The idea of a faceless criminal making a fake copy of your mobile banking app, spying while you key in your credentials, and draining your savings before your eyes sounds like a dystopian nightmare.
But across Australia it is happening, and at an alarming rate.
Last April, the country was shocked by the story of a university student whose online banking app was accessed remotely by hackers who stole $3,000 from his savings as he watched, horrified and helpless.
The victim's numerous attempts to contact his bank were unsuccessful, with support staff deeming the hacker's transactions "authorized".
His story is unfortunately not unique. Online banking is a rich playground for cybercriminals, particularly in Australia: two-thirds of Australians now use banking apps to manage their finances, and last year app-based banking overtook desktop internet banking for the first time as the most popular method.
It's no coincidence, then, that online banking scams were among the most common attacks reported by Australians between 2020 and 2021, according to the latest Annual Cyber Threat Report from the Australian Cyber Security Centre (ACSC).
Attacks on smartphone and tablet users running banking apps are carried out with a single, plainly malicious intent: to steal login credentials and the other personal data tied to a victim's finances. Criminals who successfully compromise a device gain direct access to what they are after: life savings.
How Cyber Attackers Target Banking App Customers
Criminals employ various tactics to target banking app users, including sending spam emails that encourage them to download fake versions of apps, or calling and emailing targets while claiming to be their bank in an attempt to get them to transfer money.
If a user's phone carries spyware, whether from downloading a compromised app or clicking a malicious link, the attacker can log keystrokes, so that when the user enters banking credentials they are transmitted directly to the criminal.
In 2018, global cybersecurity firm Lookout discovered the BancaMarStealer trojan family, which is delivered to victims via text messages that prompt them to install a custom application built to steal their mobile banking credentials. The malware can be configured to target specific banks, and as of April 2021 there were 74,000 samples of it across the world.
This followed the discovery in 2016 of the SlemBunk threat, which monitors a device to determine when a banking app is opened. That event triggers the launch of a fake login screen mimicking the legitimate application, into which customers type their credentials.
The obligation of banks
Financial institutions have long been associated with airtight security measures to protect people’s most valuable assets from physical and virtual threats.
The recent wave of cybercrime has prompted a host of new security regulations and protections for financial institutions.
Since this year, banks are considered operators of critical infrastructure, which means that the government steps in with support in the event of a cyberattack, and that banks are subject to stricter security obligations, including mandatory reporting of security incidents and the development of risk management programs.
Recently, Australians saw the consequences of a financial institution failing to meet its cybersecurity obligations when the hammer of the Federal Court of Australia fell on RI Advice. Nine cyber incidents that had affected its clients were treated as evidence of its lax security systems, and RI Advice was ordered to pay $750,000.
While it’s unfair to single out the banks entirely – after all, there’s been a renewed focus on them to up their security game – there is a crucial gap affecting mobile bankers across the country.
Currently, banking applications apply security measures mainly to protect the bank's own back-end infrastructure, which leaves the environment in which the app actually runs, the customer's device, open to attack. The app itself has no protection against malware, Trojans, or spyware installed alongside it, leaving customers vulnerable to precisely the kind of money-draining cybercrime described above.
While banks may claim that their applications are secure and protected, and that some degree of user discretion is required to prevent attacks, this approach ends up costing them dearly in the long run.
Banks generally reimburse customers who have been defrauded in order to avoid a backlash. In the university student's case above, the bank refunded all the stolen money, but not before its name was unflatteringly displayed in the news.
Further afield, in Singapore, OCBC Bank announced in January that it had paid out more than $14 million reimbursing victims of phishing scams, 80% of which occurred in the space of just one week over Christmas.
Customers deserve adequate security from their banks, and given that the technology exists to ensure that device environments are protected, there really is no excuse for being left behind.
Environmental security now critical for banking applications
Banking applications need to be redesigned from the ground up, with security-specific SDKs brought in during the redesign rather than bolted on afterwards.
Designed properly, an app is both secure and threat-aware: it protects itself from the environment around it, including spyware, Trojans, and other malware.
Applications built with this "environmentally aware" self-protection can alert the bank's application administrators that a malicious process is running on the device and apply remediation, such as closing the app immediately, refusing a one-time password authorization, or blocking payments altogether.
Because these measures ship inside the app itself, the protection is present from the moment it is downloaded and travels with every subsequent update.
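The following is an added illustration of what such in-app self-protection can look like on Android; it is not code from the article, from Lookout, or from any bank. It collects a few device signals that Android banking trojans depend on (root, an attached debugger, unreviewed accessibility services, and touches that arrive while another window is drawn over the app, the mechanism behind SlemBunk-style fake login screens), maps them to a remediation, and gates OTP entry and payment confirmation on the result. The allow-listed package name, the escalation policy, and the bank-side UI and reporting hooks are assumptions.

```kotlin
// Added example: environment-aware self-protection for an Android banking screen.
// Not Lookout's SDK or any bank's code; thresholds, package names and hooks are assumed.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.os.Debug
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager
import java.io.File

enum class Remediation { ALLOW, BLOCK_OTP, BLOCK_PAYMENTS_AND_ALERT, TERMINATE }

data class Signals(
    val rooted: Boolean,
    val debuggerAttached: Boolean,
    val untrustedAccessibilityServices: List<String>,
    val touchWasObscured: Boolean,
)

class EnvironmentGuard(
    private val ctx: Context,
    // Accessibility services the bank has reviewed (assumed allow-list; TalkBack as an example).
    private val trustedAccessibility: Set<String> = setOf("com.google.android.marvin.talkback"),
) {
    @Volatile var touchWasObscured = false // set from the touch listener below

    fun collect(): Signals {
        // Root indicators: common su paths or a test-keys build. Cheap and evadable,
        // but a positive hit is a strong signal in a banking flow.
        val rooted = listOf("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")
            .any { File(it).exists() } || (Build.TAGS?.contains("test-keys") == true)

        // Accessibility services are how many Android banking trojans read the screen
        // and inject taps; anything outside the reviewed list is treated as hostile.
        val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        val untrusted = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filter { it !in trustedAccessibility }

        return Signals(rooted, Debug.isDebuggerConnected(), untrusted, touchWasObscured)
    }

    // Policy (assumed): escalate rather than merely log. A debugger on a production
    // banking app, or a touch delivered through an overlay, ends the session.
    fun decide(s: Signals): Remediation = when {
        s.debuggerAttached || s.touchWasObscured -> Remediation.TERMINATE
        s.untrustedAccessibilityServices.isNotEmpty() -> Remediation.BLOCK_PAYMENTS_AND_ALERT
        s.rooted -> Remediation.BLOCK_OTP
        else -> Remediation.ALLOW
    }
}

class OtpActivity : Activity() {
    private lateinit var guard: EnvironmentGuard

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        guard = EnvironmentGuard(this)
        // Android 12+: ask the system to hide other apps' overlay windows while this
        // screen is visible (requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
    }

    // Attach to the OTP field and the "confirm payment" button. The framework flags a
    // touch that arrives while another window covers this view, which is what a fake
    // login overlay produces. (view.filterTouchesWhenObscured = true would drop such
    // touches silently; here we want to detect them and react.)
    fun protect(view: View) {
        view.setOnTouchListener { _, ev ->
            if (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED != 0) {
                guard.touchWasObscured = true
                applyRemediation(guard.decide(guard.collect()))
                true // swallow the touch
            } else {
                false
            }
        }
    }

    // Call before accepting an OTP or submitting a payment; proceeds only on ALLOW.
    fun gateSensitiveStep(): Boolean {
        val r = guard.decide(guard.collect())
        applyRemediation(r)
        return r == Remediation.ALLOW
    }

    private fun applyRemediation(r: Remediation) {
        when (r) {
            Remediation.ALLOW -> Unit
            Remediation.BLOCK_OTP -> disableOtpEntry()
            Remediation.BLOCK_PAYMENTS_AND_ALERT -> { disablePayments(); reportToBank(r) }
            Remediation.TERMINATE -> { reportToBank(r); finishAndRemoveTask() }
        }
    }

    // Bank-side hooks (assumed): wire to the app's UI and risk/telemetry backend.
    private fun disableOtpEntry() { /* grey out the OTP field and show guidance */ }
    private fun disablePayments() { /* hide the confirm button for this session */ }
    private fun reportToBank(r: Remediation) { /* send the Signals and decision to the bank */ }
}
```

Two design points worth noting. Root and debugger checks are easy for a determined attacker to hide, so the policy above treats them as inputs to a decision that also reaches the bank's back end, rather than as the only line of defence. And the obscured-touch check is the single most direct counter to the overlay attacks the article describes: whatever the fake screen looks like, a credential field that refuses input while something is drawn over it cannot be harvested that way.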
This means banks don’t have to rely on customers to protect the environment themselves – and they avoid handing out hefty refunds when scammers’ attempts succeed.
Likewise, customers will feel more secure when using banking apps and will increasingly rely on them for everyday use, freed from the buzzing fear of potential risks.
There has been a monumental change in the way Australians manage their finances, and banks have an obligation to protect customers in this new environment.
On-site bank vaults may have been sufficient in the past, but with the majority of Australians carrying their banks around in their bags and pockets, financial institutions must adapt and protect their customers at all times, or they will continue to suffer the consequences.
Don Tan is senior director, Asia-Pacific Japan, for Lookout.