Modern business demands that information be accessed quickly, securely, and from anywhere in the world. Technology develops in parallel: payment applications are steadily appearing on our mobile devices. Attacks on mobile banking apps are at an all-time high, and the sophistication and volume of fraudulent attacks increase every year.
Based on a 2021 Threat Intelligence report tracking more than 200 million devices worldwide, the number of new banking trojans attacking devices and trying to steal one-time passwords from SMS increased by 80% in the first half of 2021.
In June 2020, the FBI issued a cybersecurity alert, anticipating an increase in attacks on mobile banking customers due to a surge in banking app usage and a decline in in-person branch visits, partly caused by the COVID-19 pandemic. With more bank customers using online banking on their mobile devices and lower barriers to entry for attackers, there is an urgent need for financial institutions to deploy advanced application security to protect both their customers and their brand.
So let’s take a closer look at mobile banking applications' security and how we can improve it.
Why are banking apps vulnerable?
The causes of vulnerabilities can be attributed to one of the following six groups:
- Insufficiently elaborated security requirements for the application being developed.
- Design errors. Insufficient control over the implementation of security requirements during development. For example, a poorly designed session management mechanism can allow a user of the mobile application to manipulate session cookies and thereby bypass the authentication procedure.
- Coding errors. Coding errors can be used to change the functionality of an application and perform unintended actions and commands. Attacks become possible because of buffer overflows, format string errors, and race conditions, where the attacker exploits the time interval between the moment a file's access rights are checked and the moment the file is actually used to change the permissions. Judging by the publications, coding errors are the most common cause of vulnerabilities.
- Malicious code. Backdoors, logic bombs, and code for organizing a salami attack are typical examples of code planted by developers for subsequent exploitation.
- Application deployment errors. Such errors are the result of an insufficiently thought-out and prepared installation of the application on the customer's side. They stem from the fact that the characteristics of the target infrastructure are not known exactly. Errors such as debug accounts and passwords that were never removed and application version control errors fall into this category.
- Insufficient quality control and application testing. It is impossible to get rid of vulnerabilities only at the stage of final testing. Security issues should be included in quality control and application testing programs. Regular testing of the application should be carried out not only on the assumption that the data being processed will have a normal, expected character but also taking into account scenarios of possible attacks.
Beware of these cyberattacks
Finding vulnerabilities is not an easy task. Although there are various tools on the market for detecting known vulnerabilities, expert analysis of the application source code remains the most effective way to identify most vulnerabilities. It should be noted that both open-source and commercial vulnerability detection tools are successfully used not only by developers but also by hackers.
1. Banking Trojans
Banking Trojans are the most common mobile cyber threat today, accounting for up to 95% of smartphone malware. Over 98% of them target the Android platform, which is not surprising. Firstly, it has the largest user base (over 80% of the smartphone market). Secondly, it is the only one among the popular platforms that allows software installation from unknown sources at all.
There are three main ways banking Trojans operate:
- They can hide bank SMS messages containing one-time passwords from the user and immediately forward them to an attacker, who uses them to transfer money to their own bank account.
- In the same way, banking Trojans can operate automatically, sending relatively small amounts to the criminals' accounts from time to time.
- Or the malware mimics the mobile applications of banks and, after capturing the credentials used to log into mobile or Internet banking, does the same.
Recently, universal malware has become popular, capable of downloading updated profiles of banks in different countries: the US, Germany, and the UK.
The "grandfather" of mobile banking Trojans is Zeus, aka Zitmo (Zeus-in-the-mobile), which appeared back in 2010 (its ancestor for PC, the original Zeus, was created in 2006) and managed to infect over 3.5 million devices in the US alone, creating the largest botnet in history.
2. Fake banking apps
A fake banking app is an app that is designed to look like it was made by a real bank but actually helps scammers get access to a user's sensitive data and money. There are two different types of fake banking apps: phishing apps and apps that thieves use in real life.
Criminals distribute their apps in a variety of ways. Sometimes they place them in official stores, which do not always manage to track down fakes in time. But more often, they are promoted in alternative app stores and on various sites. Download links are distributed via third-party app stores, social networks, instant messengers, or e-mail.
If a person downloads a fake app and enters their details, the scammers gain access to their real online or mobile banking. The application can also turn out to be malware, with the help of which criminals can compromise the user's other mobile banking apps as well. As a result, fraudsters can steal all the money from the financial accounts and take out loans in the name of an unsuspecting client. A person will not only lose their savings but also remain in debt.
3. Man-in-the-middle (MiTM) attacks
The essence of a "Man-in-the-middle" (MiTM) attack is that the attacker passes the victim's web traffic through their own node (perhaps by changing the DNS server settings or the hosts file on the victim's machine). While the victim believes they are working directly with, for example, their bank's website, the traffic passes through the attacker's intermediate node, which thus receives all the data sent by the user (bank login credentials, password, PIN, etc.).
MiTM attacks rely on the manipulation of networks or the creation of malicious networks controlled by cybercriminals. A cybercriminal intercepts the traffic and either passes it through their system, collecting information along the way, or redirects it to another location.
Cybercriminals essentially act as "intermediaries" between the person sending information and the one receiving it, hence the name "man in the middle" attack. These attacks are surprisingly common, especially on public Wi-Fi networks. Since public Wi-Fi is often unsecured, you cannot know who monitors or intercepts web traffic, because anyone can connect.
4. Clickjacking
"Clickjacking", aka "click hijacking", aka "user interface spoofing", aka "iframe overlay", allows a hacker to perform a click on a site on behalf of a visitor. How do they do it? The attacker creates a page with carefully placed visual elements. A transparent iframe is placed on top. The user is tempted to click on these elements but is actually, unknowingly, clicking on an element of another page. The whole trick is transparency: the "victim" interacts with a user interface element that they simply do not see.
There are many techniques. Here are some examples of how attackers can use various methods to trick a user:
- The attacker creates an invisible iframe (transparent overlay) on top of the malicious page and loads the target page into this overlay. The malicious page contains a visual element that lures the user into clicking. For example, it could be a graphic element that looks like a video player with a play button in the middle. The user clicks on the play symbol, but because of the overlay, the click lands on a UI element of the target page.
- The attacker creates a 1×1 pixel frame that moves with the mouse cursor. Due to its size and position, this frame is completely invisible (hidden under the tip of the cursor). So the user, clicking anywhere, clicks on whatever is loaded into this 1×1 frame.
- The attacker cuts out fragments of the target page and embeds them in the malicious page. For example, an iframe showing only the target page's "Submit" button can be positioned so that it looks like a natural part of the malicious page.
There are many options, so mobile app owners need to make sure that users and visitors are protected from such a threat.
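The browser-side defence against the overlay tricks above is to forbid framing with the X-Frame-Options and Content-Security-Policy frame-ancestors headers. The following audit function is an added example, not code from the original article: given a page's own origin and the headers it was served with, it decides whether a third-party page could load it in an iframe. The origins and header sets are constructed samples.

```python
"""Audit HTTP response headers for clickjacking (UI overlay) protection."""
from typing import Dict, List, Optional


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, lower-cased, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_matches(src: str, page_origin: str, framer: str) -> bool:
    """Does one frame-ancestors source expression cover the framing origin?"""
    if src == "*":
        return True
    if src == "'self'":
        return framer == page_origin
    if src.endswith(":"):                      # scheme-source, e.g. "https:"
        return framer.startswith(src)
    scheme, _, host = framer.partition("://")
    if "://" in src:
        src_scheme, _, src_host = src.partition("://")
    else:                                      # host-source inherits the page scheme
        src_scheme, src_host = page_origin.partition("://")[0], src
    if src_scheme != scheme:
        return False
    if src_host.startswith("*."):              # host wildcard, e.g. *.bank.example
        return host.endswith(src_host[1:])
    return host == src_host


def framing_allowed(headers: Dict[str, str], page_origin: str, framer: str) -> bool:
    """True if a page at page_origin, served with these headers, can be framed
    by a document at origin `framer` (both given as scheme://host, lower-case).
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:                    # CSP frame-ancestors overrides X-Frame-Options
        if "'none'" in sources:
            return False
        return any(_source_matches(s, page_origin, framer) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page_origin
    # No header, or the obsolete ALLOW-FROM form that modern browsers ignore:
    # the page is unprotected.
    return True


if __name__ == "__main__":
    # Constructed sample: the headers a hardened banking page should send.
    hardened = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    print(framing_allowed(hardened, "https://bank.example", "https://evil.example"))  # False
```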
How can financial institutions improve app security?
Given the rapid growth of security threats in the mobile banking segment, information security product manufacturers should respond by releasing appropriate products to protect users from fraud. So what can financial institutions do to improve the application's security layer?
1. Add two-factor or multi-factor authentication
Two-factor authentication (2FA) is an authentication method that requires the user to provide exactly two verification factors in order to gain access to the bank's mobile app. Two-factor and multi-factor authentication provide an extra layer of protection against many of the most common types of cyber threats, including those listed below.
- Stolen passwords. As mentioned above, poor password hygiene makes passwords easy to steal. In a two-factor authentication system, a stolen password alone is not enough to hack an account.
- Brute force attacks (password cracking). Computing power is becoming more available, and hackers use it to generate passwords randomly until they crack the code. However, the second factor cannot be broken in the same way.
- Phishing. Phishing remains one of the most common and effective ways to steal user credentials. Two-factor authentication protects against unauthorized access if the username and password are stolen through a phishing attack.
- Social engineering. Clever hackers are increasingly using social media to carry out attacks by tricking users into voluntarily providing their credentials. But without the second factor, the hacker will not be able to access the account.
2. End-to-end encryption
End-to-end encryption is when messages are encrypted on your device and only decrypted on the other person's device. That is, the message travels the entire path from the sender to the recipient in encrypted form, so no one can read it except your interlocutor.
The main advantage of end-to-end encryption is that no one except the recipient can decrypt the transmitted data. It is as if you put the data in a box when sending it by mail, and the box is physically impossible to open: it cannot be sawn through, split with a sledgehammer, or picked with a master key. This box can only be opened by the person to whom the message is addressed; no letter carrier or thief who manages to get their hands on the package can do it. In other words, end-to-end encryption ensures data confidentiality.
If such an invincible box is hardly possible to create in the physical world, it is really possible in the world of information. Mathematicians and cryptographers are constantly developing new encryption systems and improving old ones so that they cannot be opened.
The fact that data encrypted with end-to-end encryption cannot be decrypted by anyone except the recipient has another plus: no one can get into the data and change it. Modern ciphers are designed in such a way that if someone changes the encrypted data, the decryption turns into garbage, and it immediately becomes clear that something is wrong.
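The tamper-evidence property above comes from authenticated encryption. The following is an added example, not code from the original article: it builds encrypt-then-MAC from the Python standard library only (HMAC-SHA256 used as a counter-mode keystream generator, plus an HMAC tag over nonce and ciphertext) so that it runs anywhere, and shows that a single flipped bit in transit is rejected by the recipient before any plaintext is released. A production app would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305, which gives the same guarantee; the shared secret and message are constructed samples.

```python
"""Tamper-evident end-to-end encryption between two devices (encrypt-then-MAC)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _derive(shared: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared secret."""
    return hmac.new(shared, label, hashlib.sha256).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(k_enc, nonce || counter) blocks, truncated."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(k_enc, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def seal(shared: bytes, plaintext: bytes) -> bytes:
    """Sender's device: returns nonce || ciphertext || tag."""
    k_enc, k_mac = _derive(shared, b"enc"), _derive(shared, b"mac")
    nonce = os.urandom(NONCE_LEN)              # fresh per message, never reused
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(shared: bytes, blob: bytes) -> bytes:
    """Recipient's device: verify the tag first, decrypt only if it matches."""
    k_enc, k_mac = _derive(shared, b"enc"), _derive(shared, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message was modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def tampered_is_rejected(shared: bytes, plaintext: bytes) -> bool:
    """Flip one ciphertext bit (as a man in the middle might) and report
    whether the recipient detects it."""
    blob = bytearray(seal(shared, plaintext))
    blob[NONCE_LEN] ^= 0x01                    # first ciphertext byte
    try:
        open_sealed(shared, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed shared secret - not a real key"
    print(open_sealed(key, seal(key, b"transfer 100 EUR")))  # b'transfer 100 EUR'
    print(tampered_is_rejected(key, b"transfer 100 EUR"))      # True
```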
3. Biometric Data
Biometrics is a secure and convenient way to sign in to mobile apps using data derived from your own body. With a password, there is no reliable way to determine who is entering it: the application developer can only determine whether the entered password matches the password record in the back end of the system. Biometrics adds a further trust indicator, because it confirms the identity of the person presenting the biometric sample for verification: the fingerprint, face, or iris scan is captured in real time and tied to the user at that moment.
4. Conduct digital security training
Train your team to recognize security issues and avoid the various risks of mobile banking, covering risky behavior, phishing detection, and other online security strategies. Then reinforce those skills with unannounced test phishing emails, text messages, etc. They should look in every way like a typical phishing message. If an employee clicks, they are automatically enrolled in the data security training module. Verizon reports that most mobile phishing attempts involve SMS and social messaging, not email, so it is important to vary the phishing channel as well as the content.
5. Ensure best security practices
Every mobile banking application should be designed with security in mind. Make sure your developers are familiar with mobile app security best practices and frameworks such as the OWASP Mobile Top 10. From there, conduct regular automated mobile banking security testing as part of the SDLC, as well as occasional deeper penetration testing. Finally, deploy an additional layer of security, App Shielding, to protect your app at runtime and in potentially hostile (legacy, insecure phone) environments that put your app at risk.
Tools for mobile banking application security
If you are the owner or developer of a mobile application, you must do everything to ensure its security. There are many tools for finding vulnerabilities. The information below will help you find security weaknesses in your mobile banking app.
Ostorlab will allow you to test the application on Android or iOS and get a detailed report on the results of the test. Upload your application file in the Android Package Kit or iPhone application archive format, and a security report will be ready in a few minutes. It is based on open-source programs such as Androguard and Radare2. I advise you to check your mobile application for free with Ostorlab.
The maximum file size for uploading for verification is 60 MB. However, if your application exceeds 60 MB, you can contact Ostorlab to host the file via an API request.
With Appvigil you will receive not only a description of possible threats but also recommendations on how to fix the vulnerability to quickly resolve the problem. No software needs to be installed as everything is handled in the Appvigil cloud.
After you upload the APK or IPA files, a static and dynamic analysis of the application (Android / iOS) is performed, including checks for vulnerabilities from the OWASP Top 10 list.
Quixxi is designed to generate mobile analytics, secure mobile applications, and generate revenue potential. It will take a few minutes to check. Once the scan is complete, you will have a short vulnerability report. If you need a full report, then you need to register on the site. It's free.
Akana is an interactive app analysis tool for Android. Akana checks the application for malicious code and displays details of the results. The check is free, so give it a try and see if your Android app contains malicious code.
Nviso APKSCAN is another handy online tool to scan your app for malicious code. The results may not be ready immediately, depending on your place in the queue. You can leave your email and be notified when the report is ready. You can check the following data with this tool: disk activity, virus scanning, network traffic, the ability to make a phone call, send SMS, cryptographic activity, and data leakage.
PSD2 is the Directive that regulates mobile banking services in the EU and replaces the 2007 PSD Directive. The document was adopted back in 2015 due to the high pace of digitalization in the banking sector, as well as the need to provide users with better and more modern services, including through mobile applications.
The main goal of PSD2 is to create open banking, where third parties ("Third Party Providers", or "TPPs" for short) can access financial information about a bank customer with the customer's direct permission and through a system of enhanced authentication. According to PSD2, such consent can be given both for individual transactions and for a TPP's full access to the information about the client that is stored at the bank. However, the client must be properly aware of the scope of their consent, and it must be given explicitly.
In Europe, PSD2 has been in force since January 2018, but the main implementation date was September 14, 2019, when technical standards for user protection began to work.
Participants in the payment services market have been preparing for this date for a long time, as technical standards have introduced rules for enhanced customer authentication and requirements for platforms for open access to banking information. The regulations stipulate that, with the exception of a number of minor transactions, strong user authentication should be performed.
Mobile banking apps are exposed both to well-known old threats and to new, not yet fully understood ones. Mobile banking security threats create the risk of compromise of critical user data, theft of funds, and damage to the bank's reputation.
Attackers have many ways to carry out attacks. At the same time, the cost of conducting an attack in a real environment can be very low compared to the possible benefits.
Modern security solutions for mobile devices (antiviruses, MDM solutions, etc.) can reduce mobile banking security risks but cannot solve the whole range of problems. Security should be built in at the system design stage and be present at all stages of the program life cycle, including development and deployment. It is necessary to carry out code audits, application security analysis, and penetration testing.
If you are looking for a mobile banking development team of security experts who know all the nuances of mobile banking application security, contact us.