We live in a connected world. Life without our mobile devices providing us with constant, easy access to a wealth of apps and services is scarcely imaginable.
For all this convenience, however, there is a price to pay. Cybercriminals are fast finding so many new avenues of attack that businesses are struggling to contain them.
One of the primary targets is banking. Mobile banking services are proving very popular. The lure of easy money is irresistible to threat agents of every description.
The banks recognize this and are working hard to place robust security and customer data protection measures at the heart of their mobile offerings.
Working equally hard, however, is a whole underground industry dedicated to finding new and inventive ways to take control of customers’ smartphones.
Acutely aware of this, many businesses are deploying a range of security measures, particularly on company-owned devices.
One of these is to ensure mobile devices automatically activate virtual private network (VPN) software whenever they connect to remote services over the Internet. In this way digital communications remain encrypted – on device, in transit and at rest – at all times.
Cracking the Code
Last month, the FBI issued a security notice to commercial organizations about the increasing dangers of attacks that circumvent two-factor/multi-factor (2FA/MFA) protection methods.
In its statement, the FBI referenced a number of cases where US banks were targeted. Earlier this year, for example, attackers took advantage of a website flaw to evade 2FA security measures.
In phase one of the attack, cybercriminals used stolen credentials to log in to a victim’s account. Part two involved injecting some lines of code into the web URL. The system was fooled into thinking the fraudsters’ device belonged to a genuine customer. This allowed the imposters to skip the PIN/security question step of the process and start making transactions.
SIM swapping is another way to beat banks’ 2FA/MFA security measures.
First, the fraudster collects as much information about the victim as possible. It may start with a phishing mail that tricks them into divulging personal information such as dates of birth, addresses and phone numbers.
Alternatively, they might harvest the data from public websites, social media or Dark Web data dumps.
Armed with this information the scammer creates a false identity. They then call or visit their mobile network service provider to say their SIM card has been lost or damaged.
Then, with the unwitting help of the customer service representative, the victim’s SIM card or number is activated for the scammer to use.
Breaking into Banking Apps
Around the world, criminal gangs are also developing mobile malware to capture personal banking data.
According to a recent report from CrowdStrike, the popularity of mobile banking has given birth to a hidden market where developers offer mobile malware-as-a-service to support criminal campaigns.
The latest banking malware employs a variety of insidious and sophisticated techniques to capture the credentials of unsuspecting users.
One particularly pernicious threat to mobile devices is the remote access Trojan (RAT). A mobile device infected with a RAT can give attackers comprehensive access to a victim’s data as well as control of the microphone, camera and GPS.
Popular methods for persuading users to install malicious apps include sending spam with links to fake websites or enticing them to download a fake app.
Regardless of how the personal data is gathered, the aim is always the same: to use the stolen identities to bypass banking security.
As cybercriminals migrate to mobile banking, users need to adopt a safety-first approach to prevent their devices from being compromised.
Some common-sense everyday practices are a good start. For example, only download apps from official app stores and other trusted sources, know how to recognize phishing spam and never click on embedded links.
Just as importantly, ensure software patches and operating system updates are applied regularly. Adding strong passwords and biometric authentication measures such as fingerprint or facial recognition also helps.
The use of mobile devices in the workplace adds a further dimension.
Under data protection regulations like GDPR, corporations have a duty to keep sensitive customer information safe. This means adopting measures to secure company-owned mobile devices.
One method is mobile device management (MDM). MDM protects against mobile malware by restricting which applications are available for download. It also ensures security patches are deployed automatically.
Other solutions include mobile endpoint detection and response as well as centrally managed VPN.
A professional, enterprise-grade VPN allows an organization’s IT administration team to manage and authenticate many hundreds of mobile devices remotely.
All digital communications between remote workers and corporate networks/cloud applications are encrypted as they pass over the public Internet.
IT support engineers can set remote VPN connections to “always on” or to activate automatically whenever an unsafe environment – a coffee shop or airport for example – is detected.
In summary, mobile banking apps are growing in popularity as users discover the convenience of being able to manage their day-to-day financial needs on the go.
However, mobile devices are generally less well protected than traditional computers, and there is a greater chance that individual consumers will not be security savvy.
There is now concrete evidence that cybercriminals have wasted no time following the money.
Corporations need to do all they can to ensure workers with corporate-owned mobile devices do not succumb to the efforts of mobile banking scammers and fraudsters.
An enterprise VPN allows organizations to provide end-to-end encryption for workers’ mobile devices and ensure company-confidential data remains secure and private at all times.