Online Banking and Mobile Security
There has recently been a strong trend towards forcing the use of a modern mobile phone for authenticating to online banking.
I’ve been rather cautious about this, and currently use a dedicated “TAN generator” device which my bank reluctantly offers as an alternative. The principal problems I have with using an application on a phone as an authentication mechanism are:
- a phone typically has many other apps installed on it, and
- phone operating systems have security holes (e.g. Android and iPhone)
However, it appears that things are improving in this area, at least with the Android mobile OS: Android’s Trusted Execution Environment, the StrongBox API, and phones with embedded security chips (e.g. Google’s Pixel 3) make rogue apps (even with root-level access) far less of a problem.
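As an added illustration (not code from this post or from any bank’s app), this is roughly how a banking app pins its authentication key to the phone’s secure hardware with the Android Keystore: it requests a StrongBox-backed key, falls back to the TEE when no security chip is present, verifies that the keystore really reports hardware backing, and signs a server challenge without the private key ever entering app memory. The key alias and the challenge bytes are hypothetical placeholders; a real app would run signChallenge inside a BiometricPrompt flow, since the key is usable only after user authentication.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public final class BankAuthKey {
    private static final String ALIAS = "example_bank_auth_key"; // hypothetical alias
    private static final String PROVIDER = "AndroidKeyStore";

    /** Generates an EC P-256 signing key whose private half never leaves secure hardware. */
    public static void generate(byte[] attestationChallenge) throws Exception {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Key may only be used after a screen-lock / biometric unlock.
                .setUserAuthenticationRequired(true)
                // Bank-supplied nonce: the attestation chain stored with the key proves
                // to the server which hardware generated it.
                .setAttestationChallenge(attestationChallenge);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        try {
            // Ask for the dedicated security chip (Pixel 3 and later, API 28+).
            kpg.initialize(b.setIsStrongBoxBacked(true).build());
            kpg.generateKeyPair();
        } catch (StrongBoxUnavailableException e) {
            // No StrongBox on this device: fall back to the TEE-backed keystore.
            kpg.initialize(b.setIsStrongBoxBacked(false).build());
            kpg.generateKeyPair();
        }
    }

    /** True only if the keystore reports the key and its auth requirement live in secure hardware. */
    public static boolean isHardwareBacked() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        KeyInfo info = KeyFactory.getInstance(key.getAlgorithm(), PROVIDER).getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware()
                && info.isUserAuthenticationRequirementEnforcedBySecureHardware();
    }

    /** Signs a server challenge; the app only ever holds a handle, not the key bytes. */
    public static byte[] signChallenge(byte[] challenge) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(ALIAS, null)); // wrap in BiometricPrompt.CryptoObject first
        sig.update(challenge);
        return sig.sign();
    }
}
```

A rooted or malicious app can still drive the UI or phish the user, which is why the key also requires fresh user authentication rather than just hardware residency.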
Update 2019-12-07: Android vulnerability used to drain bank accounts