Mobile Banking: The New Risks

User Behavior, Lax Security Make Mobile the New Target
Mobile Banking: The New Risks
Phishing attacks aimed at online PC users won't be the financial industry's greatest worry in the near future, says Dr. Markus Jakobsson, security expert in the field of phishing and crimeware. Malware targeting mobile devices will be.

Jakobsson, who has spent the last several months analyzing the current state of current mobile security, says mobile vulnerabilities have changed quite a bit over the last 12 months, and most mobile users and carriers have no real way to protect themselves from fraudsters seeking access to financial accounts.

"Until recently, the smartphone market has been rather small, but in a matter of months or at most a year, there will be more smartphones in the world than Windows machines," he says. "It goes without saying that the offenders will target mobile devices."

That market explosion will lead to greater and more dynamic threats than the PC world ever faced, and mobile banking and financial services will be prime targets for fraudsters.

Globally, the increasing use of smartphones spurred the European Network and Information Security Agency to publish a new report about mobile application security, advocating a baseline set of five defenses against malware. "Using malicious apps, attackers can easily tap into the vast amount of private data processed on smartphones such as confidential business e-mails, location data, phone calls, SMS messages and so on. Consumers are hardly aware of this," say Doctors Marnix Dekker and Giles Hogben, authors of the report.

"Phones are social devices, and people are more naïve when it comes to using their mobile devices," Jakobsson says. "When people interact with others on their mobile devices, they are usually interacting in a more relaxed way than from a traditional computer, and that rubs off on the way they use the device, whether for browsing, accessing and responding to e-mail, banking, or payments. Their behavior is much riskier" and could make them susceptible to fraud.

Most consumers understand the need for security on laptops and PCs. On mobile devices, the thinking is not the same. Couple that risky behavior with the speed of mobile interactions, texting and e-mail, and it's clear many mobile users could easily be caught with their guard down by a malicious link that in a traditional online environment might raise a red flag.

Besides, the security of many mobile platforms and applications themselves, such as Android apps, have raised concerns for years, as the availability of open-source apps continues to grow.

Two things are happening to create a perfect storm. "More and more people, with the development and deployment of 4G, are using their mobile devices for banking, PayPal and Square," Jakobsson says. "They use it for premium payment services, and that means money for the attackers."

The other challenge: Malware is hard to detect on a mobile device, because of the nature of mobile technology. "If you want to detect malware, you look for signatures, but you need to look for them all the time," Jakobsson says. "If you have an anti-virus or malware detection program that is running all the time on your mobile phone, that kills the battery. ...It's a structural difficulty that the existing paradigm has not overcome. It is a technical failure."

Mobile Malware: Are U.S. Institutions Prepared?

Increases in mobile smishing - phishing via text messages - and malware attacks are already evident in other parts of the world, where mobile adoption is much higher than it is in the United States.

In so-called emerging markets, such as India, China and South America, attacks waged against the mobile and online channels are growing concerns for the financial industry.

Jason Hong, founder and chief technology officer of Wombat Security Technologies, a cybersecurity training company and spinoff of the School of Computer Science at Carnegie Mellon University, says emerging markets are being targeted by phishers and smishers because of new wealth and lack of familiarity with computer technology.

"Phishing has been epidemic for the last couple of years," Hong says. "It's a plague on the Internet, and it's spreading all over the world, as the world is becoming more connected."

The mobile channel merely provides a new venue.

"Smishing is very prevalent in countries where people of all ages make heavy use of SMS, which is pretty much every country except the U.S. and Canada," says Tom Wills, an independent senior analyst of risk, security and fraud for Javelin Strategy & Research. "The reason is that incoming and outgoing messages are both, usually, free of charge. In many countries, definitely Singapore, for example, SMS is the No. 1 mode of communication, preferred over voice, e-mail, IM [instant message] and everything else. Facebook and Twitter, accessed via mobile apps, are starting to gain ground in the smartphone-heavy markets - Australia, New Zealand, Singapore, Hong Kong, Taiwan, Japan and South Korea. But a lot of people even do their Facebook and Twitter updates via SMS, just out of habit."

All of that activity makes mobile, especially SMS/texting, a prime target for scammers. "They always like to go where they can get the most bang for their buck," Wills says. It's the same reason most malicious code is written for Windows, not Mac. Malware writers target the platforms and apps that have the most market share.

Addressing Mobile Concerns

Developing markets, such as India, are the targets for now. But fraudsters' aims won't stay isolated. "It's not just India where consumers are vulnerable," Jakobsson says. "It could be in any market. People behave in a way that's dangerous, anywhere, when they use mobile devices."

So how do banks address these concerns?

Jakobsson, for his part, is developing a solution that works outside the current mobile paradigm, allowing users to run AV software only when they log on to their banking accounts or access their mobile banking apps. "It's not constant," he says. "It only kicks in when you perform a payment or when you log into your banking platform."

Hong suggests financial institutions enhance user behavior, by educating consumers and employees about how to identify phishing e-mails, whether on a PC or a mobile device. "Many of the modes of education are not very effective," he says. "Interactive training is more effective," meaning institutions send simulated phishing attacks to their customers and members to gauge how they react.

Addressing mobile online and application security is not so different. As Jakobsson says, "This is malware. Some is designed for Android, some for iPhone, but increasingly, much of the malware is cross-platform."

In general, experts say we are just on the cusp of seeing a surge in mobile attacks, and until technology for mobile device identification and anti-virus usage improves, there is little banking institutions can do. And since so much of the security concerns revolve around consumer behavior, education is the best bet.

Basic security measures, such as password-protection for mobile-device access, with passwords that are changed often, should be fundamental. Also, when browsing on a mobile device or accessing a mobile app, consumers should be warned to take the same precautions they would while browsing on a PC. They should use different passwords for different online accounts and apps. And when making purchases, they should only enter sensitive payment data on sites with hypertext transfer protocol secure, "https," URLs, rather than basic hypertext transfer protocol, "http," URLs.


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 19 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network