Beware Of These 5 Mobile Banking Cyber Attacks in 2022

Our team continuously monitors for significant mobile banking and related security threats that are lurking in the digital world.

To provide further insight on what you should be on the lookout for throughout 2022, let’s take a look at a handful of noteworthy cyber attacks — and how to protect yourself against them.

5 Cyber Attacks On Mobile Banking in 2022

1. Bazos Attack on 3DSecure

Fraudsters taking advantage of a payment system’s vulnerabilities are an ongoing issue. In this case, these cybercriminals pretend to pay for goods on classified ads platform Bazos, when in reality, they’re stealing the money of its customers who were trying to sell items on the platform. 

In addition to these bad actors taking advantage of the platform, there’s an issue with the way that banks communicate the transactions to the people making them — this ambiguous messaging leads to misunderstandings, and ultimately, Bazos customers end up losing money. For example, someone seeing the message “Please confirm the payment of 500 EUR” might assume that they’re confirming an incoming payment, while instead, they’re being tricked into making a payment to a cybercriminal.

How to stay safe: We recommend that banks use clear language to aid users in properly conducting and approving e-commerce transactions. In practice, this could mean rephrasing a statement of "Confirm the payment of $500" to "You are sending $500."

2. Mobile Malware on Google Play

Mobile malware on app marketplaces is virtually always present. In various shapes and forms, malicious apps pretend to offer legitimate services, but later, they force users to install banker malware.

Recently, a malicious 2FA authenticator app on Google Play made headlines. It is one example of the many fraudulent apps masquerading as a legitimate service.

Image credit: Pradeo

How to stay safe: We recommend that you integrate persistent malware protection in your mobile banking app and advise users to uninstall malicious apps as soon as possible.

3. Multi Accounting Attacks

In general, multi-accounting is the act of purposefully creating multiple accounts in order to abuse a system. In multi-accounting attacks on banking, attackers steal victims' credentials and pair the victims' accounts with mobile banking on the attackers' own devices. After the pairing, the fraudsters usually max out the pre-approved loans and launder the money out of the bank account. Then they move on to another victim: rinse, repeat.

How to stay safe: Fortify your process for (re)activation by adding a personal ID scan and server-side face biometrics. Implement device fingerprinting techniques to identify multi-accounting.
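The device-fingerprinting check recommended above can be sketched as follows. This is an added example, not Wultra's code: the event format, the identifiers and the thresholds are assumptions, and the fingerprint is taken to be a stable per-device value that the bank already computes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activation events: (timestamp, customer_id, device_fingerprint).
ACTIVATIONS = [
    ("2022-03-01T09:00:00", "cust-101", "fp-aaa"),
    ("2022-03-01T09:40:00", "cust-102", "fp-bbb"),
    ("2022-03-02T14:05:00", "cust-205", "fp-ccc"),
    ("2022-03-02T18:30:00", "cust-317", "fp-ccc"),
    ("2022-03-03T08:10:00", "cust-101", "fp-aaa"),  # same customer re-activating
    ("2022-03-04T11:45:00", "cust-428", "fp-ccc"),
    ("2022-04-20T10:00:00", "cust-102", "fp-ddd"),  # customer got a new phone
    ("2022-04-25T10:00:00", "cust-550", "fp-bbb"),  # old phone reused weeks later
]

def find_multi_accounting(events, max_customers=1, window_days=30):
    """Return {fingerprint: sorted customer ids} for every device that activated
    more than max_customers distinct customers within a sliding time window."""
    window = timedelta(days=window_days)
    by_device = defaultdict(list)
    for ts, customer, fingerprint in events:
        by_device[fingerprint].append((datetime.fromisoformat(ts), customer))

    flagged = {}
    for fingerprint, rows in by_device.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the window never spans more than `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            customers = {c for _, c in rows[start:end + 1]}
            if len(customers) > max_customers:
                flagged.setdefault(fingerprint, set()).update(customers)
    return {fp: sorted(c) for fp, c in flagged.items()}

if __name__ == "__main__":
    for fp, customers in find_multi_accounting(ACTIVATIONS).items():
        print(f"review {fp}: activated for {', '.join(customers)}")
```

The sliding window keeps a resold or handed-down phone (fp-bbb in the sample) from being flagged, while a device cycling through several customers in a few days is.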

4. Recovery Code Account Hijacking

Banks often design new ways to make mobile banking recovery simple and fully online. One of the methods that we’ve come across was the use of the “recovery codes” that are presented to the user on their first login.

Recovery code account hijacking compromises mobile banking applications by utilizing phishing techniques. This would be nothing new, but the attackers pair an app only to rewrite the user’s recovery info. After that, they unpair the app. The bank customer may notice some suspicious activity and check their internet banking (or get in touch with the bank’s call center) in order to verify that everything’s in order. Even though the bank will assure the customer that there are no issues, the customer’s recovery codes will stay active. Because of this, the attacker can use them to silently activate mobile banking on a new device and steal the customer’s money.

How to stay safe: Whenever a customer calls with a suspicion of a hacked account, block their recovery codes at your call center. Additionally, it’s wise to educate your clients about the role and usage of recovery codes on an ongoing basis and proactively inform them whenever a new mobile banking registration takes place.
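The pair, rewrite, unpair sequence described above leaves no active attacker device for the call center to see, so it has to be found in the audit trail. The following added example (not from the original article) scans a constructed audit log for that sequence; the event names, field layout and the 24-hour session limit are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit-log sample: (timestamp, customer, event, device).
# The event names are hypothetical, not those of any real banking backend.
AUDIT_LOG = [
    ("2022-05-02T10:00:00", "cust-7", "DEVICE_PAIRED", "dev-A"),
    ("2022-05-02T10:03:00", "cust-7", "RECOVERY_CODES_CHANGED", "dev-A"),
    ("2022-05-02T10:04:00", "cust-7", "DEVICE_UNPAIRED", "dev-A"),
    ("2022-05-03T08:00:00", "cust-9", "DEVICE_PAIRED", "dev-B"),
    ("2022-05-03T08:05:00", "cust-9", "RECOVERY_CODES_CHANGED", "dev-B"),  # stays paired
    ("2022-05-04T12:00:00", "cust-3", "DEVICE_PAIRED", "dev-C"),
    ("2022-05-20T12:00:00", "cust-3", "DEVICE_UNPAIRED", "dev-C"),  # codes untouched
]

def codes_to_block(log, max_session_minutes=1440):
    """Return customers whose recovery codes were rewritten by a device that was
    paired and then unpaired again within max_session_minutes."""
    limit = timedelta(minutes=max_session_minutes)
    sessions = {}  # (customer, device) -> pairing time and whether codes changed
    suspects = []
    for ts, customer, event, device in sorted(log):
        when = datetime.fromisoformat(ts)
        key = (customer, device)
        if event == "DEVICE_PAIRED":
            sessions[key] = {"paired": when, "changed": False}
        elif event == "RECOVERY_CODES_CHANGED" and key in sessions:
            sessions[key]["changed"] = True
        elif event == "DEVICE_UNPAIRED" and key in sessions:
            session = sessions.pop(key)
            # A short-lived pairing whose only lasting effect is new recovery
            # codes matches the hijacking pattern: block the codes and notify.
            if session["changed"] and when - session["paired"] <= limit:
                suspects.append(customer)
    return suspects

if __name__ == "__main__":
    for customer in codes_to_block(AUDIT_LOG):
        print(f"block recovery codes and notify {customer}")
```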

5. Repeated Pushes To Annoy Users

This attack’s technique is simple: attackers repeatedly send push approval requests to wear customers down until they approve one. (No one likes to be nagged, even when it comes to applications that contain sensitive data, such as mobile banking apps.)

How to stay safe: Implement throttling on login and approval attempts on both a per-user and per-device basis. Furthermore, consider adding a QR code to the flow.
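A sketch of the per-user and per-device throttling recommended above, as an added example that is not part of the original article. The limits, the window length and the choice to key the device limit on the device that initiates the login are assumptions.

```python
from collections import defaultdict, deque

class ApprovalThrottle:
    """Sliding-window limit on push approval requests, per user and per device."""

    def __init__(self, per_user=3, per_device=5, window_s=600):
        self.limits = {"user": per_user, "device": per_device}
        self.window_s = window_s
        self.seen = defaultdict(deque)  # ("user" | "device", id) -> timestamps

    def allow(self, user_id, device_id, now):
        """Return True if a push may be sent for this request at time `now` (s)."""
        keys = (("user", user_id), ("device", device_id))
        for key in keys:
            queue = self.seen[key]
            while queue and now - queue[0] >= self.window_s:
                queue.popleft()  # forget requests older than the window
        if any(len(self.seen[k]) >= self.limits[k[0]] for k in keys):
            return False  # over a limit: no push reaches the customer
        for key in keys:
            self.seen[key].append(now)
        return True

def simulate(requests, **limits):
    """Replay (seconds, user, requesting_device) tuples through a new throttle."""
    throttle = ApprovalThrottle(**limits)
    return [throttle.allow(user, device, t) for t, user, device in requests]

# Constructed traffic samples.
FLOOD = [(t, "alice", "dev-x") for t in range(0, 50, 10)]     # one user nagged
ROTATE = [(t, "alice", f"dev-{t}") for t in range(4)]         # changing devices
SPRAY = [(t, f"user-{t}", "dev-y") for t in range(7)]         # one device, many users

if __name__ == "__main__":
    print("flood :", simulate(FLOOD))
    print("rotate:", simulate(ROTATE))
    print("spray :", simulate(SPRAY))
```

The per-user limit caps how many prompts a customer sees even when the requesting device changes, and the per-device limit stops one device from working through many users.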

Key Takeaways from the Session

When taking each of the aforementioned threats into consideration, here are some general rules of thumb to keep in mind while navigating the modern mobile banking landscape.

1. Get Rid of SMS OTP: Use SMS as an additional security element and information channel, not as a sole possession factor in strong customer authentication.

2. Speak Clearly: In other words, use clear and sufficient product messaging. Whenever the status of strong customer authentication changes, you should inform your customers so that they have a chance to react and reclaim their security.

3. Be Proactive: Don’t rely on security measures by Apple and Google. Instead, use active in-app protection connected to a threat intelligence service to detect problematic situations or instances of malware.

4. Use Design to Your Advantage: In short, dumb design can cause you trouble. Sometimes, a clever technique or minor process adjustment can significantly improve an application’s security while having minimal impact on user comfort.

Protect Your Banking App With Mobile Threat Intelligence

By integrating the all-in-one solution for mobile in-app security by Wultra, you will protect your mobile banking from various threats, such as mobile malware, rooting/jailbreak, multi-accounting attacks, and more.
