store, as well as any back-up of such data to the Cloud. An automatic Cloud back-up is convenient, but should not include any confidential information. Other data, such as photos, should however be regularly backed up via your PC/Mac or a Cloud service so you won't lose them in case your device is lost or affected by malware.
Your smartphone or tablet can connect to your financial institution or to other devices in various ways: Wi-Fi or WLAN, NFC, Bluetooth, infrared, 3G/4G/5G, USB etc. Deactivate any connection types you don't need while e-banking. Also switch off your GPS function. Use WPA2 or WPA3 encryption on a WLAN. Deactivate the "automatic call acceptance" setting, since this could be abused to establish a connection unnoticed.
The following applies to USB: only connect your mobile device to trustworthy computers, since malware can also be transmitted that way. Likewise, do not accept any connection request if it is not clear which device is trying to connect to yours.
With Android devices, you can also set up a firewall app to monitor and secure active connections.
Install any available updates for your operating system and all installed apps as soon as possible. Activate the automatic update feature. Important: updates can also change or expand an app's access privileges (see rule 2). Install an antivirus app on your Android device (with iPhone and iPad, this is not necessary). In no case should you ever jailbreak your iOS device.
If you connect your mobile device to a PC/Mac (e. g. via iTunes), this should of course also be kept up to date and clean (see "5 steps for your security").
All current e-banking applications use two different security factors nowadays. If you do your mobile banking with the mTAN or PhotoTAN procedure, remember the following: when the TAN is received or displayed on the same device you use for e-banking, the security advantage of two independent communication channels is lost! In this case, you should use a separate device specifically for this purpose (e. g. an old smartphone or a dedicated TAN device provided by your bank).
Always keep an eye on your device. Make sure that you don't communicate your access data such as PIN, TAN and passwords to anyone, that you cover up your data when entering them, and that no-one is looking over your shoulder. Be careful when opening e-mails, attachments, messenger communications (e. g. WhatsApp) or MMS. Malware can also be spread via MMS and WhatsApp. Don't click on any unknown links, and always delete messages from unknown senders immediately. Check unknown telephone numbers before calling back.
Check unexpected e-mails or unusual behaviour of your e-banking app with your financial institution or the relevant person or company. Remember the rules of conduct to prevent phishing attacks – these also apply to mobile users!
If your device is lost or stolen, several apps allow you to block it remotely and have your personal data deleted so that they can no longer be accessed. But beware: such remote commands could also be exploited by a malicious third party, so make sure that you obtain such apps from a trustworthy provider, too. Once you have blocked your device, you should also ask your provider to block your SIM card.
Apple or SRF (German language). You should of course also remove the SIM card and, unless you would like to reuse it, destroy that as well.