Mobile Banking Security FAQs
What is Mobile Banking?
Mobile Banking allows you to perform everyday banking functions through the convenience of your mobile device. You can access your account balances, review your most recent account activity, make a transfer, pay bills, and even get alerted on your account activity even when you are not on a computer. Used in combination, Mobile Banking and Mobile Alerts can provide enhanced service and security.
Mobile Banking can be used in two different modes:
- Mobile Text/SMS Banking: Using Short Message Service (SMS), our Mobile Text/SMS Banking service enables you to retrieve information about your bank accounts from a mobile device using text message commands.
- Mobile Web/Mobile Application Banking: Using your mobile device’s data connection, these services provide you with a friendlier Mobile Banking interface. To access our Mobile Web/Mobile Application Banking service, you will be required to use your User ID and Password. If you are signing in for the first time on a device, you will also be required to answer some additional authentication questions that were established when you enrolled for the service.
How secure is Mobile Banking?
According to many analysts, Mobile Banking can be more secure than Online Banking simply because of the controlled nature of a mobile network. The strict protocols for sending and receiving text messages, the ability of a customer to protect a mobile device with a PIN or password, the number of different devices that are Text/SMS-capable, and the layers within the mobile network infrastructure all contribute to very high costs for malware writers or those with fraudulent intent. The largest weakness actually exists on the side of the end user. These Security FAQs help you understand those weaknesses and learn what you can do to protect yourself.
Below is a summary of strengths and weaknesses as described by Javelin*:
Strengths:
- Always present with customer
- Can be used as an authentication factor
- A PIN or Password can be used to lock the mobile device
- One-time passwords (OTP) can be generated on the mobile device
- Mobile Operating System (OS): No dominant OS means malware is less likely
- Steep hardware costs required for attacks
Weaknesses:
- May store username, password, and personal data
- Most PIN/Password locks are not enabled by default; users must activate them
- Not all mobile devices have the processor and memory required for OTP generation
- Mobile Operating System (OS): No dominant OS means it is harder to obtain anti-malware software
*Javelin: The State of Mobile Security in Banking and Financial Transactions (September 2009, www.bankinfosecurity.com)
Texting and Mobile Phone Phishing Scams
Posing as a real Financial Institution (FI), phishers can try to use SMS as an alternative to e-mail, to attempt to gain access to confidential account information. Known as “SMiShing,” the typical scam informs the mobile phone user that the person’s bank account has been compromised or credit card/ATM card has been deactivated. The potential victim is directed to call a number or go to a “spoofed” Web site to reactivate the card. Once on the site, or through an automated phone system, the victim is asked for card and account numbers and PIN numbers.
What happens to my confidential account information?
Mobile Text/SMS Banking does not send confidential account numbers or Social Security Numbers, either to or from your mobile device. Just as is the case with ATM receipts, full account numbers are never displayed in Mobile Banking.
Hint: For your protection, we require the use of account nicknames. The nicknames you select for use in the Service should not include any digits from your account numbers. The use of account nicknames to request account information and receive account information can help ensure that account information required in order to effect a fraud is not available within the Service.
Hint: We encourage you to delete text messages when sent or received for Mobile Banking purposes. Unless you have arranged to lock your device with a PIN or Password, any Text/SMS messages may be viewed by any person who is using your device, unless you have deleted them.
Mobile Web/Mobile Application Banking uses encryption to keep your information secure and confidential. Mobile Banking does not store full account numbers, your Password, e-mail address, or mobile number, on your mobile device.
What information do you store on my mobile device?
With Mobile Text/SMS Banking, the only information “stored” on your mobile device is old text messages. These messages do not contain any information that, standing alone, would be sufficient to effect a fraud. But old messages might have account balances in them (like an ATM receipt). As mentioned previously, we use account nicknames to communicate. You may include an account nickname in a command to request information or make a transaction using a specific account, and we respond with account nicknames when communicating back to you. We encourage you to delete your Text/SMS messages after you read them, just as you would destroy an ATM receipt.
With Mobile Web/Mobile Application Banking, the information stored on your mobile device does not contain your full account number.
Hint: You should not use your mobile device’s notepad or address book to store your login password(s)!
Is banking information on my mobile device “encrypted”? Why is that important?
Encryption is used in our Mobile Web/Mobile Application Banking to scramble the information sent to and from your mobile device to prevent the risk of a third party “listening” in and getting your information (just as we do for our Online Banking service).
