From emulator attacks to malware, SIM-swapping, and phishing, mobile banking attacks are at an all-time high. In fact, the last year saw a 25% increase in malware between Q1 2020 and Q1 2021, and 36 billion records stolen by attackers. With more data being taken, more customers banking on their mobile devices, and lower barriers to entry for attackers, financial institutions urgently need to adopt advanced app security to protect both customers and their brand.
In this video interview with Finextra, Greg Hancell, Director of Data Strategy – Product Management, at OneSpan, discusses what financial institutions can do to help protect customers, their devices, and transactions. He recommends removing static passwords, applying advanced application security and malware detection, and ensuring that banks use strong customer authentication.
Video Interview Transcript
Hannah Wallace: Hello, I'm Hannah Wallace, and welcome to FinextraTV. Kindly calling into our virtual studio now is Greg Hancell, Director of Data Strategy - Product Management at OneSpan, and we're going to be talking about the urgent need for banks to protect mobile banking with advanced app security. So Greg, without further ado, welcome back, it's good to have you on again.
Greg Hancell: Thank you, Hannah. It's a pleasure to be back and a pleasure to talk to you today. Thank you.
Hannah Wallace: It’s really good to have you on. This is an increasingly pressing topic, isn't it? Because as recent reports have highlighted, mobile banking fraud is actually on the rise. So, I think that's a good place to start, can you tell us a bit about why this is and why we are seeing that?
Greg Hancell: Yes, absolutely. Year on year, we have seen a 25% increase in malware between Q1 2020 and Q1 2021. And with this increase in malware, there are greater risks to users on their device - be that in the form of adware or be that in the form of the capability to extract their data. On top of that, the majority of interactions over the web are through mobile (91% of internet traffic is through the mobile), and many companies were put into a position of having to go digital due to the pandemic - so you have people rushing to go digital, and you have a high interaction through mobile and increasing malware and an increase in new types of advanced automated attacks.
Plus, Crime-as-a-Service is taking off and lowering the barrier for would-be attackers to start creating these attacks, as there are now more products that are available to them on that Crime-as-a-Service marketplace to construct their attack. So rather than having to build the attack, they can simply go and buy it. As well as that, we had a record year in the number of identity breaches in 2020. 36 billion records were taken last year, and I calculate that is around 10% of the world's population. So, when you look at the amount of data that has been taken, the way it has been used, the security and the advanced attacks increasing, well, that's why mobile banking fraud is increasing, and it is becoming more lucrative for the attacker as well.
Hannah Wallace: Okay, so following on from that, can you talk us through the types of attacks that we're seeing on the rise?
Greg Hancell: A brand-new attack last year, which was identified by Trusteer, was the evil emulator attack. An attack was being observed previously whereby Trusteer identified that it was actually a genuine scenario; however, they were able to code into their solution to identify if an attack were to make use of that, and what they were able to do was emulate mobile devices. They were able to make it look as though they were coming from your device or my device through different types of client-side characteristics on that device. And in doing so, they were able to bypass the security of the banks that were trying to protect against these kinds of attacks because they do client-side analysis to look at the device, and they were making use of SMS one-time passwords which were being sent out to the mobile devices. Unfortunately, those mobile devices have malware, so you have a worst-case scenario where the second-factor authentication is being sent and that is being obtained without the victim knowing it, and their device is also being emulated. So these attacks could be created on a huge scale in an automated way to exfiltrate millions of dollars.
It was a big deal, and it is likely to only increase. As I said earlier, malware is up year on year 25%, and SIM swap is on the rise again, and of course, phishing as well. SIM swap is whereby you would overcome the security of somebody that would be making use of a 2FA by taking over their phone itself, by swapping out that SIM card through attacking a network operator, for example. If you have second-factor authentication in play via SMS in that scenario, that SMS is going to the attackers' mobile device now, not to yours, so that removes that. Malware can silently obtain those one-time passwords, and phishing attacks are getting more advanced. So phishing typically means that you will deploy a malicious payload in an SMS or in an email, someone will click onto it, that will download malware, or they will visit the site thinking they are interacting with a genuine site, when actually they are interacting with the attackers' site, which is then performing the attack in the background without the user knowing.
Hannah Wallace: It's very interesting looking at how the attacks have evolved over the years - so what about the consumer then? What impact are these types of attacks having on them, and the banks themselves?
Greg Hancell: Yes, it is a problem because you can’t expect a consumer to have a level of knowledge about these attacks and how they could be targeted or made vulnerable. It's healthy to have a good understanding of a digital environment to understand that, but we can’t expect that consumers would know of this. Customers lost money, there were account takeovers performed, loss of their identity, their physical attributes about them. Generally, there could be a loss of confidence. However, what I would say is that in the mobile channel, there is an expectation of a greater user experience. So, it can be that perhaps consumers are saying, "Well, I don't trust this mobile channel now, and it delivers that user experience, but I don't have the same trust in it." When actually, if you apply the right type of security, you can increase the confidence and the trust in your digital channel through mobile.
Greg Hancell: As for the banks, I would extend my answer to the Fintechs as well, because it's impacting all. To give some numbers from the US (United States), financial cybercrime in 2020 was up to $4.2 billion from $3.8 billion. And what does it mean to these banks? Well, literally in a day it can wipe out millions of dollars from the bank and put them into a panic mode, whereby they are under attack and they do not have the technology to react to that attack. So, what do they do? Do they turn off the channel in a worst-case scenario and stop people banking, or do they try and react to that? That is why it is really important you put yourself in a good position to be able to identify that you are being tested, that people are trying to identify an attack that will work with you, so you can already react to that as well. From a banking perspective as well, the impact there is that, with these advanced attacks, the banks need to think about not just having client-side security, because that was overcome. So, think of more advanced techniques to secure the user and the device as well.
Hannah Wallace: Right. So, that leads me on to my next question, and by no means a small one, but what do you think can be done about all of this?
Greg Hancell: Well, if you are using static passwords, move to second-factor authentication. So, remove static passwords. If you are using SMS for second-factor authentication, then move to strong customer authentication. If you are using strong customer authentication, move to dynamic linking and contextual authentication. So, those are generally what you should do from an authentication space. And then from a mobile banking space - make use of advanced application security. There are vendors, like us, that specialize in white-box cryptography, hardening, anti-tampering, malware detection, and ensuring that you apply strong customer authentication with a secure channel.
That means that only the user's device can see the one-time password and the detail relating to that, plus the context. So, it is really important you bring the context to the user and to the bank. The worst case is a user simply executes something without realizing what they are doing. The best case is they know, "Oh, I am signing this transaction for this reason on this device and that is securely going to my bank." What I would also say is you want to apply behavioral analysis. So you want to be able to understand what the user typically does, when do they normally connect, what types of devices do they have? And make sure that you can really understand their interactions on that device and from a financial perspective as well.
Hannah Wallace: Fascinating. As always, Greg, you have explained it very, very well there. Thank you so much for calling in and sharing your insights. I have learned a lot, but we will leave it there for now. Thank you very much, and I look forward to speaking further down the line.
Greg Hancell: Thank you. A pleasure.