New strains of malware are targeting online and mobile banking applications and existing threats continue. More banks' IT and security teams are taking a proactive stance.
March 1
Security firm viaForensics has been working a lot lately with the Department of Defense's Defense Advanced Research Projects Agency, which develops new technology for the military, to detect all malware targeting Android devices (the government is a big user of Android devices). "Last time I checked there were 400 or 500 types of mobile malware," says Andrew Hoog, chief investigative officer of viaForensics. "We're seeing a tremendous overlap in the current malware for Android and iOS," suggesting that cybercriminals are starting to get lazy and repurpose programming work already done. The DARPA/viaForensics team has also observed growth in malware for Windows operating systems.
"I think the biggest threat we'll see down the road is a growing up in the sophistication of attacks against mobile devices," Hoog says. "We've said for some time that as mobile devices combine personal and enterprise data, they become a more lucrative target. They're constantly connected to the internet and they're updated a lot. Mobile has all the information they're looking for in one spot."
Apple's iOS has some fundamental weaknesses, Hoog says. "What we always say about iOS is it's a monoculture," he says. "In the Android world, you can slice and dice things different ways. Because Apple controls their environment strictly, when you find a vulnerability in the iOS space, once you've got it, you've got it everywhere."
viaForensics today
Some of these tips are points viaForensics has made before when it's exposed security vulnerabilities in mobile banking and mobile wallet apps. For instance, the first tip is, "Avoid storing sensitive data on the device"; the second is, "avoid caching app data on the device." These are mistakes for which the security firm has "failed" applications in the past.
Some of the suggestions seem to run counter to newer things banks want to do with mobile banking. For example, tip 18, "use geolocation carefully," could seem at odds with some of the specific location-based mobile coupons and reward programs banks such as U.S. Bank are piloting — knowing that, say, the customer is in the paint department of Home Depot, that customer might be sent an offer for 30% off Sherwin Williams paint.
"Our point is not, 'don't use it,'" Hoog says. "In fact, use it at the granularity you need, there are several levels of granularity you can do with geolocation." For instance, a bank might want to know the customer's phone is in Chicago for fraud detection purposes, but might not need the street address. And geolocation data doesn't necessarily need to be saved, on the phone or anywhere. "Geolocation is valuable to the consumer and to the bank in a very specific time and instance, but there's no value to saving that information on the phone itself," Hoog says. "That's where we see a lot of people making mistakes. It's one thing to say I give you permission to find out if I'm in Home Depot, but don't save where I was when and store it on my phone. If you really need to save it, tell the consumer and save it on your server in a secure fashion."
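The granularity idea above can be made concrete: the app reduces a raw GPS fix to only the precision the fraud check needs (city-level, about 11 km), sends that transient value to the bank, and the server keeps just the last coarse cell in memory rather than a location history. The following is an added illustration, not code from viaForensics or from any bank's app; the granularity table, the `CoarseFix` type, the 900 km/h "impossible travel" threshold and the Chicago/London sample fixes are all constructed for the example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Decimal places of latitude/longitude kept per level (assumed labels).
# One decimal degree of latitude is roughly 11 km, so "city" keeps a
# ~11 km cell and "region" a ~111 km cell; "street" is full precision.
GRANULARITY = {"street": 4, "neighbourhood": 2, "city": 1, "region": 0}


@dataclass(frozen=True)
class CoarseFix:
    """A location reduced to the precision the caller actually needs."""
    lat: float
    lon: float
    level: str


def coarsen(lat: float, lon: float, level: str = "city") -> CoarseFix:
    """Round a raw fix down to the requested granularity.

    Only the coarse value leaves this function; the raw coordinates are
    never written to device storage or logged.
    """
    places = GRANULARITY[level]
    return CoarseFix(round(lat, places), round(lon, places), level)


def same_cell(a: CoarseFix, b: CoarseFix) -> bool:
    """True when two coarse fixes fall in the same cell at the same level."""
    return a.level == b.level and (a.lat, a.lon) == (b.lat, b.lon)


def haversine_km(a: CoarseFix, b: CoarseFix) -> float:
    """Great-circle distance between two coarse cells' centre points."""
    earth_radius_km = 6371.0
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * earth_radius_km * asin(sqrt(h))


def flag_impossible_travel(prev: CoarseFix, cur: CoarseFix,
                           seconds: float, max_kmh: float = 900.0) -> bool:
    """Server-side fraud check on city-level fixes only.

    Flags a session when the customer would have had to move faster than
    max_kmh (assumed airliner-speed threshold) between two coarse cells.
    Non-positive elapsed time with any movement is treated as impossible.
    """
    distance = haversine_km(prev, cur)
    if distance == 0.0:
        return False
    if seconds <= 0:
        return True
    return distance / (seconds / 3600.0) > max_kmh


class LastSeenStore:
    """Holds only the most recent coarse cell per customer, in memory.

    Stands in for the bank's server-side record; there is deliberately no
    history and nothing persisted on the handset.
    """

    def __init__(self) -> None:
        self._last: dict[str, CoarseFix] = {}

    def check_and_update(self, customer: str, fix: CoarseFix,
                         seconds_since_last: float) -> bool:
        """Return True if the new fix is suspicious, then replace the record."""
        prev = self._last.get(customer)
        suspicious = (prev is not None
                      and flag_impossible_travel(prev, fix, seconds_since_last))
        self._last[customer] = fix
        return suspicious


if __name__ == "__main__":
    # Constructed sample fixes: downtown Chicago, then central London 30 min later.
    store = LastSeenStore()
    chicago = coarsen(41.8781, -87.6298, "city")
    london = coarsen(51.5074, -0.1278, "city")
    print(chicago, store.check_and_update("cust-1", chicago, 0))
    print(london, store.check_and_update("cust-1", london, 1800))
```

Note that the "street" level exists in the table only to make the contrast visible; a fraud check like this one never needs it, and the app should request the coarse level from the start rather than collect full precision and discard it later.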
Developers tend to want to grab information and store it. "We say, don't do it just because you can, ask yourself why you're doing it and if you should," Hoog says. "If you should, make sure you do it in a secure fashion."
viaForensics' main point is that developers have to write secure code for mobile apps. "They're not writing secure code today, that's why we have different issues," Hoog says. "The fundamental problem with writing secure code is education. In the mobile space there's a lack of understanding, education and knowledge that needs to be done to inform people on best practices."