Mobile devices running iOS or Android are far from secure; the latest Kindsight Security Labs report from Alcatel-Lucent highlights that there are currently over 15 million infected mobile devices worldwide — a 20 percent increase from 2013. The Kindsight Security study also found an increase in mobile spyware. Of the 2.3 billion smartphones around the globe, Kindsight Security estimates that 40 percent of them contain spyware used to monitor the phone’s owner by tracking the device’s location, incoming and outgoing calls, text messages, email, Web browsing and history.
What makes the ground so fertile for such breaches?
The “surface area” for attackers to hit has grown immensely with the mobile computing explosion. In the past, when apps were run inside data centers, there used to be just a few “attack areas” for hackers to pursue — mainly focused on remotely exploiting flaws and defects in the application code.
Today’s mobile landscape introduces new threat vectors that typically aren’t considered in organizations’ mobile banking security approaches. Key threat vectors include:
1. Jailbroken or Rooted Devices: Your mobile banking app security may be state-of-the-art, but if you use it on a jailbroken or rooted device, you may be exposed to extreme risk. Users often jailbreak/root their devices, virtually breaking the security model and removing any inherent limitations, allowing mobile malware and rogue apps to infect the device and control critical functions such as SMS. Recently, a variant of the PC-based Zeus malware “ZitMo” has been used to forward SMS messages to cyber-criminals as a means of circumventing out-of-band authentication.
2. Outdated OSes and Non-secure Connections: Risk factors such as dated operating system versions, non-secure Wi-Fi network use and pharming attacks allow cyber-criminals to exploit an existing online banking session to steal funds and credentials or gain full access to the mobile device.
3. Account Takeover: Cyber-criminals use mobile devices to access a victim’s account through mobile browsers or mobile banking apps. Unfortunately, they have enjoyed relative anonymity because mobile devices share many similar attributes, which makes criminal devices hard to tell apart from legitimate ones. Server-side device ID solutions have a difficult time uniquely detecting criminal devices.
4. Cross-Channel Credential Theft: One of the prevalent enablers for account takeover is stolen credentials through phishing or malware on the online channel. In some cases, the mobile channel is not sufficient to fully execute a fraudulent transaction; fraud can either start or end on the mobile device, but most methods of attack involve at least one additional channel that fraudsters use to complete their task. To effectively protect end users and the mobile banking application, cross-reference actions need to be performed on the various channels while looking for suspicious activities. To identify mobile account takeover, one must see the entire picture — the full fraud life cycle — rather than a limited, tunnel-visioned view of just the mobile channel.
5. Attacks on the Mobile Application: When a user downloads an app, it arrives in binary code format, and if steps have not been taken to protect this binary code, the app is susceptible to reverse engineering. There are many readily available tools that can reverse an application from binary format into source code. With access to source code, hackers can gain access to sensitive data and intellectual property (IP). Also, the code can be modified (e.g., security controls can be patched out), the run-time behavior of the application can be altered and/or malicious code can be injected into the application. Once altered, the application can be repackaged and circulated to look as though it originated from a known/safe source.
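The following is an added example, not code from the original article or from any vendor it mentions, showing how a server-side fraud engine could act on threat vectors 1 through 4 together: device risk factors (rooted device, outdated OS, untrusted network), one device ID appearing across many accounts, and the cross-channel view the article calls for (a web password reset followed by a mobile transfer from a never-seen device). The event schema, the OS version floors, the scores and the thresholds are all assumptions of this example, and the events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import defaultdict

# Event fields are an assumption of this example, not any real product's schema.
@dataclass
class Event:
    ts: datetime
    user: str
    channel: str            # "web" or "mobile"
    action: str             # "login", "password_reset", "transfer"
    device_id: str
    rooted: bool = False    # jailbroken/rooted flag reported by the client-side check
    os_version: str = ""    # e.g. "android 5.1" or "ios 12.4"
    untrusted_network: bool = False
    amount: float = 0.0

# Assumed policy floors for this example only.
MIN_OS = {"android": (7, 0), "ios": (12, 0)}

def parse_version(v):
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def device_risk(ev):
    """Threat vectors 1 and 2: score the device a session came from."""
    score, reasons = 0, []
    if ev.rooted:
        score += 50; reasons.append("rooted_or_jailbroken")
    if ev.untrusted_network:
        score += 15; reasons.append("untrusted_network")
    platform, _, version = ev.os_version.partition(" ")
    floor = MIN_OS.get(platform)
    if floor and parse_version(version) < floor:
        score += 20; reasons.append("outdated_os")
    return score, reasons

def shared_devices(events, max_users=3):
    """Threat vector 3: one device ID logging into more accounts than a person plausibly owns."""
    users = defaultdict(set)
    for ev in events:
        users[ev.device_id].add(ev.user)
    return {d for d, u in users.items() if len(u) > max_users}

def assess_transfers(events, window=timedelta(hours=24)):
    """Threat vector 4: judge each mobile transfer against the user's full cross-channel history."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    suspicious = shared_devices(events)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not (ev.channel == "mobile" and ev.action == "transfer"):
                continue
            score, reasons = device_risk(ev)
            recent = [p for p in evs[:i] if ev.ts - p.ts <= window]          # any channel
            older_devices = {p.device_id for p in evs[:i] if ev.ts - p.ts > window}
            if any(p.channel == "web" and p.action == "password_reset" for p in recent):
                score += 30; reasons.append("web_password_reset_in_window")
            if ev.device_id not in older_devices:
                score += 20; reasons.append("device_first_seen_in_window")
            if ev.device_id in suspicious:
                score += 40; reasons.append("device_shared_across_accounts")
            decision = "block" if score >= 70 else "step_up" if score >= 30 else "allow"
            findings.append({"user": user, "ts": ev.ts, "amount": ev.amount,
                             "score": score, "reasons": reasons, "decision": decision})
    return findings

# Constructed sample events: a clean long-standing customer and a takeover pattern.
T = datetime(2014, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T - timedelta(days=30), "alice", "mobile", "login", "dev-A1", os_version="ios 12.4"),
    Event(T, "alice", "mobile", "transfer", "dev-A1", os_version="ios 12.4", amount=120.0),
    Event(T - timedelta(hours=3), "bob", "web", "password_reset", "web-session-9"),
    Event(T - timedelta(minutes=20), "bob", "mobile", "login", "dev-X7", rooted=True, os_version="android 5.1"),
    Event(T, "bob", "mobile", "transfer", "dev-X7", rooted=True, os_version="android 5.1",
          untrusted_network=True, amount=4800.0),
    Event(T - timedelta(hours=1), "carol", "mobile", "login", "dev-X7"),
    Event(T - timedelta(hours=1), "dave", "mobile", "login", "dev-X7"),
    Event(T - timedelta(hours=1), "erin", "mobile", "login", "dev-X7"),
]

if __name__ == "__main__":
    for f in assess_transfers(SAMPLE_EVENTS):
        print(f["user"], f["decision"], f["score"], f["reasons"])
```

The point of `assess_transfers` is that the mobile transfer is never judged on its own: the lookback covers the web channel as well, which is where the credential theft in this pattern starts. Scores and thresholds here are illustrative; in practice they would be tuned against the institution's own fraud history.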
A New Model for Mobile Banking Security
In order to deal with the changing mobile threat landscape, a new set of tools is necessary. Financial institutions should embrace a comprehensive security approach that meets these evolving threats and includes the following:
Device risk level detection
Account takeover detection
Persistent device ID
Mobile application protection
Harden app to protect the confidentiality of the code
Protect the integrity of the app at run time
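As an added example, not part of the original article and not any vendor's implementation, the block below sketches the server side of two items in that list: a persistent device ID that the client cannot forge or alter (a random identifier carrying an HMAC tag, which the app would store in its platform keystore; that storage is assumed, not shown), and a run-time integrity check that admits a session only when the app reports a build digest from a known-good list. The server key, the allow-list of build digests and the token format are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed server-side secret; in production it lives in an HSM or KMS, not in code.
SERVER_KEY = os.urandom(32)
# Constructed allow-list standing in for the SHA-256 digests of released app binaries.
KNOWN_GOOD_BUILDS = {hashlib.sha256(b"bank-app-release-3.2.1").hexdigest()}

def issue_device_id(key=SERVER_KEY):
    """Mint a random persistent device ID plus a tag proving this server issued it."""
    raw = os.urandom(16)
    tag = hmac.new(key, raw, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(raw + tag).decode().rstrip("=")

def verify_device_id(token, key=SERVER_KEY):
    """Return the device ID (hex) if the tag checks out, None if forged or altered."""
    try:
        data = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(data) != 32:
        return None
    raw, tag = data[:16], data[16:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()[:16]
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return raw.hex() if hmac.compare_digest(tag, expected) else None

def check_app_integrity(reported_digest, known=KNOWN_GOOD_BUILDS):
    """True only when the app's reported code digest matches a release we shipped."""
    return reported_digest in known

def admit_session(token, reported_digest):
    """Gate a mobile session on a valid device ID and a recognised app build."""
    device = verify_device_id(token)
    if device is None:
        return {"admit": False, "reason": "unknown_or_forged_device_id"}
    if not check_app_integrity(reported_digest):
        return {"admit": False, "reason": "unrecognised_app_build"}
    return {"admit": True, "device_id": device}

if __name__ == "__main__":
    token = issue_device_id()
    good = next(iter(KNOWN_GOOD_BUILDS))
    print(admit_session(token, good))
    print(admit_session(token, hashlib.sha256(b"repackaged-build").hexdigest()))
    print(admit_session("not-a-token", good))
```

The device ID is random rather than derived from hardware attributes, which is what lets it stay unique across the look-alike devices described under account takeover, and the HMAC tag means a client that tampers with it simply loses the ID rather than acquiring someone else's. The caveat a practitioner would raise is that the build digest is self-reported: a repackaged app can lie about it, so this check only catches naive repackaging, and it is the code hardening and run-time protection the list calls for (or a platform attestation service) that makes the report harder to falsify.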
Financial institutions are constantly looking for the right mix of technologies that can securely support multiple use cases and enable productivity while keeping enterprise data protected on mobile devices. Although the range of technologies that address mobile security is broadening and maturing, most enterprises are still looking for basic tools that protect against physical loss of a device or the use of improper applications.
Despite the growing awareness and the enormous efforts financial institutions undertake, a significant gap remains between mobile technologies and the security mechanisms that protect them. Financial institutions have been carrying vast product sets, frequently unappreciated by their customers, often at a cost in operations, technology and service and, sometimes, in risk and regulatory challenges.