With Mobile Text/SMS Banking, your messages are not encrypted on the mobile device itself. That’s why Mobile Text/SMS Banking doesn’t send any full account numbers to or from your mobile device, nor does it store confidential account numbers on your mobile device. We do encourage you to delete Text/SMS messages sent or received using our mobile banking service at the time they are sent or received.
Can I get a computer virus from Mobile Banking?
No. With Mobile Text/SMS Banking, the text message cannot be a virus. Mobile Web/Mobile Application Banking employs special security features, including digital signing, to ensure that there has been no tampering with any “pages” sent to or from your mobile device.
- Save UMB’s short code (50106) in your address book as a Contact, so that when you receive a Text/SMS message from us, you will know immediately that UMB has sent you a communication.
- Make sure you know who has sent you any message – if in doubt, delete it.
- Never click on any links if you are not sure of the sender.
Never send any confidential information to anyone – the bank will never ask you to “go here and fill in this information” or “please send us this information.” The bank will also never ask you to respond with your password unless you are signing into one of our applications. Never respond to a request for your password, and alert us immediately at 888-782-4325 should you receive a message requesting your password or any other confidential information. You may contact us Monday through Friday, 8 a.m. to 10 p.m. or on Saturday from 8 a.m. to 5 p.m.
Is mobile banking more secure than my debit card or credit card?
In some ways, your mobile device could be considered more secure, because it is doubtful that someone will use your mobile device without you knowing about it, unlike a debit or credit card. Studies have determined that people are likely to know that their mobile device is missing in as little as 18 minutes, which means that there is very little time to use it for fraudulent purposes. In contrast, studies have shown that it can take 36 hours before a person notices that he is missing a credit or debit card.
Is mobile banking more secure than online banking?
Mobile banking can be safer than doing online banking from a public computer, which may have software installed that could capture your login information and could be used later to commit fraud.
What happens if I lose my mobile device?
As you would normally do, contact your mobile plan carrier and ask them to suspend your service. Next, contact UMB at 888-782-4325 to have us suspend your mobile banking service. You may contact us Monday through Friday, 8 a.m. to 10 p.m. or on Saturday from 8 a.m. to 5 p.m. We do not store your full account numbers, Password, e-mail address, or mobile number on the mobile device.
Hint: You should NOT store confidential information on your mobile device at any time. Do not store passwords or PIN numbers on your mobile device. For extra security you can enable the “LOCK” feature on your mobile device.
What if someone else tries to use my mobile banking service?
It would have to happen very quickly. On average, a person knows that his or her mobile device is missing within 18 minutes (it is typically 36 hours for a credit card).
UMB does not store full account numbers, passwords, or log-in information on mobile devices, nor do we recommend that customers do so. Moreover, your mobile device would have to be in an “unlocked” state for the other person to be able to access any information.
If you are using Mobile Text/SMS Banking AND if the other person knew where you banked AND knew UMB’s short code number, they could conceivably check your balance, transfer money from one of YOUR accounts to another of YOUR accounts (see the next item), or pay a Payee that you have set up within our Online Banking service. We do not allow Payees to be added using our Mobile Banking service.
For extra privacy, simply “lock” your mobile device and regularly delete your text messages sent and received using Mobile Text/SMS Banking.
If you are using Mobile Web/Mobile Application Banking, the other person would have to know your user name and password. Never share this information with anyone. Do NOT store your password(s) on your mobile device.
Can my friend pick up my mobile device and get my bank balance?
Maybe. If you have UMB’s short code (the number to contact the bank) stored in your address book, or the person also has Mobile Text/SMS Banking with UMB, it is conceivable that that person could check your balance, transfer money from one of your accounts to another of your accounts, or pay a Payee that you have established within our Online Banking service. For your protection, we do not allow for Payees to be added through our Mobile Banking service.
Hint: You can use our alerts feature to send you a message when money is transferred from your account or you have paid a bill. You could also have Alerts sent to a second mobile device or an e-mail address to make you aware of such events as they occur.
If you are using Mobile Web/Mobile Application Banking, then an unauthorized person would need to know your user name and password. Do NOT store this information on your mobile device.
What if I replace my lost mobile device or upgrade to a new one?
