Security Remains a Pain in the App for Mobile Banking
By Roy Urrico
Mobile banking security continues to be a pain point for credit unions and members as well as other financial institutions. The FBI even issued a warning about mobile banking app safety, particularly the danger of malware.
The FBI alert spotlighted the EventBot Trojan, which appeared in April 2020 camouflaged as an Adobe or Microsoft Word application. Its real goal: steal information from unprotected mobile financial apps.
Tom Tovar, CEO and co-creator of Redwood City, Calif.-based Appdome, said EventBot does not break common security procedures. “It doesn’t overcome defenses. It does what a very smart developer would do: look for data that’s valuable and easy to get, build a minimum viable product, launch it fast, and iterate quickly.”
Tovar noted the creators of EventBot had financial gain and scale in mind. The first versions included 200 mobile banking, payment and cryptocurrency apps as its targets. “There’s no magic here. Stolen credentials for mobile banking, payment, wallet and cryptocurrency services will likely fetch a pretty penny on the dark web.”
Trojans, and other malware that capture passwords and take over accounts, are just the start of the potential trouble for credit unions. Banking apps are alarmingly vulnerable, claimed Tovar, who has worked with a number of financial institutions and examined dozens of popular banking apps, and few would he classify as secure.
Among the issues:
· Unencrypted dynamic data: These strings communicate with the financial institutions’ back-end servers and include vital information that cybercriminals can compromise.
· Security certificates stored in the clear: Hackers can decrypt all communications between customers and financial institutions, using exposed security certificates. This makes it simpler to perpetrate a man-in-the-middle attack.
· Insecure APIs: Trend Micro found 50 major financial institutions plus many startups using APIs with serious security flaws, which can expose confidential information and enable hackers to compromise apps and servers.
· Mods and fake apps: Many apps do not obscure their code or protect their binaries against debuggers, which enables hackers to understand the inner workings of the app to create Trojans or fake apps.
Tovar described how malware can hide inside a legitimate app. “It goes looking for your banking applications and starts stealing the data from those applications, because it knows it's not secure. The malware delivered out in the world today is built on the premise that there is not adequate security in the banking or fintech or other target app.”
If someone downloads camouflaged malware at a credit union, Tovar explained it could infiltrate the network, the backend and the server looking for a way into the system. “Credential stuffing is one form of backend tactic that originates in a mobile app. Another would be an account takeover, where I have your username and password from the app,” he said. Another hacker tactic reverse engineers the bad app, and tries accessing the member’s unprotected data such as the individual’s username and password.
Tovar also referred to a new breed of hackers that do not focus solely on specific apps or networks. These cybercriminals build their hacking systems at scale. They look for databases containing combinations of email accounts and passwords, per se, that could deliver thousands of accounts. “They try to put the malware inside of an app that everybody's going to download to attack everybody. These are highly distributed attacks.”
For people house-ridden during the pandemic, cybercriminals can still threaten the banking system. Tovar said, “One of the challenges out there is an increased awareness of the vulnerability to mobile banking as a class.” The challenge, he pointed out, for credit unions and other financial institutions is that it degrades user trust in digital platforms.
Tovar indicated most applications adapted to use in a remote staff setting did not come with protections for “out in the wild” or zero-trust environments. Thus, sensitive data such as account details and payment information do not have the protections, authentication, flows, virtual private network access, et cetera, built into the application that allows for conducting secure work. Financial institutions and fintechs know the situation they are in. “Organizations are moving fast to try secure mobile apps as quickly as possible, particularly banking,” said Tovar.
The most important defense credit unions can present right now is to block those automated, widely distributed, class of attack, with layered defenses to block a targeted attack. Tovar suggested, “You need to put up a basic defense mechanism to block those automated attacks. And then you can go back and add layers.”
Tovar said, “It’s a very diverse threat environment right now.” When financial institutions shifted overnight to mobile, the hackers shifted their attack mode overnight to mobile banking as well. “There's never been a more appropriate time to secure mobile apps and fintech apps.” He added, it is the right thing for all financial institutions to do, to protect users and their business.
Appdome, which provides a no-code mobile solutions platform, helps accelerate security, roadmaps, and the implementation of critical security features, according to Tovar. “Our goal is to help our customers secure their mobile apps fast and protect their mobile users as quickly as possible.”