If you’re a smartphone user who’s hooked on the speed and convenience of mobile banking, chances are good you think it’s safe to access your account, pay bills, and deposit checks online. Well, don’t bank on it.
According to a new report by McAfee Labs, cybercriminals are focusing their malware attacks on smartphones instead of computers because consumers are increasingly using them for activities such as online banking.
A 2013 survey conducted for the Federal Reserve Board by the online consumer research firm GfK found that, as of November 2012, 48% of smartphone users said they’d used mobile banking in the past year. But most mobile users fail to protect their mobile devices with security software as they do on their computers. And that makes their sensitive information a top target for hackers armed with banking malware.
Mobile Malware Can Make Online Banking Risky Business
This is how it’s happening: Banks using two-factor authentication require customers to log into their online accounts using their username, password and a mobile transaction number sent to their device via a text message. This two-step verification process is supposed to add an extra layer of online security for customers. But cyber crooks have figured out a way to defeat it.
McAfee Labs identified four new types of mobile malware used to capture banking logins and passwords. Once installed, the malware also intercepts the SMS messages carrying the one-time codes in real time. That allows hackers to access consumers’ accounts and transfer their funds.
Back in 2005, computer security specialist and writer Bruce Schneier predicted that attackers would find a way around multi-factor authentication. In his essay, The Failure of Two-Factor Authentication, he said the way they would do it is with tools that attack transactions in real time – namely “man-in-the-middle attacks and Trojan attacks against the client endpoint.” The only thing that would change over time, said Schneier, is how cybercriminals would do it: “Two-factor authentication will force criminals to modify their tactics, that’s all.”
Watch Out for Apps That Aren’t the Real Thing
That’s exactly what’s come to pass. Nearly all of the malware targets smartphones running Google’s Android operating system. In addition to banking malware, McAfee Labs reported the increasing use of Trojanized apps – legitimate apps modified to function as spyware on users’ devices.
These weaponized apps compromise users’ online security by collecting large amounts of sensitive information – everything from their call logs and contacts to their location and SMS messages. That data is then uploaded to the attacker’s server.
McAfee also found that hackers are using apps masquerading as helpful tools such as app installers. But what they really do is install spyware on users’ devices that collects and forwards their personal information.
Hackers use unofficial app stores with little or no oversight or malware checking to deliver their fake apps. So the onus is on you to secure your mobile device before you bank online.
- Make sure your device’s operating system and applications are up to date and its security settings and software are enabled.
- Password-protect your mobile device with a strong, unique password, and never store the passwords for your accounts on the device.
- Before you download an app, look at who publishes it and read the reviews, the Terms and Conditions, and the list of permissions. Cancel installation of apps that you’re not comfortable with, or deny narrower requests such as permission to access your location or send messages.
- Only download applications from what are considered to be trusted sources: the Apple iTunes App Store and Google Play, followed by Amazon and Handango for Android. This isn’t a foolproof method for steering clear of bad apps, but the vast majority of mobile malware has been distributed from other, unofficial app stores, so you can reduce your risk by avoiding them.
- Disable features that allow your phone to automatically connect to new WiFi networks or Bluetooth devices.
- Check with the hotspot operator to make sure you’re connecting to the real one, not a fake hotspot designed to steal your information.
- Disable any settings that allow your phone to connect to any available network. This will prevent you from connecting to an “evil twin” hotspot that could expose your sensitive information.
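The permission review in the list above can be automated. The following added example (not from the article or from McAfee) reads the `<uses-permission>` entries of an Android manifest and flags the combinations that match the spyware behaviour described earlier: access to SMS, call logs, contacts or location together with a way to send that data off the device. The sample manifest is constructed for illustration, not taken from a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data-access permissions, grouped by the kinds of data the article says
# Trojanized apps harvest. INTERNET (or SEND_SMS) is the usual way out.
SENSITIVE = {
    "android.permission.RECEIVE_SMS": "SMS (can read one-time banking codes)",
    "android.permission.READ_SMS": "SMS (can read one-time banking codes)",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
EXFIL = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def review(manifest_xml):
    """Return one finding per sensitive permission, noting whether the app
    also holds a permission that lets it forward the data off the device."""
    perms = permissions(manifest_xml)
    exfil = sorted(perms & EXFIL)
    path = ", ".join(exfil) if exfil else "no network or SMS-send permission"
    return [
        f"{what}: {perm} (exfil via {path})"
        for perm, what in sorted(SENSITIVE.items())
        if perm in perms
    ]


# Constructed manifest of a fake "app installer" requesting far more than an
# installer needs (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.fake.installer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for finding in review(SAMPLE_MANIFEST):
        print(finding)
```

A manifest that asks only for INTERNET produces no findings; the combination of SMS access plus a network path is the one most relevant to the one-time-code interception the article describes.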