Financial Industry Mobile Threats: How Banking Opportunity Meets Attack Liability
Financial companies see mobility as a competitive frontier for their business, and rightfully so. A superior mobile experience now does more to differentiate a bank than 1000 physical branches. As we’ve said before, killer banking apps are valuable assets to financial institutions, as customers expect to handle almost every aspect of managing money on the go — both US and Europe estimates for 2016 showed near 50% adoption of mobile apps among banking customers, with that number expected to surge to over 70% in the next two years.
Unfortunately, all the value in developing these apps, and the time-saving convenience they offer, goes out the window when a financial institution loses trust due to a cyberattack. A recent US Federal Reserve report revealed 73% of people had concerns about the security of mobile banking technology. Clearly, mobile bank app adoption is not going to slow down due to incredible utility and convenience for everything from faster withdrawals and deposits to transfers, personal budgeting and account management. Financial institutions need to step up to retain customer confidence and to keep from introducing mobile banking vulnerabilities. If a bank’s app exposes customers to fraud or identity theft, customers may never trust mobile banking or trading again.
Recently, a mobile attack was initiated with a bank’s own mobile app they offer to customers via public app stores. In November 2016, cyber criminals broke into Tesco Bank’s computer system and stole £2.5 million from over 9,000 customer accounts. It was later identified the attackers reverse engineered the Tesco mobile banking app and withdrew the money without the need of users’ credentials. As of today, the individuals conducting the attack remain anonymous.
Smartphones conduct hardware-level commands to do some of the work of banking — most notably, check scanners for instant deposit, and “cardless ATM” mobile transactions which are starting to gain favor because they save one more hassle of handling debit cards at the machine. When banks started rolling out this feature in 2016, the cybercriminals were not far behind and chose cardless ATMs as a great opportunity to make quick cash on stolen passwords.
In early 2017, the Chase Bank mobile app was used to compromise a device at an eATM to remove $3000 from an account after the user in the US found out he was locked out of his account. The bank later advised him he had been “hacked” and he was offered $3000 while they investigated.
Often, the heads of IT in banking fail to address mobile threats because, architecturally, they are thinking in terms of websites and corporate data centers, and “there’s no data stored on the phone” anyway. There may not be a hard drive but we know this is not true — there is current and expired session data and key logs, a clipboard and notes, and most importantly, the app’s user credentials and identity information which can unlock everything the customer owns.
The first line of defense is protecting the mobile device itself — starting with the financial firm’s own employees and associates, whether on company-issued or BYO devices. We recommend installing a Mobile Threat Defense platform like Zimperium’s zIPS app on the phone to detect both known and unknown threats to mobile devices. If your firm uses an MDM or secure container on devices, you can integrate all of these systems so the bank’s InfoSec teams get total visibility into the ever-evolving threat landscape their employees are operating in and the risk their devices introduce into the bank.
As we discussed earlier, iOS bank apps have shown certain vulnerabilities when used over Wi-Fi networks, which can allow a third party to intercept details about the user’s device, and possibly the user’s credentials and session details. That is why we also recommend that developers embed MTD within the app itself using a solution like our zIAP (In-App Protection) SDK— so it can detect threats coming from the devices, networks and other apps on that device.
Read more about Zimperium Mobile Threat Defense Solutions for Financial Industry Companies or contact us for a custom mobile risk assessment workshop.