Security industry responds to FBI warning of increased mobile banking risks
Earlier this week the FBI issued an alert about the risk of mobile banking platforms being targeted by cybercriminals during the current pandemic lockdown.
More than 75 percent of Americans used mobile banking in some form in 2019, and since the start of this year a 50-percent spike in the usage of banking apps has been observed. Security professionals have been responding to the news.
Trojans and fake apps are expected to make up the bulk of the attacks and ESET malware researcher Lukáš Štefanko points out there are important differences in the approaches.
"Banking trojans are devious -- they try to make users install them by pretending they are something fun or useful, but definitely totally harmless. Think games, battery managers and power boosters, weather apps, video players, and so on." These apps bide their time and strike when the victim least expects it, sliding a fake login screen over the legitimate banking app and stealing the credentials entered into it.
Fake banking apps, however, are more straightforward -- they try to convince you that they are the real deal, says Štefanko. "Once installed and launched, they lead with a login form, just like a real banking app would. And, as you probably already guessed, the credentials submitted into the form are harvested."
Sam Bakken, product marketing manager at OneSpan, warns that app developers as well as consumers need to be aware of the problem:
As mobile banking activity in the US has surged during stay-at-home orders, attackers are following the money and even the FBI notes the risk. Consumers need to be vigilant, but in many cases, users are beholden to their device manufacturer, carrier, or the developers of the apps they use. The FBI recommends that consumers enable two-factor authentication, and I was pleased to see them recommending biometrics and other methods rather than known-to-be-vulnerable codes sent via SMS. It doesn't stop with users, though.
App developers also need to take additional steps to ensure the security of their apps, even in potentially hostile environments such as compromised, jailbroken, or rooted phones. Luckily, a number of companies provide security building blocks that make it easier and more efficient for developers to harden their mobile apps and integrate stronger authentication methods.
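Two of the measures referred to above, overlay resistance for the login form and a basic check for a rooted device, can be illustrated in Android app code. The following is an added example written for this page; it is not code from the FBI alert, ESET, OneSpan or any other party named in the article. The class and method names are the example's own, the list of su paths is a conventional heuristic rather than an exhaustive one, and the checks are assumed to run inside the banking app's own process.

```java
// Added illustration, not from the article or any vendor it quotes.
// Assumes Android SDK classes only; class/method names are hypothetical.
import android.os.Build;
import android.view.MotionEvent;
import android.view.View;
import android.widget.EditText;
import java.io.File;

public final class HostileEnvironmentChecks {

    // Common locations of an su binary on rooted devices. This is a
    // heuristic list (assumed here), not a complete one: rooting tools and
    // malware can rename or hide these, so treat a negative result as
    // "nothing obvious found", not as proof the device is clean.
    private static final String[] SU_PATHS = {
        "/system/bin/su",
        "/system/xbin/su",
        "/sbin/su",
        "/su/bin/su",
        "/system/app/Superuser.apk"
    };

    // Returns true if the device shows obvious signs of being rooted:
    // a build signed with AOSP test keys, or an su binary on disk.
    public static boolean looksRooted() {
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            return true;
        }
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    // Overlay defence for a credential field. With
    // setFilterTouchesWhenObscured(true) the framework drops any touch that
    // arrives while another window is drawn over this view, which is the
    // mechanism a banking trojan's fake login screen relies on.
    public static void protectCredentialField(EditText field) {
        field.setFilterTouchesWhenObscured(true);
    }

    // For views that must still receive touches, the same condition can be
    // detected per event: FLAG_WINDOW_IS_OBSCURED is set on a MotionEvent
    // delivered while the window is covered. Returning true consumes the
    // event so the underlying view never sees it; the caller can also log
    // or alert on it.
    public static View.OnTouchListener rejectObscuredTouches() {
        return (View v, MotionEvent ev) ->
            (ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }
}
```

A banking app would call `protectCredentialField` on its username, password and one-time-code fields, and might refuse to proceed, or step up authentication, when `looksRooted` returns true. Both checks are cheap to bypass for a determined attacker on a fully compromised device; they raise the bar against the commodity overlay trojans the article describes rather than replacing server-side risk controls and strong second-factor authentication.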
Chris Hazelton, Director of Security Solutions at mobile phishing solutions provider Lookout, says he is seeing attacks increasing:
There are a large number of fake mobile apps, with many targeting the immediate payday by stealing banking credentials. However, most of these apps do not make it to public app stores. Users are often taken to websites that mirror real sites to download fake apps.
While there are a large number of fake apps, there is also the threat that comes from mobile phishing -- directing users to fake websites to download malicious apps or steal credentials directly. 45.5 percent of Lookout users encountered a mobile phishing attack in the last three months. This is up significantly from 32.5 percent in the middle of 2019.
To stay safe mobile banking users should ensure that they download apps only from official stores, pay attention to the permissions being granted, and keep their device OS and security solution as up to date as possible.