I often get asked about my thoughts on banking from mobile devices. There’s no doubt about it: increasing demand for banking on mobile devices has made it a critical component of most financial institutions’ (FIs’) offerings. But my concern is that I don’t think FIs or account holders fully appreciate the potential risks of banking on mobile devices. These are risks that, as a CSO, I see or hear about every day.
I know a lot of industry folk claim that security professionals hyperbolize about mobile banking threats. But here is the reality: a surprising number of mobile banking applications are designed without proper security controls built in. Even worse, the underlying mobile operating system itself may have flaws in its design. Look no further than the recent Apple iOS security vulnerability as an example (and, by the way, iPhone users should make sure to install the latest iOS update). And even when an app has proper built-in security, that may not be enough. Why? As we deploy more sophisticated controls, fraudsters adapt their techniques. Couple insufficient security with the proliferation of malware targeting mobile devices, and you have a threat that is very real and will continue to grow, evolving from running up bogus charges through cellular carriers (minor by comparison) to credential theft and the theft of financial data.
Theft of financial data from mobile devices, you ask? You bet. One of the methods we are beginning to see is the use of malicious Quick Response (QR) codes. For example, fraudsters create fake QR codes to convince account holders to download “new security software” from their FI. What really happens is that the account holder downloads malware onto their mobile device, which then waits to intercept an out-of-band (OOB) SMS one-time password (OTP). Once the fraudster has the code, they can log in as the account holder or potentially use it to approve a financial transaction. Yes, the same out-of-band SMS OTPs that we all believe to be a secure method for countering attacks. The catch is that the OTP is only truly out-of-band if the malware is not sitting on the very device that receives it; once the phone is compromised, the “second channel” and the banking session share the same attacker. And this is just one example.
But with the right approach, I know we can defeat fraudsters. This is why I’m so passionate about working with FIs to establish a multi-layered security strategy, one that covers the entire banking session, from login and authentication through transaction submission. In the face of a myriad of threats, layered controls should be deployed to ensure a secure banking experience. Examples include OOB OTPs and tokens (most effective when the code is bound to the specific transaction it approves, so an intercepted code cannot be reused for a different payee or amount), behavioral modeling to detect and prevent anomalies, multi-factor authentication, and dual controls.
Why layered controls? This approach ensures that the weakness of one control is compensated for by the strength of another. And of course, these controls cannot be set and forgotten; they must be revisited as the attack landscape changes. My question to you: Is your FI investigating or using a multi-layered security approach? Implementing such a strategy will go a long way towards mitigating these threats.
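To make the layering concrete, here is an added example (not code from the original post, nor from any FI’s actual system) of a transaction-approval decision that stacks three of the controls named above: an OTP bound to the transaction it approves, a simple behavioral anomaly score, and a dual-control threshold. The account profile, transactions, secret, counter and score weights are all constructed for illustration. The OTP uses HOTP-style dynamic truncation over an HMAC, but with the payee and amount mixed into the message, so a code intercepted for one transaction (the QR-code malware scenario above) is useless for a different one.

```python
"""Layered approval decision for a mobile-banking transaction.

Illustrative only: profile, transactions, secret, counter and the score
weights below are constructed for this example, not taken from a real FI.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Transaction:
    account_id: str
    payee: str
    amount_cents: int
    device_id: str


@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    typical_max_cents: int = 0       # largest amount seen in normal use
    dual_control_cents: int = 0      # at or above this, a second approver is required


def otp_for(secret: bytes, tx: Transaction, counter: int) -> str:
    """Six-digit code bound to the account, payee, amount and a per-account counter.

    HOTP-style dynamic truncation (as in RFC 4226) over HMAC-SHA256. Because the
    payee and amount are part of the MAC input, the code cannot be replayed for
    a transaction with different details; the counter makes each code single-use
    once the verifier advances it after a successful check.
    """
    msg = f"{tx.account_id}|{tx.payee}|{tx.amount_cents}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_otp(secret: bytes, tx: Transaction, counter: int, code: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the code.
    return hmac.compare_digest(otp_for(secret, tx, counter), code)


def anomaly_score(tx: Transaction, profile: AccountProfile) -> tuple[int, list[str]]:
    """Toy behavioral model: each deviation from the account's history adds risk."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += 40
        reasons.append("new device")
    if tx.payee not in profile.known_payees:
        score += 30
        reasons.append("new payee")
    if tx.amount_cents > profile.typical_max_cents:
        score += 30
        reasons.append("amount above typical maximum")
    return score, reasons


def decide(tx: Transaction, profile: AccountProfile, secret: bytes, counter: int,
           otp_code: str, second_approver_ok: bool) -> tuple[str, list[str]]:
    """Run the layers in order; any one of them can stop the transaction.

    Returns one of APPROVE, DENY, STEP_UP (re-authenticate through another
    factor) or HOLD (waiting on a second approver), with the reasons.
    """
    if not verify_otp(secret, tx, counter, otp_code):
        return "DENY", ["OTP does not match this transaction"]
    score, reasons = anomaly_score(tx, profile)
    if score >= 70:
        return "STEP_UP", reasons
    if tx.amount_cents >= profile.dual_control_cents and not second_approver_ok:
        return "HOLD", reasons + ["dual control: second approver required"]
    return "APPROVE", reasons


# Constructed sample data (hypothetical account, devices and payees).
SECRET = b"constructed-per-account-secret"
COUNTER = 7
PROFILE = AccountProfile(known_devices={"dev-A"}, known_payees={"ACME Utilities"},
                         typical_max_cents=50_000, dual_control_cents=500_000)
TX_LEGIT = Transaction("acct-1", "ACME Utilities", 12_000, "dev-A")
TX_REPLAY = Transaction("acct-1", "Mule Account", 12_000, "dev-A")   # reuses TX_LEGIT's code
TX_NEW_DEVICE = Transaction("acct-1", "Mule Account", 80_000, "dev-X")
TX_LARGE = Transaction("acct-1", "ACME Utilities", 600_000, "dev-A")


def demo() -> dict[str, str]:
    """Decisions for the four constructed scenarios."""
    stolen_code = otp_for(SECRET, TX_LEGIT, COUNTER)
    return {
        "legit": decide(TX_LEGIT, PROFILE, SECRET, COUNTER, stolen_code, False)[0],
        "replayed_otp": decide(TX_REPLAY, PROFILE, SECRET, COUNTER, stolen_code, False)[0],
        "new_device": decide(TX_NEW_DEVICE, PROFILE, SECRET, COUNTER,
                             otp_for(SECRET, TX_NEW_DEVICE, COUNTER), False)[0],
        "large_no_second": decide(TX_LARGE, PROFILE, SECRET, COUNTER,
                                  otp_for(SECRET, TX_LARGE, COUNTER), False)[0],
        "large_with_second": decide(TX_LARGE, PROFILE, SECRET, COUNTER,
                                    otp_for(SECRET, TX_LARGE, COUNTER), True)[0],
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:18} -> {decision}")
```

The point of the ordering is that each layer catches what the previous one cannot: the transaction-bound OTP stops the replayed code even though it was genuinely delivered to the account holder’s phone; the anomaly score catches a correct code used from a new device to a new payee; and dual control holds a large but otherwise normal-looking payment until a second person approves it. In a real deployment the OTP counter would be persisted and advanced on success, the score weights would come from the behavioral model rather than constants, and the transaction details would be shown to the user in the OOB message so they can see what they are approving.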
Check out the most recent issue of Credit Union Magazine, where my fellow security colleagues and I further discuss combating mobile threats.