FBI Warns of Increased Mobile Banking Threats: Who’s Responsible — Banks or Users?
It seemed obvious that COVID-19 and associated stay-at-home orders would lead to an increase in remote digital banking. And now, we see hard data proving that assumption to be true. At the same time, law enforcement agencies, such as the FBI, warn consumers that attackers are responding to the swell in digital banking activity by increasing their investments of time and effort into defrauding people by exploiting mobile banking platforms.
Yes, we need to educate consumers on being vigilant and taking advantage of security features offered by their bank. But, they’re almost completely dependent on their bank, device manufacturer, and/or cell carrier to keep them safe. I argue that financial institutions need to take responsibility to ensure they’re also increasing their investments in the latest-and-greatest mobile app security technology to protect their users.
A Surge in Threats Can’t Be Far Behind a Surge in Mobile Banking Activity
According to data cited by the U.S. Federal Bureau of Investigation (FBI) in a public service announcement published days ago, “Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020.” A recent Aite survey of 2,413 U.S. consumers in Q1 2020 found that 86% of senior millennials, 83% of young millennials, 72% of Gen Xers, 38% of baby boomers and 17% of seniors log into banking accounts using their mobile phone at least once a week.
Even mobile corporate banking transactions are increasing in volume. Citi reports a tenfold increase in users of its corporate mobile banking app, CitiDirect BE, in March 2020 over March 2019.
Business people and cybercriminals alike follow market trends for hints about where they may find their next opportunity. Increasing mobile banking transaction volume makes the mobile channel a juicier target for attackers.
What Are the Mobile Risks the FBI Is Warning About?
In the announcement, the FBI warns consumers about mobile threats, such as mobile banking trojans and fake banking apps.
Mobile banking trojans appear to be legitimate apps but actually include malicious code within them. When a user opens a legitimate banking app, the mobile banking trojan that had been lying in wait jumps into action and places a counterfeit log-in screen over the top of the legitimate app with the objective of fooling a user into divulging their banking credentials. Android vulnerabilities, such as StrandHogg, StrandHogg 2.0, and others, make these sorts of attacks possible.
Second, attackers create fake mobile banking apps that look like legitimate banking apps but have malicious objectives. The FBI cites data that in 2018 almost 65,000 fake apps were found on “major app stores.” If a user is fooled into downloading one of these fake apps, they may expose their credentials when they attempt to log on. In more sophisticated schemes, these apps will also ask for permission to access SMS messages in order to bypass two-factor authentication.
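The two permission patterns the FBI describes (SMS access to intercept one-time codes, overlay rights to draw a counterfeit login screen) can be checked mechanically. The following triage heuristic is an added example, not OneSpan or FBI code; it parses the <uses-permission> entries of an Android manifest, using constructed sample manifests rather than any real app.

```python
# Added example (not OneSpan's or the FBI's code): a triage heuristic for the
# fake-banking-app pattern above. It parses an Android manifest's
# <uses-permission> entries and flags the rights those apps need: SMS access
# (to read one-time 2FA codes) and overlay rights (to draw a counterfeit login).
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}


def triage(manifest_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & SMS_PERMS:
        findings.append("requests SMS access: can intercept SMS one-time codes")
    if perms & OVERLAY_PERMS:
        findings.append("can draw over other apps: counterfeit login-screen risk")
    if perms & SMS_PERMS and perms & OVERLAY_PERMS:
        findings.append("SMS plus overlay rights together: high-risk combination")
    return findings


# Constructed sample manifests; they do not come from any real app.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest) or ["no findings"])
```

A legitimate banking app may still request one of these permissions for a documented reason, so the findings are a review prompt for app-store or threat-intel triage, not a verdict.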
Are Users Capable of Protecting Themselves?
The FBI provides a number of suggestions for consumers to protect themselves against this predicted upswing in attacks on mobile banking:
- Use strong two-factor authentication: I’m glad to see the FBI recommends biometrics, authentication apps, or hardware tokens but does not recommend SMS messages for this purpose. SMS messages are better than nothing but are known to be vulnerable.
- Avoid clicking links in e-mails or text messages: Phishers target mobile users too, so consumers need to be wary. Fake banking apps are often hosted on malicious sites. Users are tricked into visiting via phishing schemes.
- Practice good password hygiene: Don’t re-use passwords. Don’t give your password over the phone, and ensure the password is as complicated as it can be in terms of number and types of characters.
All of this is good advice, but it’s all for naught if a consumer’s bank doesn’t enable them to take advantage of such security capabilities and policies. For example, there are still banks that don’t offer two-factor authentication to their customers. Some banks still include links in the e-mails they send to customers. In this day and age, I’d argue that should be avoided. In addition, how many passwords can we expect consumers to remember? And not all banks will allow the use of password managers. Stronger, more secure authentication via biometrics or push notifications is available and should be used by these banks to help prevent fraud.
What Can Banks Do?
Many banks have already taken up the torch to ensure the security of their mobile banking apps and customers. Still, some do need to heed this wake-up call to ensure they can deliver services remotely through mobile devices, which is quickly becoming consumers’ preferred way to interact with their bank. In addition, financial institutions must make sure they do their due diligence in providing secure mobile banking experiences for their users.
What banks can do to deliver secure, convenient mobile banking experiences includes:
- Upgrade their approach to authentication to offer more secure and convenient authentication methods, such as biometrics, mobile push notifications, and more.
- Give their developers the tools they need, such as proven SDKs, to secure the data handled by their mobile banking apps. This will ensure app data at rest and in transit is protected with strong encryption.
- Integrate sophisticated mobile app security technology, such as app shielding and runtime protection, that travels along with the mobile banking app to protect users against the mobile malware and threats listed by the FBI.
OneSpan helps over half of the top 100 global banks deliver secure digital experiences to their users, and through our Mobile Security Suite, App Shielding, and other products and services, we help some of the largest banks in the world ensure the security of their mobile banking experiences.