Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Interviews

Posted By Gbaf News

Posted on May 14, 2019

The future of mobile security in banking

By Michael Flossman, Security Researcher at Lookout

What security challenges will the banking industry face over the next few years?

Michael Flossman

Michael Flossman

The use of mobile in all aspects of life is growing, from the near daily use of banking apps through to accessing work remotely, so it’s become a viable, and currently very profitable, channel that hackers can target in order to steal sensitive data. Over the last several years we have seen threat actors expand their traditionally desktop focussed arsenals to now include a mobile component. This was the case with the actors behind the successful SpyEye and Zeus desktop families who released Spitmo and Zitmo respectively. It isn’t just the established cybercriminal gangs that are breaking into the mobile space, we’re also seeing a number of new players deploy mobile banking trojans like BancaMarStealer / Marcher, Cron, and MazarBot. Leaked source code for an earlier banking trojan known as GMBot has meant that the barrier to entry for threat actors looking to have a mobile capability is quite low.

It’s now more critical than ever that banks upgrade their cybersecurity measures to include mobile, so end users are protected regardless of the channel they use to bank with.

How do these attacks work?

It tricks the user by introducing an overlay, essentially a fake login page which looks identical to what a user would see when browsing to the bank’s legitimate website or when using their official mobile application.

Once the device has been infected, the trojan is sophisticated enough to identify which banking applications are on that device, or what banking website a victim is currently viewing, and uses that information to display a corresponding overlay. Visually there is nothing to indicate to the end user that they are entering sensitive information directly into a malicious application.

Where are these attacks coming from?

These attacks are not always set up by experienced actors. Malware packages are often being sold as a service. More and more of these actors have no experience in creating these tools and instead  buy or rent them. This was very much the case with BancaMarStealer, also known as Marcher, which Lookout researchers first saw being used in Eastern Europe before being sold globally as a service. Since emerging its use has exploded and Lookout has seen it deployed in Russia, France, Germany, Austria, Poland, Spain, The Netherlands, The United Kingdom, Australia, Canada, and The United States.

What can banks do to protect customers that use mobile banking?

Mobile transactions authentication numbers (mTANs), require online transactions to be accompanied with a specific token that has been sent directly to a user’s mobile device. However, Lookout has  seen some banks in the West move away from mTANs in favour of physical non internet connected two-factor authentication tokens. These require users to physically enter their banking card and pin, which in return provides a short-lived code that is tied to the specific transaction they are making. This approach makes it more difficult for attackers to attempt to make fraudulent transactions from a compromised mobile phone. 

If banks upgrade security measures to include two-factor authentication, will consumers be free from hackers and safe to  handle their finances online?

This would definitely go a long way towards mitigating attacks and in the short term adversaries in this space would be more likely to first target customers of banks that didn’t provide these security controls. In the long term, it would force threat actors to invest in redesigning how they exploit targets in order to make fraudulent transactions and access their bank accounts. At this point in time it’s unclear what this would entail however, as we’ve seen time and time again in the security space this is a continual game of cat and mouse between attackers and defenders.

Over the last couple of years we’ve seen numerous applications being released that allow customers to quickly transfer money between one another. PingIt, Swish Payments, Apple Pay, Google Wallet, and even via Facebook Messenger are a few examples of this type of money transfer and there are a number of apps for handling cryptocurrencies. As banks continue to refine their security controls, we are expecting to see malicious actors expand their capabilities to go after these apps when they compromise a mobile device.

Recommended for you

  • Unlocking Investment Potential: Sucor Asset Management’s Vision for the Next Generation of Investors in Indonesia

  • RBI’s Iryna Arzner Discusses the Bank’s Award-Winning CRM Transformation Strategy

  • Transforming Digital Payments and Expense Management