Considering mobile malware safeguards
By Katie Kuehner-Hebert
Information is the new currency. For that reason, of course, personal financial information has become intensely more valuable. That also makes today’s mobile communication environment the new lucrative frontier for cyber-thieves.
Indeed, mobile malware attacks jumped 614 percent in 2012 compared with the previous year, reflecting the more than 276,000 malicious mobile apps now in circulation, according to a report by Juniper Networks, an Internet networking equipment manufacturer in Sunnyvale, Calif.
“Banks creating their own mobile applications need to treat the development of a mobile app just like they treat the development of a normal piece of software or online application,” offers Josh Pauli, an associate professor of cyber security at Dakota State University in Madison, S.D. “It’s easy to get really excited and push the app out too quickly, but security standards should be followed and testing of the mechanisms should be put in place before they roll out their mobile application to make sure the app is secure.”
Mobile devices can become infected with malware when users click links to emails or visit websites. Malicious mobile apps are typically on third-party sites, but sometimes they also can be on iTunes or Google Play. Once someone downloads such an app for a game or a free ring tone, the malware behind that can activate any functionality on the phone, such as the camera to capture the user’s debit card PIN or bank login information.
Similar to malware on desktops and laptops, mobile malware steals information through cyber-infections, known as worms or Trojans, says Kurtis VanderWal, senior manager, information technology consulting at Plante Moran in Southfield, Mo. “Worms spread automatically and without user interaction,” VanderWal says. “Trojans require some initial user interaction and employ an edge of social engineering to trick the user into regarding the app as harmless and potentially useful or fun.”
There are two primary ways mobile malware attempts to steal money—through premium-rate SMS and through hidden banking malware. Premium-rate SMS fraud involves the software sending messages to premium-rate numbers without the user’s consent or knowledge. Malware attempts to capture authentication data—such as transaction authentication numbers, called mTANs on mobile devices—sent via SMS from a bank to a user. These SMS messages can be forwarded without the user’s knowledge and used to gain access to a bank account.
While developing requirements of a mobile banking app to allow for some functionality, such as account transfers or check imaging, security steps by users should be incorporated into each step or function taken in a mobile environment, Pauli says. Those security steps can involve a multifactor authentication or strong encryption, he says.
Al Pascual, senior analyst, security, risk and fraud at Javelin Strategy & Research Inc. in Pleasanton, Calif., says the largest concern for banks is the SMS-grabbing malware, which are extensions of desktop programs, such as ZitMo for Zeus, CitMo for Citadel and SpitMo for Spyeye, all designed to intercept one-time passwords sent via SMS text to a customer’s smartphone.
“Banks should encourage consumers to adopt traditional anti-malware software on all of their devices,” Pascual says. “They can also use client-side browser protection software, such as Trusteer, which is very popular.”
Because so much vulnerable behavior and risks are created by customers outside a bank’s control, educating consumers is a major first step in mobile banking security, IT security experts say. “Users neglect the security regimens they may follow for their conventional computers because they don’t consider their phones and PDAs to be ‘computers’—but they are just as vulnerable,” Pascual says.
Pascual says take advantage of transaction analysis to know the typical withdrawal transfer behavior of their customers, and then keep an eye out for anomalies. Also be wary of giving out one-time passwords through SMS; instead, offer customers mobile apps that give one-time passwords, such as PhoneFactor by Microsoft.
Criminals can also deploy “rogue apps,” such as reverse engineered versions of mobile banking apps that will appear legitimate to unwitting consumers, Pascual says. These apps can be used to collect the customer’s credentials to later commit fraud, while still facilitating the customer’s transactions. Some specialty software service providers can help protect a bank’s mobile app from such reverse engineering attacks.
“As mobile banking becomes more popular, then criminals will begin to develop mobile malware to actually compromise legitimate mobile banking sessions,” Pascual says. “We’re not there yet because there is not enough money in it for the criminals. Once it becomes worthwhile to write those programs, they’ll do it, but now they’re making boatloads by targeting online banking customers through their PCs.”
Katie Kuehner-Hebert is a financial services writer in Running Springs, Calif.