Digital banking's explosive growth compounds cyber risks, FBI warns
A new FBI reminder about an old cyber threat should be a code red for banks and credit unions: With so many newcomers to mobile banking, financial institutions need to protect customers from unwittingly downloading malicious apps.
To be sure, hackers have long tried to trick consumers into downloading trojans hidden in fake banking or gaming apps in order to steal their usernames and passwords to online banking services.
But the FBI, in issuing a warning to the public about such attacks last week, argued they could skyrocket along with what it says has been a 50% increase in mobile banking since the coronavirus pandemic began.
“As the public increases its use of mobile banking apps, partially due to increased time at home, the FBI anticipates cyber actors will exploit these platforms,” the warning said.
Rick Cooney, director of fraud strategy at Axcess Financial, a financial services provider that owns Check ‘n Go check cashing stores, agreed with that prediction.
“A lot of the people who are moving toward more mobile banking weren't early adopters of it, obviously,” said Cooney, who previously managed anti-fraud efforts at Citibank and Synchrony Financial. “So they may not be quite as sophisticated as the folks who have been doing it for years. In that kind of environment, it's more likely you will have an increased number of victims to those types of scams.”
The FBI did not respond to phone calls and emails seeking comment for this article.
Others questioned whether the FBI should be focused on other schemes, such as efforts to intercept people’s stimulus checks or unemployment insurance payments.
“It's not that the conditions aren't really ripe for fraudsters to increase their attacks in the post-pandemic world — it's more, how they would do it,” said Trace Fooshee, senior analyst at Aite Group. “We certainly have seen increases in phishing attacks, and there’s no shortage of bot attacks and human farm attacks. I have not yet heard of increases in trojans or fake apps.”
Still, the FBI’s warnings are useful. It's never a good idea to allow malware onto a device that could harvest mobile banking credentials.
App-based banking trojans
The FBI advised the public to be cautious when downloading apps on smartphones and tablets, as some could be concealing malicious intent.
“Cyber actors target banking information using banking trojans, which are malicious programs that disguise themselves as other apps, such as games or tools,” the FBI said. “When the user launches a legitimate banking app, it triggers the previously downloaded trojan that has been lying dormant on their device. The trojan creates a false version of the bank's login page and overlays it on top of the legitimate app. Once the user enters their credentials into the false login page, the trojan passes the user to the real banking app login page so they do not realize they have been compromised.”
The conventional wisdom is that Apple is good at vetting new apps in its app store to make sure they’re legit, but Google not so much.
“The Android app store is notorious for letting malicious apps through, although they've tightened their security recently,” Fooshee said. “Apple has always been pretty good at weaning out the nefarious apps from the legitimate apps. I think the bulk of these kinds of threats come from downloading apps from third-party websites, whether they're fake bank websites or other sites.”
Chris Hazelton, director of security solutions at Lookout, a San Francisco provider of mobile phishing solutions, pointed out that consumers often get conned into downloading malicious apps through a mobile phishing attack that directs them to a fake website.
In one phishing campaign his company recently discovered, people were sent text messages designed to lure them to fake websites of well-known Canadian and American banks.
Fake banking apps
The FBI also cautioned that cybercriminals are creating fraudulent apps designed to impersonate financial institutions’ real apps, to try to trick users into entering their login credentials.
Digital Shadows, a San Francisco provider of digital risk protection solutions, has seen many such impersonation apps con users into coughing up sensitive information or allowing the app to perform invasive actions on their behalf like reading and writing text messages, authenticating accounts, capturing and collecting photos, requesting authentication tokens, processing outgoing calls, reading contacts and adding or removing accounts.
“By using a bank’s brand imagery and details in the app’s description, users commonly ignore an app’s requested permissions because they are keen to trust that their download is legitimate,” said Kacey Clark, threat researcher at Digital Shadows. “After the users enter their credentials into the app and attempt to log in, the credentials are harvested and security codes can be bypassed.”
In another scenario, banking trojans can be used as a “dropper” to install malware onto a user’s phone, particularly spyware (aka stalkerware), Clark said. Once installed on a device, spyware can remain undetected while managing and accessing everything on a victim’s device including the target device’s camera and microphone, text messages, passwords, contact lists, stored or typed payment card details, and geolocation.
What financial institutions should do
The FBI offered several suggestions in its announcement, including advising consumers to use two-factor authentication when they’re using mobile banking and to make sure they’re using legitimate apps.
Fooshee pointed out that financial institutions need to communicate with their new mobile users.
“There's never been a better time for banks to clarify and distill their proactive communications with their clients about security and what they can do to help better protect themselves,” he said. “This is particularly true for those new digital banking clients who are particularly vulnerable. It's not difficult for banks to identify who these people are and to proactively engage in some constructive communication in a way that's a lot more plain English and not threatening, but constructive. Most banks have shied away from these kinds of communications because they don't want to impart the notion that it could be unsafe or unpleasant in some way.”
One large U.K. bank was grappling with scams targeting its customers, according to Fooshee. In addition to checking beneficiary names against account titles at the beneficiaries’ banks and alerting of any discrepancies, the bank — which he declined to name — started communicating more sternly with its customers about security.
“Where before they were using much more fluffy language, they really distilled their message and made it much more plain English, much more to the point and concise and basically said, there are threats out there — you need to be cognizant of these threats and here's what you need to avoid doing,” Fooshee said. “They got right to the point.”