Fraudsters Take Aim At Mobile Banking
New Phishing Schemes Target Mobile Customers with Bogus Apps
Bayport Credit Union of Newport News, VA, and First Technology Credit Union of Portland, OR, warned members about a mobile banking application that had appeared on the Android Marketplace, part of the Android mobile phone platform. Android is a subsidiary of Google. More than 50 fraudulent banking apps began appearing in the Android Marketplace in mid-December, industry experts say. The apps didn't contain malware, but instead attempted to get users to enter their passwords, account numbers or other personal information.
Google says it has removed the malicious applications, which targeted customers of Barclays Bank, Chase, Wells Fargo, Bank of America, Wachovia and Deutsche Bank, among others.
Todd Lindemann, AVP of Electronic and Card Services at Mountain America Credit Union, Salt Lake City, UT, says that the malicious applications first came to his attention when MShift, a vendor providing mobile phone banking services for the credit union, investigated reports of mobile phone banking applications being hosted on an application site for Droid phones. What was more troubling to Lindemann was that his credit union had just launched its own iPhone application in November. The alert that MShift sent to its customers in December states, "This phishing attack has been launched from the Android Marketplace and is impacting over 50 financial institutions worldwide, including those that currently do not offer mobile banking solutions, much less an Android download."
MShift advised its clients to inform their customers of this potential phishing threat and "direct any of your customers that have downloaded this application from the Android Marketplace that the Android downloadable provided by Droid09 is NOT an authorized or legitimate downloadable application of your institution."
This phishing attempt to grab bank account numbers and passwords highlights the security concerns of the many institutions that both offer mobile banking to customers and rely on mobile phones, especially smartphones such as the iPhone and the Droid, to stay connected to their staff.
Best Practices for Securing Mobile
Beyond phishing concerns, there are some best practices that cell phone users should keep in mind when using their phone, whether for business or for personal use. Simon Bransfield-Garth, CEO of Cellcrypt, a cell phone encryption company based in London, offers these tips for institutions and their customers:
- Make No Assumptions - Never assume that voice calls are confidential (like fax or email), especially when calling internationally, where some countries' phone operators have no encryption security in place at all. Check your signal: calls on 3G are more secure than on 2G, but phones often fall back to 2G when 3G is unavailable.
- Ensure Physical Security - Keep your phone safe and do not leave it lying around. Skilled attackers can take just a few moments to install a malicious program, compromise the security of the SIM card or install a special battery with a bug in it, all of which can later be used to help intercept calls.
- Protect PINs - Use and protect your phone and voicemail PINs in the same way as your bankcard PIN. Never leave confidential messages in voicemails or send confidential texts. Texts in particular are easy to read on the phone and mobile phone voicemails can often be accessed from any phone with the PIN.
- Be Mindful of Malware - Be vigilant to prevent malicious software on your phone. Be wary of texts, system messages or events on your phone that you did not ask for, initiate or expect. Turn off Bluetooth if you are not using it.
- Take Precautions - Consider installing antivirus/antimalware software. And if you strongly suspect your calls are being listened to, then turn off the phone when you don't need it and remove the battery as an extreme precaution. Also, to secure your sensitive calls, use voice call encryption software on your phone that works worldwide and is as easy to use as making a normal phone call.
Bransfield-Garth says financial institutions are no different from any other organization when it comes to protecting valuable phone calls, and this kind of call interception could also potentially extend to the calls made to the institution by customers inquiring about their accounts. Imagine a high-value customer calls in to transfer or wire funds, and the call is intercepted. Who would be responsible for the theft of that customer's money if a hacker got an account number, password or PIN? "The responsibility angle is very important, as theft of voice call data is not explicitly covered by regulatory, compliance or best practices that already exist for 'data' (which means non-voice data)," Bransfield-Garth says.