Banks Face New Threat
Banks have been caught off guard by what experts say is the first major mobile banking security threat to hit the United States.
It is a modification of the mobile Trojan called Svpeng, which has been used to steal money from Russian mobile bank accounts, said Dmitry Bestuzhev, head of global research and analysis team, Latin America, at Kaspersky Lab, a Woburn, Mass.-based antivirus software company that discovered the malware.
The malware, which emanates from Russia, has been termed “ransomware,” because the hackers demand a payment in exchange for not destroying the victim’s reputation, claiming there is child pornography and other prohibited content on the cell phone.
“Nobody wants to be a victim of such image reputation damage.” — Dmitry Bestuzhev, head of global research and analysis team, Latin America, at Kaspersky Lab.
“It takes a picture of the victim and then says it will send it with the child pornography findings to all of the victim’s contacts,” Bestuzhev said. “Nobody wants to be a victim of such image reputation damage.”
Cyber criminals are already taking steps to steal online banking credentials from mobile devices, Bestuzhev said.
Previous versions of Svpeng were used to steal money from several banks in Russia, by displaying a fake log-in window in front of the real one, which asked users to input their credentials.
This new malware is deeply integrated and is almost impossible to remove from an infected device, he added. His company found Svpeng through “proactive Internet exploring.”
Better software is needed to protect against malware, said Chris Keegan, a managing director at Beecher Carlson, in New York.
For now, banks rely on warning their customers against social engineering attempts by fraudsters, and usually that means, “Don’t press the button or answer the email.” Banks must warn their customers not to download any applications not found on the iPhone store, Google Play or other verified websites, he said.
Banks Ran Out of Time
Avivah Litan, a Gartner Inc. vice president and analyst in Potomac, Md., said the malware should serve as a wake-up call for many banks, as a fair number of them have not developed security measures for mobile banking that are as robust as those used in online banking.
Ensuring that customers use secured browsers doesn’t apply when they use mobile apps.
Giants like Chase Bank and U.S. Bank and others are developing tougher measures specific to mobile, but the industry has a whole need to step it up, Litan said.
“Everybody knew it was coming, but they thought they would have had more time.” — Avivah Litan, vice president, Gartner Inc.
“They’ve just been slow to put measures in place specific to mobile because there hasn’t been any mobile malware,” she said. “Everybody knew it was coming, but they thought they would have had more time. But now it’s here and they have to think about it now.”
Matt Krogstad, head of mobile banking at Bank of the West in San Francisco, said the bank’s fraud prevention department works with his department to combat mobile malware and other types of mobile banking fraud.
“It’s an ongoing process since the mobile security space is constantly evolving,” Krogstad said.
Bank of the West also tries to protect customers against unofficial third-party services that try to access apps or put themselves between the customer and the apps, after customers download them, he said.
Bank of the West also diligently educates customers about the latest threats, Krogstad said.In cases like Heartbleed, communications to customers were to reassure them that the bank had done its due diligence to ensurethat their accounts were safe.
“With other malware like this randomware, it’s more about reinforcing certain behaviors, such as not downloading apps from unofficial app stores or not clicking on links from people you don’t know,” he said. “Don’t jailbreak your phone or put your banking passwords in your contacts.”
Keeping up with all types of cyber crime continues to challenge the industry. Indeed, computer crime and malicious codes ranks as No. 5 as a top risk for banks, according to Aon’s 2014 U.S. Industry Report: Financial Institutions.
However, there is a disconnect at most banks that hampers risk mitigation, said Michael O’Connell, managing director, financial institutions practice at Aon Risk Solutions.
The disconnect occurs because one group traditionally is responsible for purchasing insurance, while another group is responsible for assessing exposures, including technology that may pose an operational enterprise risk, said O’Connell.
“We strongly recommend linking the two groups together, to assess ‘what-if scenarios’ and develop mitigation strategies that include insurance,” he said.
Kevin Kalinich, Aon’s global practice leader for cyber/network risk, said that recent court decisions have ruled that if fraudsters are able to steal customer identities or money, it is the bank’s obligation to help their customers, even if the fraud is out of the bank’s control.
“So if a customer gets fooled on their mobile devices, then the bank has the responsibility to monitor usage of their bank accounts,” Kalinich said.