As we continue to rely on the precarious mix of mobile banking & payments, mobile apps, and public WiFi hotspots, it’s perhaps not such a surprise that online bank fraud is escalating. Quite a bit of this fraud is perpetrated by malicious apps that users inadvertently download on their mobile devices. App developers with malicious intent have become quite adept at concealing the surreptitious nature of these apps.
According to security firm RiskIQ’s study, the number of malicious apps on the Google Play store increased by 388 percent from 2011 to 2013. The firm says it considered an app “malicious” if it did any of the following:
- Collected GPS coordinates, contact lists, email addresses, etc. and sent them to third parties.
- Sent SMS messages to premium-rate numbers.
- Subscribed infected phones to premium services.
- Recorded phone conversations and sent them to attackers.
- Took control over the infected phone.
- Downloaded other malware onto infected phones.
CNET reports on an Android user who says a malicious app found its way onto his phone:
“I had downloaded an unrelated app a few hours earlier. [Out of nowhere], I get a text message on the phone thanking me for subscribing [to a $4-a-month service]. If it hadn’t been for that message, I would have had no notice of the unauthorized charge until I saw it on my credit card bill.”
InfoSecurity points to a company called Curesec that suggests even something as simple as downloading a seemingly harmless game that requests no extra permissions can open the door to premium calling fraud, or to a malicious “nuisance” app that causes any outgoing calls to drop.
As we’ve long recommended, avoid using a debit card for online transactions or mobile payments. Why? Because most banks offer customers better protections for their credit cards than for their debit cards. If your credit card is fraudulently used for mobile payments, you can’t lose more than $50. But if someone uses your ATM or debit card without your permission, you can lose much more.
It’s shocking but true. Consider that you have 60 days from the date you notice credit-card fraud to notify your financial institution. Under federal law, the institution has no obligation to conduct an investigation if you miss the 60-day deadline. But once the bank is aware – within that fairly lenient two-month window – your sensitive financial information is protected, your credit card is safe once again, and you can breathe easily.
But if you use a debit card for mobile payments and unauthorized use occurs before you report it, the amount you can be responsible for depends on how quickly you report the loss to the ATM card issuer:
- If you report the loss within two business days after you spot the fraud, you won’t be responsible for more than $50 of unauthorized use.
- If you report the loss within 60 days after your statement is mailed to you, you could lose as much as $500 because of an unauthorized transfer.
- If you don’t report an unauthorized use of your ATM card within 60 days after the card issuer mails your statement to you, you risk unlimited loss; you could lose all the money in that account, the unused portion of your maximum line of credit established for overdrafts, and maybe more.
Remember that on unsecured WiFi, another area where a lot of sensitive information is often stolen, your best bet is to use PRIVATE WiFi to encrypt your sensitive communications, watch what you download, and, more to the point, monitor your bank and credit card statements carefully.