The Meteoric Rise of the Mobile Channel

About half the adult global population now owns a smartphone, and by 2020, an estimated 80 percent will have one. Smartphones have penetrated every facet of daily life. The average American is buried in one for over two hours every day, or glances at it 150 times a day.

But while the mobile channel now touches every market and vertical, no sector has adopted mobile technology more wholeheartedly than the financial industry. Mobile banking channel development has even become the No. 1 technology priority of North American retail banks.

In fact, mobile banking has become so important that, in a recent survey, consumers voted mobile banking availability as the most important deciding factor when choosing a bank, outranking both branch location and fees.

Cybercriminals Set Their Sights on Mobile Banking

The rapid adoption of the mobile channel by consumers has not gone unnoticed by the gangs that make their living from online fraud.

A recent report by Alcatel-Lucent Motive Security Labs shows a growth of 25 percent in the number of malware-infected devices in 2014 alone, while the antivirus company McAfee puts the total number of mobile malware samples at well over 5 million by just the third quarter of the year. These security issues aren’t all minor glitches, either: In February 2015, news reports emerged of a criminal organization dubbed the Yanbian Gang stealing millions of dollars from mobile banking customers in South Korea using fake apps.

Most alarmingly of all, IBM Security Trusteer research has found an increase in the number of mobile fraud toolkits offered for sale in underground forums. These fully loaded and ready-to-use mobile Trojans typically carry an arsenal of malicious tools able to:

  • Steal customers’ banking login credentials;
  • Intercept, forward and delete short message service (SMS) alerts and calls;
  • Inject fake messages, such as requests for login credentials and credit card information;
  • Gain administrator privilege on the device, which effectively blocks attempts to remove the malware.

Toolkits, such as the Android malware-spreading kit MazelTov recently discovered by IBM Trusteer researchers, are priced at only a few thousand dollars. Affordable prices provide an easy pathway to gangs that have historically focused on the online channel and are now looking to shift their tactics to the mobile arena.

Fortunately, most financial organizations have not seen significant mobile fraud attacks. But remember: Just because you don’t see something doesn’t mean it’s not there. The rise of online banking fraud attacks started slowly a little over a decade ago and has progressed quite rapidly ever since. The industry was unprepared, fraud was rampant and, in the U.S. and other regions, the banking regulators stepped in, forcing institutions to bolster their defenses.

The mobile channel is now in its early stages of fraud attacks, but current-day foes are much more capable and experienced than the early online banking cybercriminals ever were.

Security Is Critical to Mobile Users

Examining the present situation shows that the risk of fraud and unauthorized access in the mobile channel far exceeds direct losses. Are we waiting for something big to happen before we secure our data? Isn’t that what got online fraud to where it is today? To what extent would news of successful fraud attacks against a bank’s mobile application influence its customers’ willingness to use it? According to a recent survey by the U.S. Federal Reserve, 62 percent of customers don’t use mobile banking because of security concerns; reports of successful mobile fraud attacks would certainly increase that number. Additionally, an attack against a customer’s mobile device is bound to elicit an emotional response, given the high level of attachment to one’s smartphone.

Experience Is Paramount

While rightfully demanding that mobile banking should be secure, users are not willing to compromise their customer experience for its sake.

Online channel users have gotten accustomed to cumbersome authentication methods such as security questions, tokens and one-time passwords. However, these same users are unlikely to accept anything that would prevent them from using their mobile devices on the fly.

One unique challenge in securing mobile banking is the lack of credible out-of-band authentication such as SMS one-time passwords. A single piece of malware or a rogue app running on a device could steal the SMS as easily as it could steal login credentials.

If Banks Are Giving Customers an App, Why Not Make It More Secure?

Despite the many disadvantages banks face when looking to strike a delicate balance between mobile banking security and ease of use, they possess one key advantage: Users will download and install the mobile app. Therefore, the bank’s mobile app can be a soft target for a cybercriminal, or it can be enhanced to become a security tool that helps protect the user and the device.

For any app to become a security tool, it must not only be able to detect threats, but also establish a device ID while maintaining a frictionless customer experience. Here are a few critical aspects that secure apps must have:

  • Threat awareness. The app must be able to detect all mobile risk factors such as mobile malware, rogue applications and jailbroken devices.
  • Fast-acting intelligence. Detection must keep up with the rapid pace at which threats evolve. To achieve that, threat intelligence must be translated into actions such as restricting or blocking access from high-risk devices.
  • Strong device ID. The app must be able to provide identification of a user’s device. Such identification must be persistent over varying operating systems and version changes while being immune to tampering.
  • Seamless use. Threat awareness and a strong device ID must be transparent to the user and precise enough not to affect the customer experience of legitimate users, all while blocking unauthorized access.

While the war against fraud in the mobile channel is still in its infancy, one thing is certain: Those who prepare for it will be in a better position to win than those onlookers waiting on the sidelines.
