MOUNTAIN VIEW, Calif. — Credit unions should partner with members to battle all the mobile banking attacks that will likely strike the United States following
The Svpeng mobile malware was first detected in the U.S. on June 11 and may only be a warning shot from fraudsters, according to experts who say the virus is not yet attempting to steal banking credentials.
That gives credit unions time to step up mobile fraud strategies. But they need to get started now.
Those strategies include delivering member education on how to protect their smartphones and also avoid malware traps; creating apps better suited to ward off mobile threats; and providing members with more fraud alerts and the ability to take action on suspicious activity themselves.
"It's time credit unions take a hard look at their mobile security strategies because it will soon become a fire fight," said Chris Silveira, manager of fraud intelligence for Guardian Analytics.
Until June, no major security event had directly threatened U.S. mobile banking users — encouraging a great deal of debate about the security of mobile banking.
However, when Kaspersky Lab discovered that the Svpeng malware targeting mobile devices had made its way from Russia to the U.S. earlier this month. The malware looks for specific mobile banking apps on the phone, then locks the phone and demands money to unlock it.
"This is troubling," said Avivah Litan, vice president of Gartner in a previous report. "Financial institutions "cannot cleanse their customers' smartphones and have no control over this type of Trojan. All they can control is customer interactions with their bank applications. Even securing mobile bank applications and strengthening authentication processes for mobile users won't stop this type of Trojan from operating."
'Opportunity to Prepare'
The good news, according to Tiffany Riley, VP of marketing at Guardian Analytics, is that the Svpeng attack so far appears not to be a direct attack on mobile banking, just ransomware. "There is opportunity to prepare for what at some point will be a full-scale attack on mobile banking — whether it's this piece of malware or another."
Experts have also argued that it may not be the wisest move to spend a great deal of resources to specifically fight Svpeng, as there have been no reported victims of this malware in the U.S. since it was discovered a few weeks ago.
Bill Nelson, the president and chief executive of the Financial Services Information Sharing and Analysis Center, is one of those who sees little cause for concern over Svpeng.
"We haven't seen any reports of [Svpeng]," said Nelson, whose Washington organization gathers security incident information from 4,700 member financial institutions, aggregates it and sends it back to them in anonymous form.
But what the Svpeng attack does do, according to Riley, is underscore the "shared responsibility" between credit unions and their members in fighting mobile threats.
She advised CUs to add more sophisticated behavioral analytics to detect fraud attacks, and give members the ability to monitor and respond to threats. "Both parties play a role in doing what they can do to mitigate risk here," Nelson noted.
Analysts say a critical step is letting members know they should be taking the same security precautions on their smartphones as they do on their PCs and laptops.
"Consumers know they have to have antivirus protection on their PCs, but that's about as far as many of them go," said Stu Sjouwerman, founder and CEO of IT security firm KnowBe4 in Clearwater, Fla.
While Svpeng outside the U.S. has been used to steal online banking credentials, stateside the malware breaks into a mobile device through a social engineering campaign using text messages, and is almost impossible to remove, experts have stated.
Once it's wormed its way into a device, the malware looks for apps from a specific set of financial institutions: USAA, Citigroup, American Express, Wells Fargo, Bank of America, TD Bank, JPMorgan Chase, BB&T and Regions Bank.
No credit unions appear to be on the target list yet.
The malware then locks the screen of the mobile device with a fake FBI penalty notification letter and demands $200 in the form of Green Dot MoneyPak cards. It also displays a photo of the user taken by the phone's front camera.
Increasing Member Training
Sjouwerman recommends credit unions increase member training programs. "Get everyone trained on looking out for those funny little text messages about something silly or scary and not clicking on them."
At GTE Financial in Tampa, Fla., that's part of the strategy, explained Chad Burney, CIO and SVP of virtual banking, who said the $1.6 billion credit union is also adding videos to its fraud-fighting library.
The CU's "security center" for online banking may soon house a YouTube video that shows members how to possibly stop a Svpeng attack before the virus infects their phones' operating systems.
"We like to show our members, instead of just telling them," said Burney. "There is no way to stop the Svpeng virus once it infects the phone's operating system, but you may be able to intercept it. If members suspect their phone has just been infected, they can reboot in the safe mode and delete the malware file before it has had a chance to attack the phone's operating system."
"While we will certainly educate our members about how to safely use their phones and have them protected, education can only do so much. It is not a cure-all, and it takes time," said CIO Joe Riccardo.
He explained that the $180 million-asset Aspire is working to increase mobile security with new apps designed to withstand cyber threats "as best as they can. This fight is a partnership for sure with members, but we think more of the responsibility falls on the credit union."
Burney believes it's time to step up mobile monitoring and alerts, and give members the ability to limit their own losses or stop them on their own.
"A large part of our mobile fraud strategy is to give our members greater ability to monitor their accounts and take quick action," said Burney.
Analysts reiterated that the U.S. Svpeng attack apparently does not steal mobile or online banking credentials and does not target credit unions — but it's only a matter of time before it, or another piece of mobile malware, goes after both.
"The number of mobile banking transactions is rapidly increasing, and unfortunately the bad guys approach this as a business," said Sjouwerman, who reminded that the U.S. mobile fraud target is growing, with more than 100 million Americans using mobile banking.
"Cybercrime is a thriving business in Eastern Europe with office buildings filled with people who arrive at eight and leave at six, take lunch breaks and receive healthcare from organizations that are nothing but criminal enterprises," he said.
Sjouwerman suspects crooks are taking a "step-by-step" approach to attacking mobile, and that possibly the current Svpeng virus — which has the capability of stealing account credentials — could be setting up a bigger attack.
"They test the market, the malware, phishing and e-mail... They start small and then roll out these criminal campaigns," he said.
They also target big banks first and then work their way down the financial food chain.
"The criminals know the medium to small credit union does not have a big security budget and are often easier to get into," said Sjouwerman. "Cybercrime will move into mobile at a rapid clip, and FIs of all sizes better be on top of this before it bites them in the behind."
--Penny Crosman contributed to this article.