If you lose your mobile device, you will need to contact the mobile service carrier and UMB at 888-782-4325. You may contact us Monday through Friday, 8 a.m. to 10 p.m. or on Saturday from 8 a.m. to 5 p.m. You may also use the Manage Mobile link within Online Banking to remove the mobile number associated with the device that has been lost as well as deactivate any alert for which you have enrolled using that device. Your mobile device number and your mobile access will be suspended until you notify us to have your mobile device number reinstated, or reinstate the mobile number through Manage Mobile. Either way, you will be required to re-verify your mobile device number to ensure that the device associated with the mobile number you provide is in your possession.
If you simply upgrade or change your mobile device (and you keep the same telephone number and mobile carrier), nothing needs to be done.
What happens if I change my mobile device telephone number?
As a security precaution, you will not be able to get alerts or use Mobile Text/SMS Banking until you re-verify your mobile device number either using the Manage Mobile link within Online Banking or by contacting us at 888-782-4325. You may contact us Monday through Friday, 8 a.m. to 10 p.m. or on Saturday from 8 a.m. to 5 p.m.
What happens if I change my mobile device plan with the same mobile carrier?
As long as your mobile device telephone number stays the same, no action is required to continue your Mobile Banking service.
What happens if I change carriers, but keep my mobile device telephone number?
Your mobile device telephone number will be disconnected by your old carrier and they will automatically notify the entire telephone network that your number is disconnected. This automatic process can result in your mobile banking service being blocked as a security precaution. Once you are connected with your new carrier, you will need to re-verify your mobile device number for mobile banking to work. You may do so by using the Manage Mobile link within Online Banking or by contacting us at 888-782-4325. You may contact us Monday through Friday, 8 a.m. to 10 p.m. or on Saturday from 8 a.m. to 5 p.m.
Do I need a special type of mobile device?
Almost every mobile device in the market today supports text messaging (SMS). For Mobile Text/SMS Banking, you might need to have text messaging enabled on your mobile device plan. You should contact your mobile carrier for additional information around the text message plans that they have available. For Mobile Web/Mobile Application Banking, your mobile device would have to support Web browsing, which usually requires a “data” plan as part of your service. You should contact your mobile carrier for additional information regarding its data plans.
Will this cost me more money?
For Mobile Text/SMS Banking, it may cost you more money depending on the text message plan you have established with your mobile carrier. You should contact your mobile carrier and determine which text message plans are available and which best suits your text messaging needs. For Mobile Web/Mobile Application Banking, you need to have a data plan, which may also cost you money. A data plan allows you to browse the Internet using your mobile device and will allow you to use services like our Mobile Web/Mobile Application Banking. If interested, you should check with your mobile carrier and determine which data plans they have available and which is best for your mobile needs.
Can I use Mobile Banking when I am traveling and “roam” to different carriers?
Yes, but you should check to see if there are roaming charges for the type of plan you have with your mobile carrier. Please refer to our Mobile Banking Travel FAQs for additional information on how traveling will affect your Mobile Banking service.
A common smishing practice is an SMS text message telling recipients that their debit card has been deactivated, and that they should call the given number to reactivate the card.
A real-life example:
Commercial Bank of Texas
Alert: Your card has been deactivated.
Please contact us at: (936)622-6016 to reactivate your card.
However, the text messages did not come from the Commercial Bank of Texas and it wasn’t the bank waiting at the other end of that phone line. Instead, calling the number resulted in bank customers hearing an automated voice asking them for their account details. Typically, when you call the number given, you are asked to “verify” (give them) your sensitive information such as credit card number, account number, expiration date, your Social Security Number, Bank Account Number and pass code.
Some people may be fooled into doing this, believing that it was the bank confirming their identity rather than an elaborate scam to steal information. Always note the “from” telephone number. It should always be our short code of 50106 if UMB is responsible for sending the message.
Hint: We recommend that you save UMB’s short code in your address book as a Contact, as the contact name that you assign will always come up on your mobile device.
If you receive a text message that asks for sensitive information:
- Do not reply to the message.
- Do not click on any of the links that may be embedded in the message.
- Delete the message.
- Contact UMB immediately so that we may determine if the request is legitimate.
Always call UMB at a known number if you are unsure of any message you receive. You may contact us at 888-782-4325. Our hours of operation are Monday through Friday, 8 a.m. to 10 p.m. or on Saturday from 8 a.m. to 5 p.m.
What other kinds of security risks should I know about?
