You’ve changed your computer passwords and you stay away from dodgy Wi-Fi hotspots. But hackers have found a new way to access your online banking accounts — and it’s on the rise across America.
Hackers are accessing smartphone users’ bank accounts through an increasingly inventive array of malware attacks, ranging from text messages to gaming apps.
As many as 3 percent of Android users have encountered a mobile threat in the past year, said Mike Murray, vice president of security at Lookout, a mobile app security firm. “While that number may seem relatively low, consider a business with 1,000 employees who use their phones for work and personal matters. That means 30 of them are potentially exposing the business to a threat, making this an even more serious problem.”
An estimated 43 percent of smartphone users who have a bank account used some form of mobile banking, according to the most recent Federal Reserve Consumers and Mobile Financial Services report covering 2015. And yet: "I know almost no one who has security software on their phone," Murray told NBC News.
Of the 781 data breaches tracked in the United States last year, 71 were banking-related, according to the Identity Theft Resource Center. Though that might appear to be a fairly low incidence, it is double what was reported the previous year.
People just aren't taking the same precautions to secure their phones that they would with their computers, leaving them in a vulnerable position, said Murray.
New Names, Old Tricks
Hackers' tricks turn up in places you wouldn't expect, such as the Black Jack Free App in the Google Play store.
While the app, which has since been removed, promoted a fun game, Lookout found it had a hidden agenda.
"Apps from this malware family silently download a secondary app that displays overlay windows over legitimate banking apps and some other popular apps such as Facebook and Skype to trick people into entering their online banking credentials and credit card information," a Lookout blog post explained in May.
In another instance, a security researcher in Sweden found that just a few lines of code exposed a vulnerability that could have allowed a bad actor to steal as much as $25 billion from an Indian bank, according to Motherboard.
While banks in the United States all have levels of fraud protection, a digital heist can create a major headache and even raise questions of liability if a phishing attack is used, said Alex Rice, founder of HackerOne, a bug bounty firm.
One common phishing tactic involves posing as a company and sending a user to a site that appears legitimate, prompting them to enter their account credentials.
"Anytime someone is asking you to do something online or take an action, you should be extremely skeptical," Rice told NBC News.
Trading the Password for a Selfie
As hackers continue to repackage the same tricks and find new vulnerabilities to exploit, one company is trading passwords for selfies.
"It takes half a second. You would hold the phone the ordinary way and you would take a selfie. If it is really you, you are logged in," Chris Barnett, executive vice president of sales and marketing at EyeVerify, told NBC News.
The selfie technology has about 1 in 50,000 odds of not letting the right person in or being fooled, Barnett said. “If I left my phone at a football game, everyone at the stadium would have to try it," Barnett said, noting that this method addresses something he calls "password pain."
"When I am on a mobile device, I have to use my thumbs to type the password, and most password managers don’t work in apps," he said. "Speed and convenience is also so much more important on mobile."
Three Things You Can Do Now to Stay Safe
The experts NBC News talked to all agreed that mobile banking is a convenience we should continue to enjoy. However, they noted it's crucial to take a proactive approach to your security.
Robert Siciliano, CEO of IDTheftSecurity.com, recommends people stay vigilant by asking their bank or credit card company to alert them any time a transaction is completed that is above a certain amount.
"They all provide some level of notification in regards to transactions," he said. "You can get a text, an email every time there is a charge, withdrawal, deposit — these are all options. I think that is such a great thing so you can know if something is happening in real time."
The second action experts recommend is making sure you are running the latest version of any apps, and that your operating system is up to date. This will ensure you're working with the most secure versions available.
The final action is one Murray of Lookout says most people haven't done: Download an anti-virus app on your smartphone.