The future of mobile security in banking

By Michael Flossman, Security Researcher at Lookout

What security challenges will the banking industry face over the next few years?

Michael Flossman

The use of mobile in all aspects of life is growing, from the near daily use of banking apps through to accessing work remotely, so it’s become a viable, and currently very profitable, channel that hackers can target in order to steal sensitive data. Over the last several years we have seen threat actors expand their traditionally desktop focussed arsenals to now include a mobile component. This was the case with the actors behind the successful SpyEye and Zeus desktop families who released Spitmo and Zitmo respectively. It isn’t just the established cybercriminal gangs that are breaking into the mobile space, we’re also seeing a number of new players deploy mobile banking trojans like BancaMarStealer / Marcher, Cron, and MazarBot. Leaked source code for an earlier banking trojan known as GMBot has meant that the barrier to entry for threat actors looking to have a mobile capability is quite low.

It’s now more critical than ever that banks upgrade their cybersecurity measures to include mobile, so end users are protected regardless of the channel they use to bank with.

How do these attacks work?

It tricks the user by introducing an overlay, essentially a fake login page which looks identical to what a user would see when browsing to the bank’s legitimate website or when using their official mobile application.

Once the device has been infected, the trojan is sophisticated enough to identify which banking applications are on that device, or what banking website a victim is currently viewing, and uses that information to display a corresponding overlay. Visually there is nothing to indicate to the end user that they are entering sensitive information directly into a malicious application.

Where are these attacks coming from?

These attacks are not always set up by experienced actors. Malware packages are often being sold as a service. More and more of these actors have no experience in creating these tools and instead  buy or rent them. This was very much the case with BancaMarStealer, also known as Marcher, which Lookout researchers first saw being used in Eastern Europe before being sold globally as a service. Since emerging its use has exploded and Lookout has seen it deployed in Russia, France, Germany, Austria, Poland, Spain, The Netherlands, The United Kingdom, Australia, Canada, and The United States.

What can banks do to protect customers that use mobile banking?

Mobile transactions authentication numbers (mTANs), require online transactions to be accompanied with a specific token that has been sent directly to a user’s mobile device. However, Lookout has  seen some banks in the West move away from mTANs in favour of physical non internet connected two-factor authentication tokens. These require users to physically enter their banking card and pin, which in return provides a short-lived code that is tied to the specific transaction they are making. This approach makes it more difficult for attackers to attempt to make fraudulent transactions from a compromised mobile phone. 

If banks upgrade security measures to include two-factor authentication, will consumers be free from hackers and safe to  handle their finances online?

This would definitely go a long way towards mitigating attacks and in the short term adversaries in this space would be more likely to first target customers of banks that didn’t provide these security controls. In the long term, it would force threat actors to invest in redesigning how they exploit targets in order to make fraudulent transactions and access their bank accounts. At this point in time it’s unclear what this would entail however, as we’ve seen time and time again in the security space this is a continual game of cat and mouse between attackers and defenders.

Over the last couple of years we’ve seen numerous applications being released that allow customers to quickly transfer money between one another. PingIt, Swish Payments, Apple Pay, Google Wallet, and even via Facebook Messenger are a few examples of this type of money transfer and there are a number of apps for handling cryptocurrencies. As banks continue to refine their security controls, we are expecting to see malicious actors expand their capabilities to go after these apps when they compromise a mobile device.