Poor coding practices for mobile app cloud security put user data in peril
Intel Security, Dell, F5 Networks, and Kaspersky Lab speak up about security in mobile banking.
When McAfee Labs researchers studied how two mobile banking Trojans were able to circumvent the financial institution’s security and gain illegal access to user information, they found a disturbing loophole: The Trojans abused root privileges to silently install malicious code and enabled an SMS message scheme to steal credit card numbers and execute fraudulent transactions.
More worrying for financial institutions and their mobile banking users is data suggesting that thousands of other Trojans may be exploiting similar weaknesses in mobile apps due to sloppy programming.
A two-month analysis of more than two million legitimate mobile apps and nearly 300,000 mobile malicious software (malware) apps was able to reveal that developers often do not follow sound cloud security coding practices, according to Craig Nielsen, managing director, South East Asia at Intel Security. This vulnerability may result in leakage of personal and financial user data, and put erring financial institutions in hot water.
Poor coding practices
“Poor coding practices for mobile app cloud security, including the failure to follow back-end service provider guidance, can lead to the exposure of user data in the cloud,” says Nielsen.
“Mobile apps often rely on back-end services for secure data storage and communications. Nonetheless, mobile app developers are responsible for integrating their mobile apps with these back-end services. User data can be exposed if app developers fail to follow the back-end providers’ security coding guidelines—a possibility that is now more likely based on the increasing amount of personal and professional business conducted in the mobile cloud,” he explains further.
While Trojans and their malware kin continue to slip through security cracks to cause mayhem, retail banks and other financial institutions are not about to give up on the war, if only because there is so much at stake for the future of their businesses.
“Against the backdrop of the digital economy, retail banks around the world are facing a new reality – profitability is anchored in their ability to transform their business to meet the evolving demands of digitally-savvy customers today, yet security threats are imminent and remain to be a key concern for them,” says Han Chon, director for security and endpoint systems management at Dell Asia-Pacific & Japan.
McKinsey report has found that about 40 percent of Asian customers now prefer online or mobile banking and the number of digital-banking consumers is expected to become 1.7 billion by 2020.
But Chon says that as retail banks provisioned financial services through mobile and Internet channels, it has also opened up new doors for cybercriminals to target, leading to a number of high profile data breaches in the past few years.
Mobile and Internet banking have become arenas with no clear winner on either side.As financial institutions develop better protective measures, Chon says exploits are also evolving to stay one step ahead of security systems, with greater speed, heightened stealth and novel shapeshifting abilities.
SSL/TLS encryption
New security technology can be a double-edged sword, as seen in the growth of SSL/TLS encryption as a security measure.“It’s a positive trend in many ways, however, it also gives hackers a new channel through which they can target organizations and consumers,” says Chon.
“Using SSL/TLS, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. These attacks can be extremely effective, simply because most companies do not have the right infrastructure to detect them,” he adds.
Chon cites the Dell Security Annual Threat Report in 2015 which found that SSL/TLS encryption continued to surge but also leading to under-the-radar hacks affecting at least 900 million users.
Spear phishing
In Asia, spear phishing and other malware attacks are the weapon of choice among cyber criminals, says Lim Chin Keng, director of security solutions, APAC at F5 Networks.
Lim says spear spear phishing involves sending emails forged to look like they are from the target bank to trick users into installing malware that will compromise their account once they log in.
“The malware may simply record the username and password and then send it along to a drop zone for later pickup, or it may steal currency via hidden financial transactions,” he says.
The threat of these attacks are palpable. The Association of Banks in Singaporehas said that about 50 smartphone users in Singapore were hit by malware targeting mobile banking customers in the months of September, October and November of 2015, and warned that the number could see an increase amid a rise in mobile payments. Malware attackers then went on to make various online purchases with their stolen access, ranging from airline tickets, to electronic devices, with each transaction valued at around a couple of hundred dollars.
Financial institutions have the most high profile, high-value assets on the Internet in the form of millions of bank accounts, says Lim, which is why Asian banks are taking protection against malware attacks very seriously.
“They are taking active steps to understand how different malware types work, and new tactics being adopted by fraudsters to combine personally identifiable information data stolen by malware with social engineering to create advanced fraudulent transactions. Banks are increasingly looking at partnering with a technology providers that not only are specialised in providing malware detection capabilities, but also have focused security operation centres that monitor and analyse financial malware attacks to complement the bank's security and fraud team,” says Lim.
This means that financial institutions that are looking to enter the mobile and Internet banking game will have to commit a lot of resource investments to keep up with the pace of malware infection and attack transformations.
Protecting and empowering users
Financial institutions might bear a lot of the blame when it comes to mobile banking security breaches due to their lackadaisical approach or insufficient resource investments, but analysts are also quick to point out that the customers themselves often serve as accomplices to online thieves.
“Any security solution and process is as strong as the weakest link, in this case, it’s the customer,” says a Kaspersky Lab spokesperson. “Will she/he click on a link or open an attachment? Is his/her system up-to-date, with all patches applied?”
Facing the reality that even the best security measures are compromised due to customer negligence, financial institutions are creating more aggressive campaigns to inform and empower mobile and Internet banking users.
Some are providing information on their banking websites about current malicious activities affecting internet banking, while others are even going as far as stating that they will not provide restitution for losses if the attacked system was not fully patched or secured, says the Kaspersky Lab spokesperson.
The spokesperson further suggests that financial institutions should advise customers to use a security solution on their device, to make sure it scans files as they are downloaded and protects the device from other types of Internet attacks.
“Protection against security threats should be a joint responsibility between the bank and the consumer,” says Nielsen.
“While banks deploy security solutions within their infrastructure, consumers also need to be very careful with the mobile apps they download onto their phone,” adding that users should only download mobile apps from well-known sources and should avoid rooting their device or at least limit its rooting since malware often abuses privileged access to silently install apps without consent.