The advent of vicious new malware strains like HijackRAT and Svpeng inevitably causes bank CEOs and boards to turn to their IT and security chiefs and ask: "What have you done about this, and what do you plan to do?"
There are several defensive moves banks can make, some of which involve spending on new technology while others are simpler fixes.
There are currently 3.73 million strains of malware targeting mobile devices, many of them Trojans like Svpeng, according to security software firm McAfee. About 97% target Android devices; the open-source nature and many variations of the Android operating system leave it more vulnerable to malware than the more locked-down and controlled Apple iOS and Apple App Store.
But Apple, Windows and BlackBerry devices are not immune. Apple last week applied for a patent on technology that would provide location-based security: the use of geolocation sensors to automatically lower or raise the security constraints on a device. For instance, while a user is at home, the need for a password to unlock the device could be dropped. Any means of automatically lowering basic security mechanisms will become an unspoken invitation to hackers.
A week ago, FireEye mobile security researchers discovered mobile malware referred to as HijackRAT that pretends to be a Google update, kills an anti-virus app on the phone and steals the user's banking credentials. Eight Korean banks have been targeted so far, but others could easily be added to the list.
And last month, the mobile Trojan Svpeng was discovered operating in the U.S. Svpeng checks a user's phone for an app from a specific list of financial institutions, locks down the phone and demands money to unlock it. In later incarnations, the malware is expected to start stealing online banking log-ins and passwords, as it already does against Russian bank accounts.
Mobile devices generally are more vulnerable to malware than PCs. For one thing, consumers are cavalier about protecting them. Parents let small children play with their phones, points out Shirley Inscoe, a senior analyst at Aite Group.
"They don't realize how important those devices are to their lives," she says. "We all rely on our contacts, calendars, email and all the other information our mobile devices contain."
Also, consumers have not been conditioned to use and update anti-virus software for their smartphones the way they have for PCs.
With all that in mind, here are five ways banks can help protect their customers from mobile threats:
Teach Customers About the Risks
The No. 1 defense against mobile malware, according to Inscoe, is customer awareness and education.
Forty-four percent of U.S. consumers said they couldn't recall ever seeing anti-fraud information from their financial institution, according to a recent Aite Group survey. About 18% said they'd received an email from their bank with anti-fraud information; 21% said they'd gotten something in the mail; and 11% said they had read about fraud on the bank's website.
"There's a huge opportunity here for financial institutions to educate consumers so they know what to do and what not to do to better protect themselves," Inscoe says. Banks can inform customers about the dangers of malware and the risks of downloading free apps that could contain malicious code, for instance.
They can warn consumers against "jailbreaking" their devices (i.e., removing operating system provider or carrier restrictions from them), which makes them less secure.
Banks could encourage consumers to download antivirus software to help protect their devices. However, they must be careful to choose an official app, and not some rogue app that contains malicious code of its own.
Every consumer should back up their phone, and the telecom and operating system providers ought to support this, says David Britton, vice president of 41st Parameter, a security research subsidiary of Experian.
"With all the technology and cool whiz-bang stuff we've got flying around, it should be a no-brainer that the platform should have that as a seamless process," he says.
If a customer's system is locked out and he has a good backup, he could ignore a ransom request from ransomware such as Svpeng, wipe all the malware from the device and restore his data.
Multifactor authentication is another effective defense, says Alphonse Pascual, practice leader for fraud and security at Javelin Strategy & Research.
"The best way to protect against the threat of compromised log-in credentials is to make them worthless to criminals in the first place," he says.
Device fingerprinting, sometimes called device ID, has potential for strengthening mobile banking security. It can be used to check if the device being used to log in is the same as the one that was registered.
"Mobile devices allow for a very unique and changing signature which makes [device ID] great for thwarting malicious attacks," says Andrew Hoog, CEO of Viaforensics. "If you apply the rich set of sensors mobile devices have and the fact that they go nearly everywhere with us, what you have is a great form of authentication."
He cautions that device ID should be used in conjunction with other techniques. For instance, when a user logs into a mobile app with a passcode, the bank could check to see if the mobile signature is consistent with the signature it has on file.
Knowledge-based authentication (sometimes called challenge questions), a once-popular way of verifying a customer's identity, is falling out of favor, Inscoe notes.
"I've had several financial institution clients tell me their legitimate customers cannot always answer these questions, but if a credit bureau report gets in the hands of the bad guys, they can answer every question," she says.
However, challenge questions are useful as one piece of a multi-layered approach to authentication.
Quickly Notify Customers of Suspicious Activity
Alerts about suspicious transactions, often based on location, can make mobile banking more secure.
"If a consumer uses an ATM in Minneapolis and then ten minutes later makes a purchase in Topeka, there's probably a problem there, and geolocation can help you identify that," Inscoe says.
More than 50% of surveyed U.S. consumers said they would like to be contacted via a phone call or email if fraud is suspected on their account, Inscoe says. Only 38% said they would like to be contacted by text message in such a case. She hypothesizes that this is because many consumers are still being charged for text messages.
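The geolocation check Inscoe describes is usually implemented as an "impossible travel" rule: compute the speed a customer would have needed to be present at two consecutive events, and alert when it exceeds what any traveller could manage. The following is an added illustration, not code from the article or any vendor; the 900 km/h threshold and the sample events (Minneapolis ATM, then a Topeka purchase ten minutes later) are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

@dataclass(frozen=True)
class Event:
    account: str
    when: datetime
    lat: float
    lon: float
    channel: str  # e.g. "atm", "card_purchase", "app_login"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed the customer would need to be physically present at both events."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:  # simultaneous events in two places are impossible too
        return float("inf") if km > 0 else 0.0
    return km / hours

def impossible_travel(events, max_kmh=900.0):
    """Walk each account's events in time order and return (previous, current, speed)
    for consecutive pairs faster than max_kmh (assumed airliner-speed threshold)."""
    alerts = []
    last_seen = {}
    for cur in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(cur.account)
        if prev is not None:
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append((prev, cur, speed))
        last_seen[cur.account] = cur
    return alerts

# Constructed sample data: account A mirrors the Minneapolis-then-Topeka scenario
# ten minutes apart; account B makes the same trip over six hours (plausible).
T0 = datetime(2014, 7, 1, 12, 0)
SAMPLE_EVENTS = [
    Event("A", T0, 44.98, -93.27, "atm"),
    Event("A", T0 + timedelta(minutes=10), 39.05, -95.68, "card_purchase"),
    Event("B", T0, 44.98, -93.27, "atm"),
    Event("B", T0 + timedelta(hours=6), 39.05, -95.68, "card_purchase"),
]
```

Running `impossible_travel(SAMPLE_EVENTS)` flags only account A, at roughly 4,100 km/h implied; a production rule would feed such hits into the customer alerting channel the survey respondents say they prefer.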
Use Sophisticated Fraud-Detection Technology
Behavioral and fraud analytics can be used to create a profile for each mobile banking user and alert the bank of any unusual behavior patterns on an account, the way most banks analyze credit card use.
"For malware that steals credentials, banks and all online businesses must have a way to detect when apparently legitimate credentials are being used illegally," Britton says.
Build a Better App
Secure mobile app design is critical. It's helpful to get security experts involved early in the design of new apps, Britton suggests.
"Marketing and product folks that are setting the roadmap for mobile must invite their security counterparts to the table to ensure they've got a consistent security strategy in mobile and online," he says. The schism is wider when mobile app development work is outsourced, he says.
By and large, banks haven't invested a lot in anti-fraud technology for mobile banking. Inscoe points out that fraud prevention is a cost center. To invest in a new technology, there has to be a business case, which in the case of fraud typically requires that losses have already been sustained. To date, U.S. financial institutions haven't reported any losses from mobile banking fraud.
"There are a handful of banks considering the reputation risk as well as other risks and making more strategic investments in some of these tools," she says.