Shopping or banking online depends on trust. Individuals interact with sites that they trust, and sites have to trust the person who is transacting.
Many online banking sites are turning to two-factor authentication to confirm the identity of the individual they are transacting with – typically an ‘out-of-band’ method of authentication using a token or SMS message to a mobile phones. Initially tokens were widely rolled out, but many banks faced a backlash from their consumers because tokens were too inconvenient to carry around, and they could be easily lost or damaged.
Customers embraced SMS messages as an authentication method, as they are much more likely to have their mobile phone with them when they need to access their online bank account. By 2014, it is predicted that 64% of all two-factor authentications sales will be mobile – making it easier for people to access the systems and websites they need to securely, wherever they are.
However, as we have seen so many times before, criminals go where the money is. So it is of no surprise that many have tried to ‘break’ the additional security provided by SMS messages, as they have tried to break many other security tools in the past.
The problem is user education. Banks have spent a lot of time telling their customers that they will ‘never ask for your account details in an email’ or to look out for anything suspicious about the ATM they are using and report it. When it comes to SMS, however, banks have rolled out these tools to their customers, but they don’t educate them about how the criminals’ tactics will change.
The recent Eurograbber attack is a multi-pronged approach – but it means that there were multiple points at which the consumer could, and should, have identified that something suspicious was happening.
First there was a phishing email to download a piece of malware, followed by unusual instructions from the bank during the customer’s online banking session, and then a link was send to the user’s mobile phone to download a piece of malware on to the phone. Only once all of these steps had been completed, could the criminals take over the victim’s bank account.
All of these errors came about because the customer trusted the ‘request’ they received, believing it to be from the bank. But in fact they are giving away access to their bank account to a hacker.
Consumers are too trusting. Their mobile phone is now their authentication device for their online banking, but they are willing to give out their phone number of download ‘updates’ without knowing anything about the person making the request- it’s a bit like asking someone in the street to look after your baby while you go shopping!
Alan Goode, Founder and Managing Director, Goode Intelligence said: “I believe that the use of SMS to deliver 2FA one-time-passwords (OTP) is an effective way to improve authentication for organisations. However, mobile users are increasingly being targeted by fraudsters and criminals. Our research into mobile malware indicates a growing risk to mobile phone users, especially if you are using an Android device.
“A combination of user education – treat the mobile device as a computer not a phone – and installing effective mobile security solutions (ones that protect against the Trojans targeting banking customers) is needed to counteract targeted attacks against mobile users. Organisations, including financial institutions, that are mobilising their business by developing mobile apps and services must also be responsible for the security of their users.”
A recent insight report on mobile banking security from Good Intelligence advises banks that they should perform the following actions to ensure that their customers are adequately protected against the latest mobile threats:
- Use the power of the mobile phone to create an encrypted communication channel between user and bank
- Ensure that your customers are always authenticated using a trusted two-factor or multi-factor authentication solution, one that is suitable for the mobile channel
- Monitor apps stores for any rogue apps that purport to represent your company – and kill them quickly
- Introduce a plan for updating mobile banking apps
- Ensure that mobile banking apps are security tested
- Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others
- Educate users about the dangers of using a mobile device for banking purposes including system hygiene when upgrading their handset, and disposing of an old one