I have always been interested in how the “average Joe” defines mobile banking. Being so involved in the security world has made it hard for me to see mobile banking the way many people do. I asked around (my friends, their friends, various networks) and came to the conclusion that there are three distinct and often misunderstood categories of mobile banking:
- Mobile payments
- Mobile authentication
- Value of mobile data
While each has its own differences, there are enough similarities to confuse the average Joe. There is a difference between consumer and business banking when it comes to mobile. Consumer banking delivers access to the accounts at the institution and offers some convenient ways to pay bills and move money. Business banking has that, plus the additional payment processing via your mobile device, with Square, Google, Intuit and others riding the mobile commerce train. Even the traditional store-and-forward POS systems have concerning vulnerabilities.
What businesses need to understand is that the device they are using to take payments is under attack! “Backdoor” Trojans, which steal data without the victim’s knowledge, and malware that goes after banking login information have made up the largest portion of all new mobile malware families. McAfee Labs discovered that Android-based malware resumed the growth rate seen in 2012. This quarter, nearly 18,000 new Android malware samples were cataloged.
Below are a few examples of new Android-based threats that fall into these non-exclusive categories:
- Banking malware that intercepts the SMS message containing the required token to log into one’s bank account. In doing so, the cybercriminal gangs can directly gain access and empty victims’ bank accounts. McAfee Labs researchers identified four significant pieces of malware that “forward” the required log-in token to cybercriminal gangs.
- Weaponized versions of legitimate apps that steal user data. A modified version of the KakaoTalk app collects sensitive user information (contacts, call logs, SMS messages, installed applications, and location) and uploads the data to the attacker’s server.
- Fake app installers that actually install spyware to collect and deliver user data to cybercriminals.
[Chart: New Android Malware Samples]
There are more types of attacks growing, but the ones above concern me the most for smaller businesses. My concern is that we are not doing enough to protect these sensitive devices and apps from exploitation.
On a personal level, my mother’s embroidery business just got a large upgrade, and it now services several locations across Washington and Oregon where various embroidered wares are sold flea-market style. The upgrade was a new Android smartphone with a credit card reader for credit and debit transactions. It wasn’t until a customer asked about the security of their transaction that we even considered the mobile device and all it was worth. How is the credit card information stored and transmitted? How are the devices protected from bad apps attempting to retrieve or monitor these transactions? While there are a number of attacks designed to collect login data for your bank accounts, I would submit to you that those attacks are not what you should be worrying about. What we need to worry about is the POS system itself. Looking at the growth-in-attacks chart above, it is downright scary for the business and the customers alike.
Stay tuned for mobile authentication vs. mobile banking and commerce…