Malware Threats Rise for Mobile Banking

  • We heard it again and again from Charaka Kithulegoda and other bankers honored in our Mobile Banker of the Year package this year: simplicity and ease of use are the keys to sound mobile banking app design.

    June 3

As apps shrink the gap between financial firms and their customers, banks are coping with new and growing risks that accompany mobile devices.

Malware tailored to browsers made for miniature screens; scams aimed at duping smartphone users; hackers intent on phishing attacks meant to ensnare tablets — all the threats bankers deal with on the desktop have moved to people's pockets.

"[Security concerns] have grown with the use of mobile devices," says Ken Baylor, a research vice president at the information security research and advisory company NSS Labs. "Right now, from what I'm seeing, it's growing by a factor of four every year, it's definitely insidious and it's definitely growing and the malware is getting more and more complex."

Last year alone on Google's mobile Android platform, Trend Micro detected 350,000 "malicious and high-risk" Android app samples, according to a report by the digital security firm. That's an increase from the 1,000 samples it saw the previous year. Only 20% of Android device owners use a security app, the company has found. [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-repeating-history.pdf]

Part of the problem is that many banks have yet to develop secure mobile apps. And when banks rely on third parties for their mobile banking apps, they are sometimes insecure.

"There are companies out there selling base frameworks that we have found a number of security flaws in," says George Tsantes, a principal within Ernst & Young's information technology advisory services group.

He says building security into financial services apps is a specialty that not all developers have. In some instances, bank apps fail to incorporate updates in mobile operating systems. That means the apps are not fully tested against newer versions of mobile operating systems, like Apple's iOS 6.1.3. "These operating systems are getting patched and updated all the time, so things that might have been secure are no longer secure," says Tsantes. "So it's just making sure that you're incorporating those changes."

In addition, some bank app developers accidently leave persistent data — the kind invisible to users that lies dormant and invisible on a device, in the background. "Let's say down the line I sell the device or lose the device... [criminals] can retrieve that data, because it's stored in an insecure manner," says Charles Henderson, director of application security services at Trustwave's SpiderLabs.

He adds that the immaturity of the mobile market makes it a prime target for crooks.

"From a the sheer maturity of the industry, of the security landscape, sadly, I think mobile is really lagging behind even where desktop was several years ago," says Henderson. "I think that's largely because the concept of a closed operating system (one like Android or iOS) where you can't see [data], people think: 'If you can't see it, it can't hurt you.' has led a lot of developers to say the same."

Those concerns cut both ways.

Until bankers increase the security around their mobile apps, some customers may not feel comfortable using the software for anything more than checking a balance.

Banks also have to provide answers about what-if scenarios. For instance, they should let customers know what would happen if their account was compromised online and/or from a mobile device, and what assurances and guarantees the institutions can offer, points out Steven Lewis, a lead analyst in Ernst & Young's global banking and capital markets practice.

Still, the industry isn't to the point where mobile is accounting for a majority of financial services fraud, says Al Pascual, a senior security analyst at Javelin Strategy & Research. Right now, most hacks cyber criminals employ focus on picking up one-time-passwords sent to mobile phones. "They are not there, yet," says Pascual of digital deception. "[Hackers] are just dipping their toes in the water, attacking those one-time-passwords."

But when cyber crooks go full bore — and they inevitably will — thieves will have a field day picking apart bankers' mobile defenses.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER