
The future of mobile security in banking

By Michael Flossman, Security Researcher at Lookout

What security challenges will the banking industry face over the next few years?

Michael Flossman

The use of mobile in all aspects of life is growing, from the near-daily use of banking apps through to accessing work remotely, so it’s become a viable, and currently very profitable, channel that hackers can target in order to steal sensitive data. Over the last several years we have seen threat actors expand their traditionally desktop-focused arsenals to now include a mobile component. This was the case with the actors behind the successful SpyEye and Zeus desktop families, who released Spitmo and Zitmo respectively. It isn’t just the established cybercriminal gangs that are breaking into the mobile space; we’re also seeing a number of new players deploy mobile banking trojans like BancaMarStealer / Marcher, Cron, and MazarBot. Leaked source code for an earlier banking trojan known as GMBot has meant that the barrier to entry for threat actors looking to have a mobile capability is quite low.

It’s now more critical than ever that banks upgrade their cybersecurity measures to include mobile, so end users are protected regardless of the channel they use to bank with.

How do these attacks work?

It tricks the user by introducing an overlay, essentially a fake login page which looks identical to what a user would see when browsing to the bank’s legitimate website or when using their official mobile application.

Once the device has been infected, the trojan is sophisticated enough to identify which banking applications are on that device, or what banking website a victim is currently viewing, and uses that information to display a corresponding overlay. Visually there is nothing to indicate to the end user that they are entering sensitive information directly into a malicious application.

Where are these attacks coming from?

These attacks are not always set up by experienced actors. Malware packages are often being sold as a service. More and more of these actors have no experience in creating these tools and instead buy or rent them. This was very much the case with BancaMarStealer, also known as Marcher, which Lookout researchers first saw being used in Eastern Europe before being sold globally as a service. Since emerging, its use has exploded and Lookout has seen it deployed in Russia, France, Germany, Austria, Poland, Spain, The Netherlands, The United Kingdom, Australia, Canada, and The United States.

What can banks do to protect customers that use mobile banking?

Mobile transaction authentication numbers (mTANs) require online transactions to be accompanied with a specific token that has been sent directly to a user’s mobile device. However, Lookout has seen some banks in the West move away from mTANs in favour of physical, non-internet-connected two-factor authentication tokens. These require users to physically enter their banking card and PIN, which in return provides a short-lived code that is tied to the specific transaction they are making. This approach makes it more difficult for attackers to attempt to make fraudulent transactions from a compromised mobile phone.
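The property described in this answer, a code that is "tied to the specific transaction", is what separates the offline card reader from a plain mTAN. The following is an added example, not code from Lookout, from any bank, or from the EMV CAP standard: a simplified, constructed model in which the card token computes an HMAC over the payee, amount and a time window, and the bank recomputes it. It shows why a code captured from a compromised phone cannot be reused on a transaction the attacker has altered, while a time-only code (the mTAN style) can. The account identifier, card secret, PIN, payee strings and the 60-second window are all assumptions chosen for the illustration.

```python
"""Constructed model: transaction-bound codes versus time-only codes.

Not EMV CAP and not any bank's real scheme; the secret, PIN, payee
strings and validity window below are made up for the illustration.
"""
import hashlib
import hmac
import time

CODE_DIGITS = 8          # what a small card-reader display would show
WINDOW_SECONDS = 60      # assumption: how long a code stays valid


def _window(now):
    """Coarse time counter so codes expire rather than living forever."""
    return int(now // WINDOW_SECONDS)


def _truncate(digest):
    """Dynamic truncation of a MAC to a fixed number of decimal digits."""
    return f"{int.from_bytes(digest[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class CardToken:
    """Offline reader plus chip: holds the card secret, checks the PIN locally."""

    def __init__(self, card_secret, pin):
        self._secret = card_secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.failed_pins = 0

    def _pin_ok(self, pin):
        return hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)

    def sign_transaction(self, pin, payee, amount_cents, now=None):
        """Return a code bound to this payee and amount, or None on bad PIN."""
        if not self._pin_ok(pin):
            self.failed_pins += 1
            return None
        now = time.time() if now is None else now
        msg = f"TXN|{payee}|{amount_cents}|{_window(now)}".encode()
        return _truncate(hmac.new(self._secret, msg, hashlib.sha256).digest())

    def unbound_code(self, pin, now=None):
        """mTAN-style code: depends on time only, not on what is being authorised."""
        if not self._pin_ok(pin):
            self.failed_pins += 1
            return None
        now = time.time() if now is None else now
        msg = f"OTP|{_window(now)}".encode()
        return _truncate(hmac.new(self._secret, msg, hashlib.sha256).digest())


class Bank:
    """Server side: shares each card's secret and recomputes the expected code."""

    def __init__(self):
        self._cards = {}

    def enrol(self, account, card_secret):
        self._cards[account] = card_secret

    def _matches(self, secret, prefix, code, now):
        # Accept the current window and the previous one to tolerate clock skew.
        for w in (_window(now), _window(now) - 1):
            expected = _truncate(hmac.new(secret, f"{prefix}|{w}".encode(), hashlib.sha256).digest())
            if hmac.compare_digest(expected, code):
                return True
        return False

    def verify_bound(self, account, payee, amount_cents, code, now=None):
        """The submitted transaction details are part of the MAC input."""
        now = time.time() if now is None else now
        return self._matches(self._cards[account], f"TXN|{payee}|{amount_cents}", code, now)

    def verify_unbound(self, account, code, now=None):
        """Time-only check: says nothing about which transaction it authorises."""
        now = time.time() if now is None else now
        return self._matches(self._cards[account], "OTP", code, now)


def run_demo(now=1_700_000_000.0):
    """Walk through genuine, tampered, stale and replayed submissions."""
    secret = b"constructed-card-secret-not-real"   # constructed sample value
    card = CardToken(secret, pin="1234")
    bank = Bank()
    bank.enrol("acct-001", secret)

    genuine = card.sign_transaction("1234", "PAYEE-GENUINE", 25_000, now)
    otp = card.unbound_code("1234", now)
    return {
        "genuine_accepted": bank.verify_bound("acct-001", "PAYEE-GENUINE", 25_000, genuine, now),
        # Malware on the phone swaps the payee but can only resend the captured code.
        "tampered_payee_rejected": not bank.verify_bound("acct-001", "PAYEE-ATTACKER", 25_000, genuine, now),
        "stale_code_rejected": not bank.verify_bound("acct-001", "PAYEE-GENUINE", 25_000, genuine,
                                                     now + 3 * WINDOW_SECONDS),
        "wrong_pin_blocked": card.sign_transaction("0000", "PAYEE-GENUINE", 25_000, now) is None,
        # A time-only code verifies regardless of what the attacker actually submits.
        "unbound_code_replayable": bank.verify_unbound("acct-001", otp, now),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The design point is in the MAC input: once payee and amount are part of what the card signs, an overlay that harvests the displayed code gains nothing unless the attacker also submits exactly the transaction the victim typed into the reader. Real deployments add per-transaction counters or challenges rather than relying on a time window alone; that is omitted here to keep the contrast with the time-only code clear.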

If banks upgrade security measures to include two-factor authentication, will consumers be free from hackers and safe to handle their finances online?

This would definitely go a long way towards mitigating attacks, and in the short term adversaries in this space would be more likely to first target customers of banks that didn’t provide these security controls. In the long term, it would force threat actors to invest in redesigning how they exploit targets in order to make fraudulent transactions and access their bank accounts. At this point in time it’s unclear what this would entail; however, as we’ve seen time and time again in the security space, this is a continual game of cat and mouse between attackers and defenders.

Over the last couple of years we’ve seen numerous applications being released that allow customers to quickly transfer money between one another. PingIt, Swish Payments, Apple Pay, Google Wallet, and even Facebook Messenger are a few examples of this type of money transfer, and there are a number of apps for handling cryptocurrencies. As banks continue to refine their security controls, we are expecting to see malicious actors expand their capabilities to go after these apps when they compromise a mobile device.