© 2024 Arizent. All rights reserved.
Payment fraud
BankThink

Banks are falling behind in fighting app store payment scams

By   Samuel Bakken December 19, 2018, 12:01 a.m. EST 1 Min Read

Researchers recently revealed three apps published on the Apple App Store that purported to help users monitor their health but instead attempted to swindle them out of more than $100 each.

It shatters the notion that iOS and the Apple App Store are immune to threats typically associated with Android and Google Play.

The fraudulent Fitness Balance and Calories Tracker apps asked users to scan their fingerprint using Apple’s Touch ID sensor in order to personalize their app experience.

Apple Store queue
Customers wait in line for the iPhone 7 smartphone outside an Apple Inc. store in New York, U.S., on Friday, Sept. 16, 2016. Apple Inc. unveiled new iPhones without headphone jacks last week, embracing a wireless future and a potential new source of accessory sales. Photographer: John Taggart/Bloomberg
John Taggart/Bloomberg

While warning the user not to remove their finger from the sensor, the app quickly served up an App Store pop-up for an in-app purchase. If a user had connected a payment card to their Apple account, before they could pull their finger away the $119.99 or €139.99 transaction was verified and the money was gone.

Apple and Google keep many bad apps off their stores and remove them rather promptly when notified, but criminals only get better at finding workarounds.

Just as consumers can’t afford to count on the official app stores to immediately detect and filter out every fraudulent or malicious app (e.g., mobile banking Trojans), neither can banks or financial institutions. Banks and FIs count on Android or iOS to give their customers access to their mobile banking applications.

Unfortunately, too many FIs are mostly blind to understanding the security status of their customer’s devices. A consumer’s device may be infected with a mobile banking Trojan targeting financial services apps with overlay and other attacks in order to steal credentials or initiate fraudulent transactions. And again, it’s possible that a consumer downloaded a mobile banking Trojan that came from an official app store!

Fortunately, banks and other financial institutions can take action to protect their apps in untrusted, potentially hostile environments.

Mobile app shielding technology fortifies a mobile app, regardless of the security status of a user’s device to detect and protect against many of the most prevalent tactics and techniques used by attackers today. When it comes to mobile security, it’s usually best to assume the worst (a compromised device) and then take action to protect an app and customer data even in those hostile conditions.

Samuel Bakken
Senior Product Marketing Manager, OneSpan
For reprint and licensing requests for this article, click here.
Payment fraud Retailers Online payments ISO and agent
MORE FROM AMERICAN BANKER