Hackers are accessing smartphone users’ bank accounts through an increasingly inventive array of malware attacks, ranging from text messages to gaming apps, according to www.nbcnews.com.
As many as three per cent of Android users have encountered a mobile threat in the past year, according to the Vice-President of United States-based Security at Lookout, a mobile app security firm, Mike Murray.
“While that number may seem relatively low, consider a business with 1,000 employees who use their phones for work and personal matters. That means 30 of them are potentially exposing the business to a threat, making this an even more serious problem,” Murray explains.
An estimated 43 per cent of smartphone users in the United States who have a bank account used some form of mobile banking, according to the most recent Federal Reserve Consumers and Mobile Financial Services.
Yet, “I know almost no one who has security software on their phone,” Murray says.
Of the 781 data breaches tracked in the United States last year, 71 were banking-related, according to the Identity Theft Resource Center. Though that might appear to be a fairly low incidence, it is double what was reported the previous year.
People just aren’t taking the same precautions to secure their phones the way they would their computers, leaving them in a vulnerable position, Murray says.
New names, old tricks
Hackers’ tricks include places you wouldn’t expect, such as the Black Jack Free App in the Google Play store.
While the app, which has since been removed, promoted a fun game, researched have shown it has a hidden agenda.
“Apps from this malware family silently download a secondary app that displays overlay windows over legitimate banking apps and some other popular apps such as FaceBook and Skype to trick people into entering their online banking credentials and credit card information,”
In another instance, a security researcher in Sweden found just a few lines of code exposed a vulnerability that could have allowed a bad actor to steal as much as $25bn from an Indian bank, according to Motherboard.
While banks in the United States all have levels of fraud protection, a digital heist can create a major headache and even raise questions of liability if a phishing attack is used, according to Alex Rice, the founder of HackerOne, a bug bounty firm.
One common phishing tactic involves posing as a company and sending a user to a site that appears legitimate, prompting them to enter their account credentials.
“Anytime someone is asking you do something online or take an action, you should be extremely skeptical,” Rice told NBC News.
Trading the password for a selfie
As hackers continue to repackage the same tricks and find new vulnerabilities to exploit, one company is trading passwords for selfies.
“It takes half a second. You would hold the phone the ordinary way and you would take a selfie. If it is really you, you are logged in,” the Executive Vice-President of Sales and Marketing at EyeVerify, says.
The selfie technology has about 1 in 50,000 odds of not letting the right person in or being fooled, Barnett said. “If I left my phone at a football game, everyone at the stadium would have to try it,” Barnett said, noting that this method addresses something he calls “password pain.”
“When I am on a mobile device, I have to use my thumbs to type the password, and most password managers don’t work in apps,” he said. “Speed and convenience is also so much more important on mobile.”
Three things you can do now to stay safe
The experts talked to all agreed that mobile banking is a convenience we should continue to enjoy. However, they noted it’s crucial to take a proactive approach to your security.
The Chief Executive Officer of IDTheftSecurity.com, Robert Siciliano, recommends people stay vigilant by asking their bank to alert them any time a transaction is completed that is above a certain amount.
“They all provide some level of notification in regards to transactions,” he says. “You can get a text, an email every time there is a charge, withdrawal, deposit — these are all options. I think that is such a great thing so you can know if something is happening in real time.”
The second action experts recommend is making sure you are running the latest version of any apps, and that your operating system is up to date. This will ensure you’re working with the most secure versions available.
The final action is one Murray says most people haven’t done: Download an anti-virus app on your smartphone.