The Meteoric Rise of the Mobile Channel

About half the adult global population now owns a smartphone, and by 2020, an estimated 80 percent will have one. Smartphones have penetrated every facet of daily life. The average American is buried in one for over two hours every day or glances at it 150 times a day.

But while the mobile channel now touches every market and vertical, no sector has adopted mobile technology more wholeheartedly than the financial industry. Mobile banking channel development has even become the No. 1 technology priority of North American retail banks.

In fact, mobile banking has become so important that, in a recent survey, consumers voted mobile banking availability as the most important deciding factor when choosing a bank, outranking both branch location and fees.

Cybercriminals Set Their Sights on Mobile Banking

The rapid adoption of the mobile channel by consumers has not gone unnoticed by the gangs that make their living from online fraud.

A recent report by Alcatel-Lucent Motive Security Labs shows a growth of 25 percent in the number of malware-infected devices in 2014 alone, while the antivirus company McAfee puts the total number of mobile malware samples at well over 5 million by just the third quarter of the year. These security issues aren’t all minor glitches, either: In February 2015, news reports emerged of a criminal organization dubbed the Yanbian Gang stealing millions of dollars from mobile banking customers in South Korea using fake apps.

Most alarmingly of all, IBM Security Trusteer research has found an increase in the number of mobile fraud toolkits offered for sale in underground forums. These fully loaded and ready-to-use mobile Trojans typically carry an arsenal of malicious tools able to:

  • Steal customers’ banking login credentials;
  • Intercept, forward and delete short message service (SMS) alerts and calls;
  • Inject fake messages, such as requests for login credentials and credit card information;
  • Gain administrator privilege on the device, which effectively blocks attempts to remove the malware.

Toolkits, such as the Android malware-spreading kit MazelTov recently discovered by IBM Trusteer researchers, are priced at only a few thousand dollars. Affordable prices provide an easy pathway to gangs that have historically focused on the online channel and are now looking to shift their tactics to the mobile arena.

Fortunately, most financial organizations have not seen significant mobile fraud attacks. But remember: Just because you don’t see something doesn’t mean it’s not there. The rise of online banking fraud attacks started slowly a little over a decade ago and has progressed quite rapidly ever since. The industry was unprepared, fraud was rampant and, in the U.S. and other regions, the banking regulators stepped in, forcing institutions to bolster their defenses.

The mobile channel is now in its early stages of fraud attacks, but current-day foes are much more capable and experienced than the early online banking cybercriminals ever were.

Security Is Critical to Mobile Users

Examining the present situation shows that the risk of fraud and unauthorized access in the mobile channel far exceeds direct losses. Are we waiting for something big to happen before we secure our data? Isn’t that what got online fraud to where it is today? To what extent would news of successful fraud attacks against a bank’s mobile application influence its customers’ willingness to use it? According to a recent survey by the U.S. Federal Reserve, 62 percent of customers don’t use mobile banking because of security concerns; reports of successful mobile fraud attacks would certainly increase that number. Additionally, an attack against a customer’s mobile device is bound to elicit an emotional response, given the high level of attachment to one’s smartphone.

Experience Is Paramount

While rightfully demanding that mobile banking should be secure, users are not willing to compromise their customer experience for its sake.

Online channel users have gotten accustomed to cumbersome authentication methods such as security questions, tokens and one-time passwords. However, these same users are unlikely to accept anything that would prevent them from using their mobile devices on the fly.

One unique challenge in securing mobile banking is the lack of credible out-of-band authentication such as SMS one-time passwords. A single piece of malware or a rogue app running on a device could steal the SMS as easily as it could steal login credentials.

If Banks Are Giving Customers an App, Why Not Make It More Secure?

Despite the many disadvantages banks face when looking to strike a delicate balance between mobile banking security and ease of use, they possess one key advantage: Users will download and install the mobile app. Therefore, the bank’s mobile app can be a soft target for a cybercriminal, or it can be enhanced to become a security tool that helps protect the user and the device.

For any app to become a security tool, it must not only be able to detect threats, but also establish a device ID while maintaining a frictionless customer experience. Here are a few critical aspects that secure apps must have:

  • Threat awareness. The app must be able to detect all mobile risk factors such as mobile malware, rogue applications and jailbroken devices.
  • Fast-acting intelligence. Detection must be cognizant of the rapid pace at which threats evolve. To achieve that, threat intelligence must be translated into actions such as restricting or blocking access to high-risk devices.
  • Strong device ID. The app must be able to provide identification of a user’s device. Such identification must be persistent over varying operating systems and version changes while being immune to tampering.
  • Seamless use. Threat awareness and a strong device ID must be transparent to the user and precise enough not to affect the customer experience of legitimate users, all while blocking unauthorized access.

While the war against fraud in the mobile channel is still in its infancy, one thing is certain: Those who prepare for it will be in a better position to win than those onlookers waiting on the sidelines.
