Last week, a popular Twitter user was shocked to receive a message notifying her that she’d changed the number linked to her mobile money app. The scary bit was that she didn’t initiate this change.
It was done remotely by someone unknown to her. Had she not been quick to notify her mobile money provider, her mobile money account would likely have been wiped clean.
This is not the first time something like this has happened. Every few days, you’ll find someone on the internet complaining about money stolen from their mobile money and banking apps, despite them having their phones with them at all times.
The risk of helplessly watching transaction notifications stream in as someone clears your accounts has become so big that some Kenyans are ditching mobile banking apps altogether.
With such risks, is there something you can do to keep your money safe? Should you even set up mobile banking in the first place?
Below, we explore seven tips on how to protect your money, but before that, let’s take a minute to understand the safety or lack thereof of mobile banking.
Over the last decade, mobile banking has become immensely popular, largely due to its convenience. I can’t recall the last time I set foot inside a banking hall, yet I routinely make transactions from my various bank accounts, all from the comfort of my couch.
With this convenience, however, comes significant risk. When you transact from your mobile device, your account and transaction details must travel between your phone and your mobile money provider’s servers.
This creates a potential loophole. If someone intercepts this data as it moves from your device to the financial institution, they could gain information about your account that they can use to access the account and transfer money.
Banking institutions and mobile money providers are aware of these risks, which is why they take precautions to protect your money. These include requiring a PIN to authorize transactions, using two-factor authentication to verify your identity, encrypting all communications from mobile banking apps, behavior tracking, and so on.
This means that mobile banking is generally very safe. However, the 2021 State of Mobile Finance App Security report shows that 77% of mobile banking apps have security vulnerabilities that could compromise the security of your financial information.
If you want to keep enjoying the convenience of mobile banking while keeping your money safe, you have to take extra precautions. Here are some tips that you can use to protect your mobile banking apps.
One way scammers can easily get your account details is by creating fake banking apps that look like legitimate ones. When you enter your login details, the criminals behind the app get your details, which they then use to access your account and steal your money.
To ensure you’re downloading the official app, never download a mobile banking app you’ve found by searching on Google or any other open forum. Instead, go to the bank’s official website and download the mobile app from there, either directly or by following a link the bank itself has provided.
Many people use their birthdays, school admission numbers, and other similar numbers as their mobile money personal identification numbers (PINs). While these numbers are easy to remember (ensuring that you won’t get locked out of your account), they are also easy for others to guess.
Think about it this way. You probably have your birth year on one of your social media accounts. Some of your former schoolmates know your school admission number. If anyone with access to these details wanted to hack into your mobile money accounts, these are the first numbers they’d try.
To make things harder for hackers, use a PIN that cannot be easily associated with you. You should also avoid number sequences, such as 1234, 5678, and so on. The same applies to repetitive numbers, such as 0000 or 5555. The harder it is for someone to guess your PIN, the safer your money is.
Additionally, avoid using the same PIN for all your mobile money accounts. This way, even if someone gains access to one of your accounts, the money in the other accounts is still safe.
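The PIN rules above can be written as a simple check. The following is an added example, not code from this article or from any bank or mobile money provider; the function name, its parameters and the sample values are hypothetical and constructed for illustration.

```python
from datetime import date

def pin_weaknesses(pin, birth_date=None, personal_numbers=(), other_pins=()):
    """Return the reasons a PIN is easy to guess; an empty list means none found.

    All names here are hypothetical, for illustration only.
    """
    if not (pin.isascii() and pin.isdigit() and len(pin) >= 4):
        return ["not a numeric PIN of 4 or more digits"]
    reasons = []
    # Repetitive numbers such as 0000 or 5555.
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    # Number sequences such as 1234 or 5678, and the same run backwards (4321).
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("number sequence")
    # Birthday written the ways people usually turn it into a PIN.
    if birth_date is not None:
        d, m, y = (f"{birth_date.day:02d}", f"{birth_date.month:02d}",
                   f"{birth_date.year:04d}")
        if pin in {y, d + m, m + d, d + m + y[2:], m + d + y[2:], d + m + y}:
            reasons.append("matches birthday")
    # Numbers other people know, e.g. a school admission number or phone number.
    if any(pin in str(n) for n in personal_numbers):
        reasons.append("part of a personal number")
    # The same PIN protecting another mobile money account.
    if pin in other_pins:
        reasons.append("reused on another account")
    return reasons

if __name__ == "__main__":
    # Constructed sample data, not real account details.
    born = date(1990, 3, 14)
    for candidate in ("1234", "5555", "1990", "1403", "7341", "8205"):
        found = pin_weaknesses(candidate, born, ["7341"], ["6029"])
        print(candidate, found or "no obvious weakness")
```

An empty result only means none of these patterns matched; it does not prove the PIN is strong.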
If your mobile banking app offers two-factor authentication (2FA), ensure you’ve set it up for your account. This adds a layer of security to your account by requiring you to enter a one-time PIN (OTP) sent to your phone or email in addition to the login PIN or password. Even if someone gets their hands on your PIN, they still can’t log into your account or initiate transactions without access to the phone or email that receives the OTP.
Many mobile banking apps require internet access to log into your account and make transactions. When you need to make transactions in places like cafes, malls, and the like, it can be very tempting to use the public Wi-Fi hotspots provided in such places.
While public Wi-Fi keeps you connected while you’re out and about, it’s not very secure. Sometimes, public Wi-Fi networks do not encrypt your data before transmission, leaving you vulnerable to anyone snooping on the network.
Hackers can also easily position themselves between you and the Wi-Fi network in what is known as a man-in-the-middle attack, allowing them to intercept your data before it gets to your bank’s servers. In some cases, the public Wi-Fi network could be a malicious hotspot created by someone looking to steal your data.
To avoid these risks, do not use your mobile banking apps while connected to public Wi-Fi networks. If you need to transact while away from your trusted home network, always use mobile data from your network provider.
Phishing is one of the most common tactics scammers use to find out your mobile banking PINs and details. They’ll either send you an email or text message pretending to be agents from your bank or mobile money provider and ask you to log in to your account to fix some “issue.” The message will often be accompanied by a URL where you can log in. If you click the link and enter your login details, you’ll have exposed these details to scammers.
Alternatively, the scammers will call you and deliver the same message – that there is some issue with your account that needs fixing. In this case, however, they’ll instruct you to key in some codes on your phone to fix the issue. If you do this, you’ll be shocked to discover you’ve transferred all your money to some unknown person.
So, how do you avoid phishing and other social engineering scams?
The key is to be very vigilant. If you receive an email or text message that looks like it’s from your mobile money provider, don’t take it at face value. Check the sender’s address and confirm whether it is your bank's official address. If you’re in doubt, ignore the text message or email and reach out to your bank through its official channels.
Similarly, if someone purporting to represent your bank calls you, don’t key in any codes on your phone or provide any information about you or your account. If you really have reason to believe there is an issue with your account, hang up and reach out to the bank through its official channels or visit the nearest physical branch.
Most banks and mobile money providers allow you to sign up for alerts whenever various actions occur on your account, such as credits and debits, personal information updates, and password changes.
Such alerts quickly inform you when suspicious activity occurs on your account, allowing you to take action before the thieves do any significant damage. If you receive any alerts about actions you haven’t initiated yourself, change your mobile banking PIN immediately and notify your bank or mobile money provider about the suspicious activity.
Another common tactic fraudsters use is swapping the victim’s SIM card. Here, the fraudsters replace your mobile SIM card with a SIM card under their control, thus taking over your communications. They then use the new SIM card to either access your mobile money accounts or access OTPs sent to your mobile number by your bank.
Setting up SIM swap protection is the best way to protect yourself from SIM swap fraud. For instance, Safaricom recently introduced a service that only lets you replace your SIM card by visiting one of their shops in person. To self-whitelist from SIM swap on this network, simply dial *100*100#OK. This blocks any SIM swap attempts by fraudsters since they can’t do the swap remotely.
Accessing your money doesn’t need to be a tough choice between convenience and security. With these tips, you can still enjoy the convenience that comes with mobile banking without constantly worrying that someone will steal your hard-earned money at any moment.