Mobile Attacks Pose Increasing Threat
Malware, Out-of-Band Compromises Get Banks' Attention
Malware attacks against mobile devices are on the rise. As a result, institutions offering mobile banking need to focus in the year ahead on implementing stronger authentication for transactions and users, better defenses to prevent out-of-band compromises and improved mobile malware detection.
A recent study from software and security firm Trend Micro found that mobile malware attacks hit record numbers in the third quarter, with Android devices as the primary targets. Malicious or potentially malicious mobile applications totaled 175,000 in the third quarter, up from 28,000 the previous quarter.
Alphonse Pascual, a financial security and fraud analyst with consultancy Javelin Strategy & Research, says mobile malware is growing exponentially. And while Android devices have been the most frequent malware targets so far, Apple devices are at risk, too. In fact, according to a recent Javelin study, iPhone users are becoming more attractive targets to fraudsters because Apple users make more and higher monthly purchases via browser and app than do Android users, and they also tend to have larger bank accounts.
"What that means from a security standpoint is that while Android presents a larger target profile, iPhone users should be a high-profile concern because they represent a substantial portion of the mobile payment volume," Pascual says.
Compromised mobile devices can expose a whole host of financial and personal information, says George Tubin, a malware and financial security expert at anti-malware vendor Trusteer. That means more risk of online-account takeovers and circumvention of out-of-band authentication methods that rely on mobile SMS/text messaging.
Vendors' Mobile Protections
New technologies that can protect mobile devices are needed, says Keith Gordon of Bank of America, a pioneer in mobile banking with more than 11.5 million users. Unfortunately, banks and credit unions don't have many options.
Gordon, who oversees security, fraud and enrollments for BofA's mobile and online banking channels, says BofA is asking vendors to pay more attention to developing effective mobile anti-virus software. "We've partnered with McAfee to begin offering a first-gen mobile anti-virus solution to address the needs we see among our customers," he says.
BofA expects to go live with its new anti-virus solution, which will provide coverage for all major mobile platforms, during the first quarter.
Preventing smishing - fraudulent SMS-messaging attacks - is BofA's priority right now, Gordon explains. These attacks have been difficult to combat because they exploit common mobile user behaviors.
"We see customers more willing to click a link that comes to a mobile phone rather than one that comes to a PC," Gordon says. "And on the user device itself, we've seen lower acceptance of password protections on mobile than on a PC."
The Next Mobile Vulnerability?
Gordon's concerns are justified. In October, the Federal Bureau of Investigation raised mobile malware concerns when it issued an alert about two new Trojans designed to compromise Android devices (see FBI Warns of Mobile Malware Risks).
The Android Trojans, known as Loozfon and FinFisher, not only compromise transactions but also the data stored on mobile devices. The FBI discovered instances in which the Trojans were able to hack Android devices through mobile applications and browsing and circumvent out-of-band transaction verification methods that rely on the mobile channel to authenticate online-banking transactions.
If the online account of a mobile user is compromised, then a hacker can easily bypass out-of-band authentication, Trusteer's Tubin says. That's because SMS messages containing one-time passcodes for authenticating transactions scheduled online can then be intercepted by hackers. And Tubin points out that hackers already have succeeded in such interceptions.
Out-of-band compromises are what made the Eurograbber attack, which hit some 30,000 retail and corporate accounts in Europe, so successful. In August, online identity-theft protection provider Versafe identified the multistage attack and brought in Check Point Software Technologies to assist with its analysis of this newly identified Zeus variant (see Eurograbber: A Smart Trojan Attack).
Eurograbber allowed hackers to steal more than 36 million euro ($47 million U.S.) from online bank accounts by defeating two-factor authentication that relies on texting one-time passcodes to mobile devices.
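To make the out-of-band mechanism concrete, here is an added simulation of SMS one-time codes. It is not code from Trusteer, Versafe, Check Point or any bank; the bank, phone and attacker roles, the HMAC-based code construction and the scenarios are assumptions for illustration. It shows why binding the code to the transaction details (and echoing those details in the SMS) lets an attentive user catch a browser-side change to the payment when the phone is clean, and why that binding stops helping once malware on the phone forwards the SMS, which is the Eurograbber pattern described above.

```python
"""Out-of-band SMS one-time codes: transaction binding and its limit.

Constructed simulation (not any bank's or vendor's code). Roles, message
format and scenarios are assumptions made for this illustration.
"""
import hashlib
import hmac

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120


class Bank:
    """Issues and verifies one-time codes bound to a specific transaction."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # txn_id -> {"txn", "expires", "used"}
        self._counter = 0

    def _code(self, txn_id: str, txn: dict) -> str:
        # The code is an HMAC over the transaction as the bank will execute it,
        # so a code issued for one amount/payee cannot confirm another.
        msg = f"{txn_id}|{txn['amount']}|{txn['payee']}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

    def start_transaction(self, txn: dict, now: float):
        self._counter += 1
        txn_id = f"txn-{self._counter}"
        self.pending[txn_id] = {"txn": txn, "expires": now + OTP_TTL_SECONDS, "used": False}
        # The SMS repeats amount and payee so the user can check them.
        sms = f"Confirm {txn['amount']} EUR to {txn['payee']} with code {self._code(txn_id, txn)}"
        return txn_id, sms

    def confirm(self, txn_id: str, code: str, now: float) -> bool:
        entry = self.pending.get(txn_id)
        if entry is None or entry["used"] or now > entry["expires"]:
            return False
        if not hmac.compare_digest(code, self._code(txn_id, entry["txn"])):
            return False
        entry["used"] = True  # one-time: replaying the same code fails
        return True


def user_reads_sms(sms: str, intended: dict):
    """Clean phone: the user types the code only if amount and payee match."""
    if f"Confirm {intended['amount']} EUR to {intended['payee']} " not in sms:
        return None  # mismatch: the user refuses and calls the bank
    return sms.rsplit(" ", 1)[1]


def malware_forwards_sms(sms: str) -> str:
    """Infected phone: malware silently forwards the SMS to the attacker."""
    return sms.rsplit(" ", 1)[1]


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    bank = Bank(b"demo-key-not-for-production")  # assumed fixed demo key
    intended = {"amount": 100, "payee": "Alice"}
    tampered = {"amount": 9000, "payee": "Mule"}  # what the infected browser submits
    results = {}

    # 1. Browser tampered, phone clean: the SMS says 9000 EUR to Mule, user balks.
    txn_id, sms = bank.start_transaction(tampered, now)
    code = user_reads_sms(sms, intended)
    results["mitb_clean_phone"] = code is not None and bank.confirm(txn_id, code, now)

    # 2. Browser tampered, phone infected (the Eurograbber pattern): the attacker
    #    receives the forwarded code and confirms the tampered payment.
    txn_id, sms = bank.start_transaction(tampered, now)
    results["mitb_infected_phone"] = bank.confirm(txn_id, malware_forwards_sms(sms), now)
    results["replay_after_use"] = bank.confirm(txn_id, malware_forwards_sms(sms), now)

    # 3. A code lifted from one transaction does not confirm a different one.
    _, sms_a = bank.start_transaction(intended, now)
    id_b, _ = bank.start_transaction(tampered, now)
    results["code_reused_on_other_txn"] = bank.confirm(id_b, malware_forwards_sms(sms_a), now)

    # 4. Codes expire.
    id_c, sms_c = bank.start_transaction(intended, now)
    results["expired"] = bank.confirm(id_c, malware_forwards_sms(sms_c), now + OTP_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, confirmed in run_scenarios().items():
        print(f"{name:26s} confirmed={confirmed}")
```

The second scenario is the one the experts above are warning about: every check the bank can do on the code (binding, single use, expiry) passes, because the attacker holds a genuine code for the transaction the attacker initiated. Once the phone is compromised, the SMS channel is no longer out of band, which is why the controls have to move to the device (malware detection) and to the transaction itself (behavioural screening) rather than to the code format.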
And more circumventions of mobile out-of-band authentication are on the horizon, says George Waller of security and authentication solutions provider StrikeForce Technologies.
Waller says simulated malware attacks run on smart phones have revealed that cached files containing keystrokes are readily viewable. Ultimately, he says, every mobile touchscreen entry is keylogged and saved by a mobile device's operating system.
As a result, if the mobile device is hacked, hackers have access to anything the user has entered, Waller explains.
"When you type your password, it's saved," he says. "That's what makes auto-fill [the feature common on most mobile devices that automatically completes a word or phrase as it's entered on the touchscreen] work so easily."
The best solution is ensuring keystrokes and stored data are encrypted. But mobile devices don't have that capability today, Waller adds.
Mobile attacks that aim to gain access to cached keystroke files will be the next big threat, Waller adds. "This is how they are really going to start stealing credentials, so this is the area that we are focused on right now."
The best defense is for banking institutions to address mobile security the same way they address online security - with layers of protection, experts say.
"Layers of security are built into the [Federal Financial Institutions Examination Council's updated authentication] guidance and should be applied to any channel where transactions are conducted," says Tiffany Riley of Guardian Analytics, which provides online security and fraud-prevention solutions. "Layers of security mean addressing user behavior, too. It's not just about malware."
- Educating mobile users about safe behavior, following the same guidelines outlined in the FFIEC's authentication guidance for online transactions.
- Addressing the scope of mobile threats beyond malware. "You have vishing, phishing and a whole host of accounts that have already been taken over," Riley says. "If all you're addressing is how to fight mobile malware, you're not appropriately addressing those credentials that have already been taken over."
- Investigating new solutions that address mobile-device keylogging and virus detection.
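As an added illustration of the behavioural layer Riley describes, the following scores a payment against the account's own history and session context instead of trusting a valid password and one-time code alone. It is a constructed example, not Guardian Analytics' or any bank's scoring logic; the signals, weights, thresholds and sample accounts are assumptions chosen to show how a Eurograbber-style payment and a stolen-credential login would surface even when the authentication steps themselves succeed.

```python
"""Layered, behaviour-based screening of an online or mobile payment.

Constructed illustration (not any vendor's or bank's product). Signals,
weights and thresholds are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """What the bank already knows about this account's normal behaviour."""
    known_payees: frozenset
    max_amount_90d: float
    known_devices: frozenset
    known_countries: frozenset


@dataclass(frozen=True)
class Payment:
    amount: float
    payee: str
    device_id: str
    country: str
    seconds_since_login: float
    seconds_to_enter_otp: float  # SMS sent -> code submitted


def risk_signals(p: Profile, t: Payment) -> dict:
    """Each signal maps to (fired, weight). Weights are illustrative."""
    return {
        "new_payee": (t.payee not in p.known_payees, 25),
        "amount_far_above_norm": (t.amount > 2 * p.max_amount_90d, 30),
        "unknown_device": (t.device_id not in p.known_devices, 20),
        "unknown_country": (t.country not in p.known_countries, 20),
        # A human reads the SMS and types six digits; malware relaying the
        # code to a script does it in a second or two.
        "otp_entered_too_fast": (t.seconds_to_enter_otp < 5, 30),
        "payment_right_after_login": (t.seconds_since_login < 20, 15),
    }


def screen(p: Profile, t: Payment) -> dict:
    """Combine the signals into a score and a routing decision."""
    signals = risk_signals(p, t)
    fired = [name for name, (hit, _) in signals.items() if hit]
    score = sum(weight for hit, weight in signals.values() if hit)
    if score >= 60:
        action = "hold_for_review"
    elif score >= 30:
        action = "step_up"  # e.g. call-back on a channel the malware does not control
    else:
        action = "allow"
    return {"score": score, "action": action, "signals": fired}


def demo() -> dict:
    """Constructed account history and three sample payments."""
    profile = Profile(
        known_payees=frozenset({"Alice", "Utility Co"}),
        max_amount_90d=500.0,
        known_devices=frozenset({"pc-home"}),
        known_countries=frozenset({"DE"}),
    )
    samples = {
        # Routine bill payment from the usual PC.
        "routine": Payment(80.0, "Utility Co", "pc-home", "DE", 300, 25),
        # Eurograbber-like: usual PC, but a large payment to a fresh payee
        # confirmed with a code that arrived seconds after the SMS went out.
        "eurograbber_like": Payment(9000.0, "Mule", "pc-home", "DE", 12, 2),
        # Credentials already stolen: a known payee, but a new device and country.
        "stolen_credentials": Payment(200.0, "Alice", "laptop-x", "RO", 90, 20),
    }
    return {name: screen(profile, t) for name, t in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} score={verdict['score']:3d} -> {verdict['action']}  {verdict['signals']}")
```

The point of the third sample is Riley's: a correct password and a correct one-time code say nothing about whether the person typing them is the customer, so the transaction and session context have to be scored as a layer of their own.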