The criminal activity that targets mobile banking has not yet reached the levels of web banking, mostly because the volume of mobile banking to this point hasn't made it as attractive a target.
But as mobile banking grows, that's starting to change — particularly since mobile banking is vulnerable to a wide variety of criminal threats. A new strain of crime that tricks users out of their subscriber identity module (SIM) cards has quickly emerged to threaten banks and other enablers of mobile payments such as telecoms.
"This special attack involves stealing information to generate new SIM cards," says Orem Kedem, a director at the security firm Trusteer, who described the threat in a recent interview. Kedem says the new attacks on SIM cards grew out of an earlier criminal threat that uses the victim's mobile number to redirect one-time passwords (OTPs — a method to protect electronic transfers) to the crook's phone.
A SIM card is a small smart card that can be moved from one phone to another. It can be used to store a key used for authentication purposes. SIM cards are the favored method of securing mobile payments at ISIS and other telecom-driven mobile payment schemes around the world because the telecom provider maintains more control over the technology. Other strategies, such as embedding mobile phones with NFC, would give handset manufacturers such as Apple more control.
In the new SIM card attack, a Gozi Trojan is used to steal international mobile equipment identity numbers (IMEI) from account holders when they log into the mobile banking application. Once the crook has acquired the IMEI number, he or she contacts the wireless service provider, reports the mobile device as lost and asks for a new SIM card. Once the crook gets this new SIM card, all OTPs intended for the victim's phone are sent to another mobile device that's now controlled by the crook.
Avivah Litan, a vice president and analyst at Gartner, says the SIM cards and the NFC chips that are embedded in the secure element (where the user data is stored) are highly secure. "The vulnerabilities and issues come from the business processes and applications that surround them. In this case, it's good old fashioned social engineering that defeats the strong technical security. People and processes are always the weakest links and this is no exception. Sure, mobile payments will open up the possibility of lots of new types of attacks that exploit processes, people and applications that make use of chip functionality."
Kedem says one option for the carriers is to use strong authentication — or verification in a second venue — for SIM card issuance.
"Mobile carriers are not set up to be issuers of credit cards, they don't have the processes for that. They need to set up similar password protections similar to credit card issuers. That's a whole new ballgame," he says. ISIS did not return requests for comment by Monday morning.
The mobile banking industry in general is still behind the curve in terms of security. In an earlier interview with BTN, Aaron Mcpherson, practice director for IDC Financial Insights, said the lack of attacks played a role in lagging security and antivirus technology, but that that would change soon. MacPherson predicted the growing popularity will spur breaches that will drive interest in security software.