Fake financial apps raise fears of e-banking accidents

Posted March 20, 2012 05:19

Fake mobile banking apps are being used online and in transactions. Experts warn that fake apps can be used as phishing tools to steal personal data or transfer money to other bank accounts, yet financial institutions have done little to combat this.

The Dong-A Ilbo obtained access to financial service apps through smartphones by Nonghyup Bank customers, according to whom a daily average of 700 cases of access to banking systems through fake apps has been reported.

A Nonghyup source said, "To prevent access to fake apps, we counted the number of access attempts to fake apps from early this year and found that the daily average access attempts increased from 600 to 700," adding, "We recently built a system that blocks access from fake apps."

Other commercial banks are assumed to have been exposed to the same danger, but they lack information on the current state of such access.

Certain people use fake apps for financial transactions because they use "jailbroken" phones, or smartphones modified to run faster or to download premium apps for free. Commercial banks block financial transactions made with these phones.

A survey conducted by the Korea Copyright Commission late last year found that 10 percent of smartphone users have experience with jailbreaking. Smartphone industry sources assume more people are using such jailbroken phones.

Fake financial apps can be found easily on the Internet. Entering phrases like "How can I use a bank's app with an Android phone" into a Web portal site turns up dozens of forged files and usage instructions. By using these apps, a person can access a banking system through a roundabout route that avoids security firewalls. Without having to forge an app, financial transactions can also be done by using an app that others have made.

The problem is that a serious financial accident can occur if the fake app contains a deliberately planted command. Though no such case has been reported, a person could transfer money to another account or change the transfer amount ceiling. The phone could also be turned into a zombie phone that gathers personal information, including IDs, bank account numbers and passwords, or that follows a special command.

Against this backdrop, regulations on electronic financial supervision were revised in October last year to force financial institutions to guard against fake apps by April 10 this year. The regulations came after the number of smartphone mobile banking users surpassed 10 million last year, but banks have yet to come up with effective protection.

A commercial bank source said, "More than enough employees are working on Internet banking security, but we lack staff who can work on mobile banking," adding, "Other banks must be in the same situation."

A professor who requested anonymity said, "Leaving the fake apps problem unresolved increases the risk of financial accidents. One way is for Google, which maintains an open policy on source code, to change its policy to require certification." Other experts say those using jailbroken phones should be allowed to use official apps. Banking system access is blocked on jailbroken phones, which leads users of these phones to seek fake apps.



kyu@donga.com