Being aware of the more frequently attempted types of fraud is a good way to protect yourself and ensure the security of your confidential information. Since most mobile devices lack a personal firewall, anti-virus software and other protections common on personal computers, these devices can be vulnerable to a variety of security threats. Understanding what they are and how they work is the first step in ensuring your mobile device is secure.
Terms you should be familiar with:
- Malware: A term for “malicious software” that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system, or otherwise annoying or disrupting the victim.
- Spoofing: A fraudulent process in which a person or program masquerades as another in order to acquire sensitive personal information, such as usernames, passwords, and credit card details. Examples of spoofing include phishing, SMiShing, and vishing, discussed below.
- Phishing: Luring unsuspecting customers to provide sensitive personal information or download malware through an e-mail. Popular scams include phishing e-mails that appear to be coming from an FI and contain a link to a spoofed Web site. The site tricks victims into logging in using their personal credentials, which are then captured by the criminal.
- SMiShing: A contraction of “SMS and phishing,” in which criminals pose as an FI and use SMS in an attempt to gain access to confidential account information. The typical scam informs the mobile device owner that the person’s account was compromised or credit/ATM card was deactivated. The victim is directed to call a phone number or visit a spoofed Web site to reactivate the card. Once at the Web site or through an automated phone system, the victim is asked for card, PIN, and/or account numbers.
- Vishing: A contraction of “voice and phishing,” in which victims are tricked into disclosing sensitive personal information through a phone call.
- Hijacking: A type of network security attack in which the attacker takes control of a communication between two entities, masquerading as one of them.
- Man-in-the-Middle Attack: An attack in which the attacker positions himself between the FI and customer with the intent to intercept and alter passwords or sensitive information passing between them.
- Replay Attack: An attack in which a mobile Web session is captured and then replayed later by an attacker in an attempt to fool a computer into granting access.
Although all that may sound scary, there are many things UMB does on your behalf and that you can do to greatly minimize any perceived risks.
- Customer Education: We teach our current and potential customers about identity theft and fraud threats, instruct them on how they should protect their credentials, and recommend guidelines to ensure a secure mobile banking experience.
- Business Controls: We implement proper security policies and procedures, fraud identification and tracking systems, investigative programs, and customer-facing programs such as identity theft prevention services—based on an ongoing risk analysis.
- Real-Time Notifications: We deputize our customers in the fight against fraud and identity theft by offering real-time alerts, which will empower them to quickly spot suspicious transactions or account activities and immediately.
- Multi-Layered Technical Controls: We employ multiple layers of security to protect both UMB’s customers and our IT infrastructure. We work constantly to monitor and enhance the security of the hardware and software that comprise the end-to-end network stack and the interactions between UMB and our customers.
How do I avoid potential attacks against my Mobile Banking service and better protect myself?
There are many easy ways you can help protect the security of your Mobile Banking service, in addition to the security practices UMB Bank automatically provides.
Below are the most common security tips for consumers with regard to both your mobile device and Mobile Banking:
- Use your device’s power-on password feature, if available. Do not configure auto-login.
- Never share your private information (User ID, Password, PIN, etc.) with anyone.
- You should never need to enter your Password or PIN unless you are absolutely sure you are speaking with UMB.
- Don’t save private/confidential information on your mobile device.
- Immediately report the loss or theft of your mobile device to BOTH UMB and your mobile carrier.
- Save mobile links as bookmarks to avoid mistyping the URL.
- Before downloading any applications to your device, check UMB’s website to learn about our mobile offerings and secure download site locations.
- Add UMB’s short code to your device’s contact list with a distinctive name, so that you will recognize that incoming messages are from UMB and not spoofed. For example, instead of 50106 equaling UMB, make 50106 equal to Joe’s Bank, or even better, use something unrelated like 50106 equal to Cousin Claire. This helps distinguish between unsolicited messages or a forged caller-ID, and helps you mask our short code from others who may have access to your mobile device.
- Use account nicknames instead of account numbers (for example, SAV instead of 7071-12594).
- Do not include any digits from your account numbers in nicknames.
- Never enter your credit card numbers, Password, or account numbers into a 1-800 type automated voice number you have been asked to call or do not recognize.
Most importantly, if you are ever unsure if there is an issue with your account or suspect an SMS isn’t valid, call UMB directly at 888-782-4325. Our hours of operation are Monday through Friday, 8 a.m. to 10 p.m. or on Saturday from 8 a.m. to 5 p.m.