Cybercrime Goes Mobile Thanks To Insecure
Mobile Banking, mCommerce and mWallet Apps
By Mark Laich
Millions of consumers no longer visit a bank to deposit checks or conduct financial transactions. Instead they rely on the convenience of using their mobile devices to send money, view account balances and bank online.
The same is true for how they spend their money - the shift from brick and mortar to e-commerce to m-commerce is already well underway. Think about it - how many times do you use your smartphone to research a product or purchase one?
Maybe you're going out to dinner tonight and you've already filled your Apple Pay, Google Wallet or other wallet technology with all of your credit-card information. Ever wonder if you could be pickpocketed wirelessly? Could an app you trust already be stealing your personally identifiable information (PII)? Sadly, the answer is yes.
Many financial institutions and retailers have launched mobile apps in the past 18 months to respond to demands from their customers who want the convenience of 24-hour, anytime/anywhere banking and shopping. Mobile banking apps help build customer loyalty, and mobile-banking transactions are significantly cheaper for banks compared with transactions that require employee interaction.
Mobile-retail apps capture consumers' buying impulse at the moment they occur, and allow for easy comparison shopping - the potential for finding an item cheaper is a quick tap away. Because more and more banks and retailers are making the investment to develop a mobile app, having one has gone from being a competitive differentiator to a "must have" to compete for consumers' business.
And once a bank has made that investment, there is a concerted effort to encourage customers to use their mobile-banking platform. The same holds true for retail. Amazon and others will do anything to get you to shop online from your smartphone or your tablet.
But the growth of mobile banking and retail apps also means that more people are at risk for identity theft and the hacking of sensitive personal and transaction data by cyber criminals who plan to commit fraud. These apps are used on devices that often aren't safeguarded from security holes. Most people have between 30 and 75 apps on their mobile device, and of course, when apps are installed on a device, users must grant multiple permissions for accessing a device's location, SMS capabilities, Wi-Fi, Bluetooth, camera and other device resources.
Some of these resources are used for the apps to do their intended task, but often apps demand resources that can open up a device to security vulnerabilities. Unfortunately, when consumers install an app on their mobile devices, few of them read all the permissions the app requests to make sure it isn't asking to use device resources that might be suspicious.
This issue is highlighted by a report from Gartner Inc., the technology research company, which concluded 75 percent of apps in the major app stores fail basic security tests. Gartner defines this as an app using mobile-device resources that have nothing to do with the intended function of the app. Rather they can be used to eavesdrop on other apps that are running concurrently to collect data about the consumer. The rationale is that the collected information can be used for data analytics to help with targeted mobile advertising.
However, this has given cyber criminals a rather large attack vector to commit ID Fraud by using malware that looks like trustworthy apps to steal PII and financial transaction data from mobile banking apps, or to steal your credit-card information from your retail apps that reside on the same mobile device. This type of malware disguised as "trusted" apps has hundreds of millions of downloads from the major app stores.
Worse yet, this new form of malware is undetected by anti-virus and able to circumvent encryption, biometrics, tokenization, sandboxes and authentication. The result is that using mobile-banking apps to conduct transactions is similar to using an ATM to withdraw cash in a dangerous area with criminals lurking around, or handing your credit card to a stranger, in public, who is using the old-fashioned carbon copy credit card imprinter to take your order.
Another popular technique for cyber criminals is spear-phishing attacks - which take the form of email and text messages that appear to be from an official source or someone you know, usually garnered via a social-networking site. These messages can then install monitoring software covertly on the mobile device. Monitoring software can access most mobile device activity and resources, thereby stealing consumer data just like the malware downloaded from an app store.
Most consumers are unaware of these types of threats, and even when they are aware, they don't take actions to protect their security and privacy until it is too late. On the other hand, financial institutions carry the liability associated with the fraud that results from data stolen from mobile banking and retail apps. In a U.S. landscape where almost 1 billion PII records have been compromised and there is identity fraud totaling $24.7 billion in losses - according to statistics from Privacyrights.org and the Department of Justice - greater safeguards are needed to protect consumers' financial data.
At the same time, it is important not to intrude or detract from consumers' mobile banking or retail experiences. Financial institutions and retailers can't solely depend on consumer awareness and training, nor can they make it complicated for consumers to protect themselves.
For better or worse, the modern-day consumer has become enamored with using their mobile devices for apps such as social networks, location-based services, and games on the same device on which they want to do mobile banking and mobile commerce, thereby compromising their security and privacy. What financial institutions and retailers need is new, innovative security technologies that deliver an optimal balance between protecting consumer data and being un-intrusive to consumers' total mobile-device experience.
In this way, their mobile banking and mCommerce apps can operate in a safe and trusted environment even when multiple applications are running concurrently. By working with companies that specialize in these types of new security technologies designed to thwart zero-day threats and malicious eavesdropping apps, financial institutions and retailers will not only protect themselves from liabilities, they will also be successful at convincing more of their customers to use mobile banking and mobile commerce, thereby increasing the ROI of their mobile-app investment and their operating efficiency.
Finally, as we look forward to what many believe will be the rapid adoption of mWallets in 2015, you must understand that they are inherently insecure because they operate on already infected devices. It's time to take a completely radical, proactive approach to securing consumers' data as the financial, transaction-based world shifts onto our smartphones and tablets.
This year marks the beginning of a new wave of enablement, opportunity and mCrime. Where there is mobile banking, mCommerce and mWallet there will be mCrime. Assume it comes in the apps as innocent as that flashlight app you recently installed, because if you don't, you'll be left in the dark missing your identity and your wallet.
About The Author
Mark Laich, VP of Security Solutions, SnoopWall, Inc. (www.snoopwall.com)
Mark joined Snoopwall with a 30-year track record of successful sales in the high-tech industry, generating over a half billion dollars in revenues. His expertise includes successful customer and market development in the mobile, CE, and telecommunications market sectors. He has a long track record of leading successful sales campaigns and developing business at major accounts like Samsung, Microsoft, Philips, Canon, Nikon, Thomson, Cisco, Alcatel, Siemens, and Compaq.
