Mobile Authentication Guide Is a Weak Half-Measure
Consumers say they consider mobile banking unsafe even as they increasingly use it, assuming they can do nothing to protect themselves from the escalating threats. Banks can't afford to be so fatalistic.
January 19
Smartphone web use is far outpacing computer-based internet surfing. More Google searches are already conducted on mobile devices than on desktops. As consumers continue to increase their engagement with smartphones, they are subjected to the same cyberscams that they were subjected to on desktops and laptops.
But mobile banking users are at much greater risk than those using online banking websites. That is because mobile security controls are failing to address issues like social engineering and mobile bot attacks — all part of the new arsenal used by hackers to gain control of mobile devices.
Recently, the Federal Financial Institutions Examination Council issued a set of guidelines for mobile security, marking an update to previous regulations issued in 2011 and in 2005. The regulations lay out expectations and specifics for entities that accept payments over the internet. While the newest guidelines address some of the more recent developments in mobile security, they still leave many issues unresolved.
Hackers targeting mobile devices, for instance, can have a field day with remote access tool attacks (known as RATs), which let them take advantage of some of the features implemented by mobile device manufacturers and app developers to make interfacing with apps and sites easier. In an era when users get dozens of notifications on their devices each day — from social media, messaging apps, SMS services and elsewhere — few people think twice before opening a notification or clicking on a link. Hackers can use either of those methods to install a remote access tool to access a device and let them independently log on to a website or open an app.
Many of these RATs are delivered via social engineering scams, where fraudsters impersonate bank representatives over the phone. Users are convinced to install standard remote access support tools, such as TeamViewer, and hand over control to the criminals to "resolve security issues" in the banking app. The new guidelines make no mention of how banks can protect themselves from this type of threat.
Likewise, the guidelines fail to make mention of a big advantage for hackers on mobile devices: many apps — including payment apps, shopping apps and even banking apps — use the "trusted device" feature to allow users to access services without having to re-enter passwords and security codes. At most, users may have to press a confirmation button in this model, which is easily accomplished by the remote hacker.
The guidelines also do not make mention of the need to detect emulator access. Mobile banking apps are designed to run on smartphones; however, the same apps can be loaded onto PCs using mobile emulator programs. In fact, emulator programs are used to develop mobile applications. While emulators are not malicious, they can be used by cybercriminals to perpetrate mobile banking fraud. It's more convenient for hackers to use scripts, robots and spoof devices through emulators as the technique increases operational efficiency.
Another issue that remains unaddressed is the harvesting of user credentials via bots. The bots (automated login programs) use brute force tactics to match up usernames and passwords, going through thousands of combinations in minutes until a successful user/password combination allows for a login. While banks generally have placed controls on bot attacks on their websites, such controls are not always in place for logins via apps.
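One way a bank can apply the same bot control to app logins that it already applies to web logins is to watch each device's recent attempts in a sliding window and flag bursts of failures or of distinct usernames. The following is an added example, not code from the article or from any vendor named in it; the log format, device identifiers and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records (not real data): time, channel, device, username, outcome.
# dev-a1 cycles through many usernames from the app endpoint; dev-c3 is a user retrying.
SAMPLE_LOG = """\
2017-01-19T09:00:00 app dev-a1 alice FAIL
2017-01-19T09:00:02 app dev-a1 bob FAIL
2017-01-19T09:00:03 app dev-a1 carol FAIL
2017-01-19T09:00:05 app dev-a1 dave FAIL
2017-01-19T09:00:06 app dev-a1 erin FAIL
2017-01-19T09:00:08 app dev-a1 frank OK
2017-01-19T09:00:10 web dev-b2 alice FAIL
2017-01-19T09:07:00 web dev-b2 alice OK
2017-01-19T09:30:00 app dev-c3 gina FAIL
2017-01-19T09:30:30 app dev-c3 gina FAIL
2017-01-19T09:31:00 app dev-c3 gina OK
"""

WINDOW = timedelta(seconds=60)   # sliding window per device (assumed threshold)
MAX_FAILS = 4                    # failures inside the window that trigger a flag
MAX_USERNAMES = 3                # distinct usernames inside the window that trigger a flag

def parse(line):
    ts, channel, device, user, outcome = line.split()
    return datetime.fromisoformat(ts), channel, device, user, outcome

def detect_credential_stuffing(log_text, window=WINDOW,
                               max_fails=MAX_FAILS, max_usernames=MAX_USERNAMES):
    """Return {device: reason} for devices whose login pattern looks automated.
    The rule is channel-agnostic, so 'app' logins get the same scrutiny as 'web'."""
    recent = defaultdict(deque)  # device -> recent (timestamp, user, outcome) tuples
    flagged = {}
    for line in log_text.splitlines():
        ts, channel, device, user, outcome = parse(line)
        q = recent[device]
        q.append((ts, user, outcome))
        while q and ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        fails = sum(1 for _, _, o in q if o == "FAIL")
        users = {u for _, u, _ in q}
        if fails >= max_fails:
            flagged[device] = f"{fails} failed logins within {window.seconds}s via {channel}"
        elif len(users) >= max_usernames:
            flagged[device] = f"{len(users)} distinct usernames within {window.seconds}s via {channel}"
    return flagged

if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

A flagged device would then be blocked or stepped up to stronger authentication before its next attempt, rather than only logged.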
While the latest regulations do address some of the issues unique to mobile, there are others — very pressing ones — that they do not. The next round of regulations has to address more of the security issues unique to mobile, which will be no small feat.
Regulating the customer option to designate trusted devices, for instance, will be tough. Despite the security risks, app and device makers continue to offer the feature because customers want it. Here, the regulations will influence not just the technical exchanges between devices and sites, but actual user behavior. Regulators might allow this feature for nonrisky activities (e.g. viewing an account balance), but require stronger authentication for every payment or setting change.
Further, drawing up guidelines is a meticulous and rigorous process that takes time for regulators to investigate, prepare, review, approve and publish. The frequent changes in the fraud ecosystem, especially in digital channels, inevitably render guidelines incomplete the moment they are released.
Since regulators are aware of this challenge, they require banks to engage in a continual process of risk assessment and mitigation. As part of the risk mitigation, banks need to identify potential threats and consider tools to safeguard against social engineering, bots, emulators and remote access attacks.
The only thing certain is there's no going back. Mobile banking is here to stay and its popularity will only increase. Regulators should continue to examine the existing risk landscape and periodically prescribe relevant security controls. In order to secure their users, banks must remain vigilant and identify the emerging threats and mitigate them.
Oren Kedem is vice president of product management at BioCatch.