Latest guest post from Misys.com (see also last week’s piece on ‘HOW AUGMENTED REALITY IS MAKING ITS PRESENCE FELT IN MODERN BANKING‘). See more here from MisysFS, which aims to transform the global financial services industry by making financial institutions more resilient, efficient and competitive.
Malware capable of stealing mobile banking passwords and sensitive data has been detected on Android smartphones in Australia, New Zealand, and Turkey. Is this a setback big enough to spell the end of the mobile banking revolution? What can you do if you think your phone may have been affected?
After Apple first began to change the way many of us interact with brands and institutions thanks to their iPhone and its App Store, it was perhaps only a matter of time before the banking industry, eager to reduce costs without reducing the number of customers, took note.
Somewhat inevitably, the first apps launched by retail banking chains weren’t far behind, replacing the somewhat cumbersome and not altogether user friendly approach of using push and pull SMS messages that were such a formidable part of mobile banking’s infancy.
For the most part, these apps were met with much acclaim; finally, retail banking customers had a simple, well-designed user interface that they could put to work in managing their money on the go. Yet for every word of praise, there were as many naysayers who predicted that an individual keeping their financial and security information stored on a smartphone would only serve as a green light for cybercriminals to do their worst.
The banking software specialists argued that yes, the threats were real, but so too were the solutions they were creating, and that retail banks were investing heavily in, to keep customers and their data safe.
For the longest time, this worked well. Despite scammers repeatedly coming up with more and more sophisticated ways to hack into mobile banking apps, the industry security experts were more or less always ahead of them.
Until just recently.
Back in March, experts at Internet security firm ESET discovered malware (malicious software used specifically to gain access to, or otherwise damage, a computing device such as a smartphone) which is capable of stealing users’ mobile banking passwords, and even bypassing two-factor authentication, the ultimate gatekeeper in the online security world.
How it works
The virus makes its way onto a user’s Android phone (iPhone and other smartphone users are unaffected) disguised as a Flash Player video application, delivered either via an infected website or a text message. Once installed, the rogue app requests administrator rights to the phone and, if granted, then places a fake login screen over any mobile banking apps that may be installed.
When a customer goes to use that app, they unwittingly enter their passwords into that fake login screen, ultimately sending them straight into the arms of criminals, who can use that data to access bank accounts and transfer money.
According to ESET, the malware can even intercept text messages sent by banks as part of additional security checks. Issuing a statement about their discovery, Lukas Stefanko, the company’s malware researcher, told the media: “This allows SMS-based two-factor authentication of fraudulent transactions to be bypassed, without raising the suspicions of the device’s owner.”
Who is affected
The software is so far known only to have affected mobile banking customers in Australia, New Zealand and Turkey, and only those customers who access mobile banking via Android devices. It takes advantage of the fact that apps on these devices can be installed from anywhere, unlike iPhone users, who can only use Apple’s dedicated App Store to download apps.
Big name banks known to be affected include the Bank of New Zealand, Bankwest and Kiwibank, as well as the Bendigo Bank, St George Bank, and US-based Wells Fargo.
If you think you may have been affected, experts suggest heading to the security settings on your phone, then going to Device administrators, selecting Flash Player and deactivating it. With that done, users simply need to uninstall the malware app from their phone.
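The behaviour described under “How it works” (a sideloaded app posing as Flash Player that takes device-administrator rights, draws a fake login screen over banking apps and reads incoming SMS codes) and the two-step clean-up above can be turned into a simple triage check over an app inventory. The following is an added example written for this post, not ESET’s detection logic or any Misys product code. The inventory records and the `InstalledApp` / `Finding` types are constructed for illustration; the permission strings and the Google Play installer package name are real Android identifiers, and the observation that Adobe no longer ships Flash Player for Android is the reason a “Flash Player” label is treated as suspicious.

```python
"""Triage heuristic for an overlay + SMS-stealing Android banking trojan.

Added example, not ESET's or Misys's code. Input records imitate what an MDM
or an `adb shell` inventory would yield; the field layout is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

PLAY_STORE = "com.android.vending"  # installer package reported for Google Play
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"  # draw over other apps
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
FLAG_THRESHOLD = 5  # one suspicious trait alone (e.g. an SMS app) is not enough


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]   # None when the APK was sideloaded
    permissions: Set[str]
    device_admin: bool         # currently an active device administrator?


@dataclass
class Finding:
    package: str
    score: int
    reasons: List[str]
    steps: List[str]           # ordered clean-up steps, empty if not flagged


def score_app(app: InstalledApp) -> Finding:
    """Score one app on the traits the described malware combines."""
    score, reasons = 0, []
    if app.installer != PLAY_STORE:
        score += 1
        reasons.append("sideloaded (not installed from Google Play)")
    if "flash player" in app.label.lower():
        score += 2
        reasons.append("poses as Flash Player, which Adobe no longer ships for Android")
    if app.device_admin:
        score += 2
        reasons.append("active device administrator (resists uninstall)")
    if OVERLAY_PERM in app.permissions:
        score += 2
        reasons.append("can draw over other apps (fake login screen)")
    if app.permissions & SMS_PERMS:
        score += 2
        reasons.append("can read incoming SMS (intercepts 2FA codes)")

    steps = []
    if score >= FLAG_THRESHOLD:
        # Admin rights must be revoked first, otherwise uninstall is blocked.
        if app.device_admin:
            steps.append("Settings > Security > Device administrators: deactivate " + app.label)
        steps.append("uninstall " + app.package)
    return Finding(app.package, score, reasons, steps)


def triage(inventory: List[InstalledApp]) -> List[Finding]:
    """Return only flagged apps, most suspicious first."""
    flagged = [f for f in map(score_app, inventory) if f.score >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda f: -f.score)


# Constructed inventory: a Play Store banking app, a harmless sideloaded app,
# and a sideloaded "Flash Player" showing the full trait combination.
SAMPLE_INVENTORY = [
    InstalledApp("nz.co.examplebank.mobile", "ExampleBank", PLAY_STORE,
                 {"android.permission.INTERNET"}, False),
    InstalledApp("com.example.notes", "Notes", None,
                 {"android.permission.INTERNET"}, False),
    InstalledApp("com.example.flashplayer", "Flash Player", None,
                 {OVERLAY_PERM, "android.permission.RECEIVE_SMS",
                  "android.permission.INTERNET"}, True),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding.package, finding.score)
        for reason in finding.reasons:
            print("  -", reason)
        for step in finding.steps:
            print("  >", step)
```

The threshold matters: a legitimate messaging app holds the SMS permissions and a screen-filter app holds the overlay permission, so no single trait should trigger a finding. It is the combination of sideloading, device-admin rights, overlay capability and SMS access in one app that matches the behaviour ESET described.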
What about the rest of us?
Thankfully, ESET caught wind of the virus before it could spread any further, and customers of other banks in countries like the United States and the United Kingdom should largely be unaffected.
But whilst we may have had a lucky escape this time round, does the Android attack spell the end for mobile banking? Should we all now be deleting our apps and returning to the branches?
Despite this, mobile banking continues to grow
Innovations in digital banking, such as those developed by mobile banking specialists Misys, continue to find new ways to thwart security risks, whilst banks themselves continue to push forward in the development of new mobile app features. Back in New Zealand, the country’s Westpac bank became the first in the world to offer a mobile banking app using augmented reality technology, suggesting that retail banks still have every faith in their ability to deliver banking-on-the-go safely.
It’s also worth noting that UK customers are reported to have logged into banking software to move £2.9 billion a week in 2015. Compare such figures with the falling number of reports about security threats to mobile banking, and it’s probably safe to say that money management on the move shows no signs of letting cyber criminals like those responsible for the recent Android attack ruin things for the rest of us.
— Misys (@MisysFS) March 22, 2016