In today’s digitally-driven society, being able to access your money when you want, from any device, is no longer a luxury but a necessity. In fact, being able to quickly transfer money to your contacts or easily pay on your phone for a coffee is second nature to many consumers. These quick and easy transfer mechanisms are driving a surge in mobile banking popularity.
However, the rising demand to make payments through cashless, contactless and app-based means comes with cyber security risks, writes Michael Flossman, Lookout mobile malware analyst.
It’s critical, now more than ever, that banks and users take more care with mobile banking; otherwise that money could end up in the hands of a cyber criminal.
Cyber criminals cashing in on mobile
Smartphone banking is booming in the UK. Just last year, 20 million Brits banked on a smartphone app, equating to around 30 app transactions per second. With the option to transfer money, open new accounts, pay for items and move money around, it’s a lucrative avenue for criminals to target. Exploiting these payment methods can become a profitable channel for hackers to steal from.
But this isn’t some futuristic threat; it’s happening now. Criminals are aware of these changes, and over the last several years we have seen threat actors expand their traditionally desktop-focused arsenals to include a mobile component.
This was the case with the actors behind the successful SpyEye and Zeus desktop families, who moved on to release Spitmo and Zitmo respectively, allowing them to target mobile and remain profitable. It’s not only established cybercriminals targeting the mobile space, though; new players are entering the scene too.
Leaked source code for an earlier banking trojan known as GMBot has meant that the barrier to entry for threat actors looking to have a mobile capability is quite low. As a result, we have seen new criminals deploy mobile banking trojans like BancaMarStealer, Marcher, Cron, and MazarBot.
Surely you can spot a hack?
Unfortunately not. Many trojans trick the user by incorporating an overlay — a fake login page which mirrors what they would normally see when browsing a bank’s legitimate website or app. And these attacks are continuing to grow in sophistication, to the point that these trojans are able to identify which banking applications are on the device, or which website a user is using, so they can deploy the relevant overlay.
Visually, there is nothing to indicate to the end user that they are entering sensitive information directly into a malicious application, and once the trojans have been successfully installed on the device, they can be almost impossible to detect.
Given the risks to customers’ data, it is very clear that in a mobile-driven world, it’s now more critical than ever that cybersecurity measures are updated to include mobile.
What can banks do?
Traditionally, banks have used mobile transaction authentication numbers (mTANs) to secure mobile transactions. With mTANs, each online transaction must be accompanied by a specific token that has been sent directly to the user’s mobile device.
Many banks, especially in the West, are opting for physical, non-internet-connected two-factor authentication tokens over mTANs. The difference with this method is that it requires users to physically enter their banking card and PIN into their token, which then provides a short-lived code that is tied to the specific transaction they are making.
This will help mitigate fraudulent transactions being made from a compromised mobile phone.
Banks should also work together with mobile service providers and mobile security solution providers to offer mobile-specific security and antivirus to their customers at discounted rates, or as part of their customer loyalty schemes. Moreover, banks should be working with mobile security vendors to ensure their own apps are as secure as possible.
What about users?
Whilst banks are investing in cyber tools to reduce the likelihood of attackers breaching their services, customers must also be vigilant about the growth of these attacks. There has been an influx of applications which allow for the quick transfer of money, such as Pingit, Swish Payments, Apple Pay, Google Wallet, and even Facebook Messenger, so it is not beyond reason that we may see attackers extend their efforts to target these money-transfer apps.
Therefore, it’s important that users take ownership of protecting their personal and corporate devices to ensure the safety of their own money, as well as any business accounts associated with their device. Hackers are continuously evolving their methods, so it pays to stay ahead of the game when it comes to mobile security.
The post Mobile users can no longer afford to overlook cyber security appeared first on Payments Cards & Mobile.