The advent of vicious new malware strains like HijackRAT and Svpeng inevitably causes bank CEOs and boards to turn to their IT and security chiefs and ask: "what have you done about this, and what do you plan to do?"
There are several defensive moves banks can make, some of which involve spending on new technology while others are simpler fixes.
There are currently 3.73 million strains of malware targeting mobile devices, many of them Trojans like Svpeng, according to security software firm McAfee. About 97% target Android devices — the open-source nature and many variations of the Android operating system leave it more vulnerable to malware than the more locked-down and controlled Apple iOS and Apple store.
But Apple, Windows and BlackBerry devices are not immune. Apple last week applied for a patent on technology that would provide location-based security — the use of geolocation sensors to automatically lower or raise the security constraints on a device. For instance, while a user is at home, the need for a password to unlock the device could be dropped. Any means of automatically lowering basic security mechanisms will become an unspoken invitation to hackers.
A week ago, FireEye mobile security researchers discovered mobile malware referred to as HijackRAT that pretends to be a Google update, kills an anti-virus app on the phone and steals the user's banking credentials. Eight Korean banks have been targeted so far, but others could easily be added to the list.
And last month, mobile Trojan Svpeng was discovered operating in the U.S. Svpeng checks a user's phone for an app from a specific list of financial institutions, locks down the phone and demands money to unlock it. In later incarnations, the malware is expected to start stealing online banking logins and passwords, as it already does with Russian bank accounts.
Mobile devices generally are more vulnerable to malware than PCs. For one thing, consumers are cavalier about protecting them. Parents let small children play with their phones, points out Shirley Inscoe, a senior analyst at Aite Group.
"They don't realize how important those devices are to their lives," she says. "We all rely on our contacts, calendars, email and all the other information our mobile devices contain."
Also, consumers have not been conditioned to use and update anti-virus software for their smartphones the way they have for PCs.
With all that in mind, here are five ways banks can help protect their customers from mobile threats:
Teach Customers About the Risks
The No. 1 defense against mobile malware, according to Inscoe, is customer awareness and education.
Forty-four percent of U.S. consumers said they couldn't recall ever seeing anti-fraud information from their financial institution, according to a recent Aite Group survey. About 18% said they'd received an email from their bank with anti-fraud information; 21% said they'd gotten something in the mail; and 11% said they had read about fraud on the bank's website.
"There's a huge opportunity here for financial institutions to educate consumers so they know what to do and what not to do to better protect themselves," Inscoe says. Banks can inform customers about the dangers of malware and the risks of downloading free apps that could contain malicious code, for instance.
They can warn consumers against "jailbreaking" their devices (i.e., removing operating system provider or carrier restrictions from them), which makes them less secure.
Banks could encourage consumers to download antivirus software to help protect their devices. However, they must be careful to choose an official app, and not some rogue app that contains malicious code of its own.
Every consumer should back up their phone, and the telecom and operating system providers ought to support this, says David Britton, vice president of 41st Parameter, a security research subsidiary of Experian.
"With all the technology and cool whiz-bang stuff we've got flying around, it should be a no-brainer that the platform should have that as a seamless process," he says.
If a customer's system is locked out and he has a good backup, he could ignore a ransom request from ransomware such as Svpeng, wipe all the malware from the device and restore his data.
Multifactor authentication is another effective defense, says Alphonse Pascual, practice leader for fraud and security at Javelin Strategy & Research.
"The best way to protect against the threat of compromised log-in credentials is to make them worthless to criminals in the first place," he says.
Device fingerprinting, sometimes called device ID, has potential for strengthening mobile banking security. It can be used to check if the device being used to log in is the same as the one that was registered.
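An added illustration of that check, not from the article or any vendor named in it: a server-side comparison of the attributes recorded when the device was registered against those the app reports at login, with a second factor required when only volatile attributes (such as an app update) differ. The attribute names, the sample devices and the secret are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Attributes that make up the fingerprint (constructed for this example).
# Stable ones rarely change for a genuine device; volatile ones change on routine updates.
STABLE_ATTRS = ("model", "os", "install_token")
VOLATILE_ATTRS = ("os_version", "app_version")
ALL_ATTRS = STABLE_ATTRS + VOLATILE_ATTRS


def fingerprint(attrs: Dict[str, str], secret: bytes) -> str:
    """Keyed hash over the canonicalised attributes.

    Keying with a server-side secret means a leaked fingerprint table cannot be
    matched offline against guessed device attributes.
    """
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in ALL_ATTRS)
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def evaluate_login(registered: Dict[str, str], observed: Dict[str, str],
                   secret: bytes) -> Tuple[str, List[str]]:
    """Decide how to treat a login from `observed` given the enrolled `registered` device.

    Returns (decision, changed_attributes):
      'allow'    - fingerprints identical
      'step_up'  - only volatile attributes changed (OS/app update): require a second factor
      'reenroll' - a stable attribute changed: treat as an unregistered device and
                   require out-of-band re-registration
    """
    if hmac.compare_digest(fingerprint(registered, secret), fingerprint(observed, secret)):
        return "allow", []
    changed = [k for k in ALL_ATTRS if registered.get(k) != observed.get(k)]
    if any(k in STABLE_ATTRS for k in changed):
        return "reenroll", changed
    return "step_up", changed


# Constructed sample data: the device enrolled with the bank and a demo-only secret.
REGISTERED = {"model": "Pixel 4a", "os": "android", "install_token": "c0ffee-1",
              "os_version": "13", "app_version": "4.2.0"}
SECRET = b"server-side-secret-for-demo-only"

if __name__ == "__main__":
    print(evaluate_login(REGISTERED, REGISTERED, SECRET))
    print(evaluate_login(REGISTERED, dict(REGISTERED, app_version="4.3.0"), SECRET))
    print(evaluate_login(REGISTERED, dict(REGISTERED, install_token="deadbeef-2"), SECRET))
```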