Consumers have gotten used to using mobile banking, but that doesn't mean they trust it. Nor should they, given the escalating security threats.
In a recent survey, MyBankTracker, a personal finance and bank ranking platform, found that only 6% of respondents trust mobile technologies for financial transactions. When you think of how many people in this country use mobile banking — a Verizon study found that in 2015, 55% of American smartphone owners made a mobile bank transaction — this 6% is astonishing.
Another consumer study, commissioned by the security software company Arxan, found that although the vast majority of consumers — 86% — think their banks are doing enough to protect their apps, 41% expect those apps will be hacked.
"Consumers and businesses feel it's the bank's responsibility to keep them safe," said Ross Hogan, global head of fraud prevention at the security vendor Kaspersky Lab. "Many of them feel the bank is actively doing something, but just don't feel ultimately secure. They're responding out of emotion — 'I don't have any information or evidence as to what my bank is doing, but I would hope they are doing something.' At the same time, they feel vulnerable because they don't understand what steps the banks are actually taking."
Consumers don't seem to have specific fears, such as that their devices will be stolen or that mobile malware will steal their mobile banking credentials. They have a general sense that nothing passing over the Internet is safe, fed by news stories about governments and retailers like Target suffering data breaches.
"It's a perception thing," said Alex Matjanec, CEO and co-founder of MyBankTracker. "They look at Target, Netflix, Time Warner Cable, they assume there's nothing they can do."
Banks can't afford to be so fatalistic. They have to be hyperaware of the threats to mobile banking, and keep them at bay.
For years now, the common wisdom has been that banking on a smartphone is safer than using a laptop or desktop. Device identity technology that many banks use can check whether the smartphone in use is the one originally registered with the account. Geographic location data can be monitored to see whether the consumer's phone is in a logical place relative to her recent transactions, and patterns of behavior on the device can be monitored and compared against the current user's taps.
Yet, a growing body of evidence is undermining this argument, and vulnerabilities are turning up even in Apple's famous "walled garden."
Cybercriminals are stepping up their production of malicious apps that target phones and tablets — especially malware strains aimed at mobile access to bank accounts. Kaspersky Lab researchers found 39% more strains of mobile banking Trojans were developed in 2015 than in 2014, for a total of 25,000 (the number of mobile malware programs overall rose 188% during the same time period).
Most of these are Android apps, but not all.
"When you hear of mobile banking Trojans that are extending beyond the Android operating system, it gets people's attention," Hogan noted. "There's this false sense that the Apple operating system is so secure."
Faketoken.AndroidOS is a mobile app used to redirect mobile transaction authentication numbers to a second device without the victim's knowledge. It was one of the leading actors in mobile malware in 2015, according to Vicente Diaz, principal security researcher at Kaspersky Lab, and it's the most prevalent threat to mobile banking today, according to the company. Faketoken ranks seventh on Kaspersky's list of the top 10 banking malware families.
"This is the first time we've seen mobile malware crack the top 10," Diaz said. There's also a second mobile malware family on the list, called Marcher, at No. 8.
Many of the new strains are ransomware, which locks the user's device and presents a demand for money to unlock it. Consumers are more likely to fall victim to ransomware on their mobile phones than on their desktop computers, Hogan said.
"If we're online and we see something that seems suspicious, we're all trained to try and circumvent it in any way possible," he said.
Many people, tethered to their phones at almost all times, may cave in to the demand for money out of frustration. "They don't care if it might be suspicious, they just want to get it over with so they can keep doing whatever they're doing," Hogan said.
Other types of malware include Trojans and rogue apps, which I'll address in more detail in my next post.
Another threat to mobile banking is the fact that banks' legitimate apps are not as locked down as you might think. Some bank app developers have simply Googled other banks' code and put the results in their mobile banking application, Hogan said. "It's happening more than anyone would care to admit."
Arxan recently tested 55 mobile finance apps for security vulnerabilities. Thirty-three of these apps are run by banks. Almost all contained two types of vulnerabilities.
One is lack of binary protection — the absence of a means of protecting code from being reverse-engineered. It appeared in 98% of the apps.