Thursday, November 22, 2012

How to manage frauds that go mobile?

Since the release of the original iPhone, one billion smartphone activations and 700 million downloads of Angry Birds later, mobile devices have proliferated.

Financial service organizations are tapping into this market by moving products and services to mobiles, delivering specialized small-screen adaptations for browsing, and developing apps that supply mobile functionality and services that enable customers anywhere-anytime access to account information.

Mobile banking alone is expected to grow to nearly 900 million users by 2015.

While the majority of fraud attempts still target users in the online channel, as banking services go mobile, so too do the attacks that target banking customers. Here are some of the most common attack methods cyber-criminals use against mobile banking users today.

Smishing, or SMS phishing, sends a text message to a user's mobile phone in an attempt to get her to divulge personal information. As is the case with phishing, a smishing attack usually has a call to action for the intended victim that requires an immediate response.

Smishing has become easier to carry out and is becoming an attractive alternative to phishing, with a higher success rate, because consumers are not conditioned to receiving spam on their mobile phones and so are more likely to believe the message is legitimate.

Furthermore, whereas a majority of phishing emails get stopped by spam filters and often never reach their intended targets, there is no mainstream mechanism for weeding out 'spam' text messages.

Some mobile malware is programmed to conduct man-in-the-middle attacks, capable of forwarding SMS messages with a user's Mobile Transaction Numbers (mTANs) to an attacker. These mTANs are often used as a way for banking customers to confirm that they initiated a transaction.

By intercepting the code, cyber-criminals can initiate a transaction and then use the unique code to verify the transaction as though they were the legitimate user. Examples of man-in-the-mobile threats have been most commonly found within well known banking Trojans such as Zeus and SpyEye.

Rogue applications are becoming plentiful in most online app stores. Today, Android is the platform most commonly exploited by cyber-criminals. Recently, a new Android Trojan was discovered that displays a video downloaded from the net, but only after some sensitive information has first been sent to a remote server.

Today, RSA's Anti-Fraud Command Center is witnessing an average of about 3 per cent of all fraudulent transactions originating in mobile channels or devices. While this hardly compares to the percentage of fraud in the online channel, mobile threats continue to emerge and, in time, that number will rise.

Here are some expected mobile threats and developments in the coming year.

Smishing will continue to increase. Many financial institutions have been successful in getting standard phishing attacks under control. However, smishing presents a whole new series of challenges.

Phone flooding services increase in popularity. Out-of-band authentication via SMS or phone call is being used across the financial industry as a step-up authentication method for high-risk transactions.

To defeat this additional security, cyber-criminals flood the intended victim's phone with calls, ultimately rendering the phone unusable and interfering with the bank's attempt to alert the user to a high-risk transaction.

Banking Trojans continue to be developed for mobiles. There have been several attempts at coding SpyEye variants for mobile platforms (mainly Android). This custom code is designed to intercept the SMS codes sent during transaction authentication by forwarding the content of the text message to the attacker's server.

The code is still young and its presence on mobile phones is limited. However, cyber-criminals are focusing their efforts on the mobile platform.

New Trojan plug-ins are targeting the mobile phone. Many banking Trojans available for sale in the black market offer plug-ins that enable HTML injection. When an infected user attempts to access her online banking site, the Trojan automatically injects extra fields in the login page. Most often, the extra details cyber-criminals attempt to obtain are credit card numbers and ATM PIN codes.

The portable nature of mobile devices, and of the information stored or accessed on them, is what makes them so vulnerable (when was the last time you misplaced your desktop?).

Also, if a mobile device is lost or stolen, it is typical for consumers to call their mobile provider to report it, but they don't usually call their bank to report it. If the user engages in mobile banking, all financial information stored on the device could be easily accessed.

Attacks are evolving in the mobile channel, and as the popularity of mobile banking grows, financial institutions are challenged with how to translate the success they have had in managing fraud risk in the online channel to the mobile channel and apply those same best practices there.

Understanding how to secure your customers against mobile attacks is the first step in turning the tide on fraud — and taking full advantage of the opportunities that this channel presents. 