
Fighting Malware in Mobile Banking

An Old Threat Enters a New Era of Financial Crime

Malware, or malicious software, is a catch-all term for any program that’s designed to damage computers, servers, networks or mobile devices. While the technology has been around for decades — first circulating on infected floppy disks in the 1980s that targeted Apple and PC users — its harmful consequences have by no means diminished over time. In fact, it is quite the opposite.

Malware techniques and attack vectors have evolved enormously, overwhelming organizations across the globe with monetary and reputational loss. This is particularly true for banks and financial institutions — where valuable data and money reap a high reward for hackers.

The objectives of modern malware attacks are a far cry from when it all started. The first computer virus, which displayed a poem on individually infected machines, appears comical in contrast to the magnitude of attacks we see today, where malware can intercept the one-time password (OTP) used in two-factor authentication (2FA) protections and can even trigger a mobile phone screen lock to disguise its operations.

Let’s take a closer look at mobile banking, and how mobile malware particularly threatens the financial services industry.

Mobile Malware: Sizing the Threat

For many, our mobile phones are virtually an extension of ourselves. So it’s no surprise that mobile banking adoption is continuing to explode, and that cybercriminals are continuing to follow the money. 46% of companies have experienced fraud in the past 24 months, which explains the prediction that cybercrime costs will reach 10.5 trillion dollars by 2025 globally. But how exactly does mobile malware infect new devices?

It usually starts with phishing: victims are lured into downloading a malicious app that, in many cases, poses as real antivirus software. After the malware has stolen a victim’s bank log-in and OTP information, it reports back to cybercriminals, who impersonate them and drain their accounts.

Mobile malware is evolving constantly, and many newer capabilities are alarming. In addition to stealing victims’ financial log-in data, it can also uninstall applications, block notifications and prevent uninstallation. Other types of malware can gain superuser privileges that enable them to take full control of the device. Some are even pre-installed on low-cost mobile phones.

As mobile malware has grown more sophisticated, the threat it poses has also increased. The total losses caused by internet crime grew from 1 billion to 6.9 billion dollars between 2015 and 2021.

An African Perspective

Some regions, such as Africa, face particular challenges when it comes to cybersecurity and bank fraud. Only 29 of 54 African countries assessed in the Global Cybersecurity Index (2021) have introduced cybersecurity legislation, while a painful 90% of businesses on the continent are operating without necessary protocols.

Though efforts are being made to educate and raise awareness on protection against bank fraud, by the Central Bank of Kenya for example, the boom in economic activity and record growth in e-payments are making the region even more attractive to hackers. And when it comes to mobile banking specifically, countries such as South Africa have seen a 100% increase in mobile banking application fraud — suffering 577 malware attacks an hour. It’s clear that banks must ramp up their security efforts and leverage solutions to protect their customers and their reputation.

Fighting Malware in Financial Institutions: Here’s How

Preventing malware in mobile banking requires combined action from end-users of digital banking — who must be ever-vigilant about suspicious links and applications — and banks, which have a responsibility to provide the most advanced security measures to their customers.

Verifying identity with a limited combination of factors like passwords, OTPs and IP address checks is no longer sufficient to protect digital bank accounts.

Instead, institutions must incorporate fraud solutions like HID Global’s Risk Management Solution (RMS), which solves a vast array of use cases where a mobile phone may be exposed to bank fraud. Let’s take a look at a few examples.

Scenario 1: A fraudster shows different behaviors while using the mobile phone, compared to the legitimate user.

How HID RMS reacts: RMS checks behavioral patterns, such as the way the user interacts with the device (i.e., how they navigate websites, how they tap on a phone, how they hold a device), to identify suspicious behavior and stop fraudsters from completing transactions.

Scenario 2: A fraudster installs a suspicious, fraudulent app that spoofs location information, such as GPS or VPN, on the same mobile phone.

How HID RMS reacts: RMS analyzes all installed apps to check their hashes and observe their permissions and IP. Acting as a “server-side antivirus,” it actively looks for signs of attacks to prevent fraud.

Scenario 3: A bank request is made from a suspicious IP or an anonymized and unstructured data center.

How HID RMS reacts: RMS analyzes the IP of a device and compares it with a database, revealing its possible anonymization context and risk of fraud.

Scenario 4: The mobile device used for online banking appears to have a malicious app installed.

How HID RMS reacts: RMS extracts a complex dataset from each installed application and looks for signs of attacks, such as SMS hijacking, accessibility abuse and more.
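
The kind of server-side check that Scenarios 2 and 4 describe (app hashes plus permission signals such as SMS access and accessibility services) can be illustrated in Python. This is an added example, not HID RMS code: the record layout, weights, thresholds, hashes and package names are assumptions constructed for illustration; the Android permission names are real.

```python
# Added illustration; package names, hashes, weights and thresholds are constructed.
P = "android.permission."
# (record field, Android permission, weight, reason)
SIGNALS = [
    ("permissions", P + "RECEIVE_SMS", 30, "can receive SMS (OTP interception)"),
    ("permissions", P + "READ_SMS", 30, "can read SMS inbox (OTP interception)"),
    ("permissions", P + "SYSTEM_ALERT_WINDOW", 15, "can draw overlays"),
    ("service_bindings", P + "BIND_ACCESSIBILITY_SERVICE", 30, "declares an accessibility service"),
    ("service_bindings", P + "BIND_NOTIFICATION_LISTENER_SERVICE", 15, "can read and dismiss notifications"),
    ("service_bindings", P + "BIND_DEVICE_ADMIN", 15, "device admin (resists uninstall)"),
]
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumed policy

def assess_app(app, known_bad_hashes, allowlist):
    """Score one reported app record; returns (score 0-100, reasons)."""
    # A known-bad hash wins even over the allowlist (repackaged apps reuse names).
    if app["sha256"] in known_bad_hashes:
        return 100, ["hash matches a known-malicious sample"]
    if app["package"] in allowlist:
        return 0, []
    score, reasons = 0, []
    for field, perm, weight, reason in SIGNALS:
        if perm in app.get(field, ()):
            score += weight
            reasons.append(reason)
    # Sideloading only aggravates an app that already shows a risky capability.
    if score and app.get("installer") not in TRUSTED_INSTALLERS:
        score += 20
        reasons.append("sideloaded")
    return min(score, 100), reasons

def assess_device(inventory, known_bad_hashes=frozenset(), allowlist=frozenset()):
    """Map the riskiest app on the device to a transaction decision."""
    findings = {a["package"]: assess_app(a, known_bad_hashes, allowlist) for a in inventory}
    worst = max((s for s, _ in findings.values()), default=0)
    decision = "block" if worst >= 60 else "step_up" if worst >= 30 else "allow"
    return decision, findings

# Constructed sample inventory, in an assumed format a banking app might report.
SAMPLE = [
    {"package": "com.example.notes", "sha256": "aa" * 32, "installer": "com.android.vending",
     "permissions": [P + "INTERNET"], "service_bindings": []},
    {"package": "com.example.freeantivirus", "sha256": "bb" * 32, "installer": None,
     "permissions": [P + "RECEIVE_SMS", P + "SYSTEM_ALERT_WINDOW"],
     "service_bindings": [P + "BIND_ACCESSIBILITY_SERVICE"]},
]

if __name__ == "__main__":
    decision, findings = assess_device(SAMPLE)
    print(decision, findings)
```

The allowlist parameter exists because legitimate SMS clients and assistive apps hold the same permissions; without it, the score alone would flag them.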

These examples only begin to show the potential of an effective risk management solution, one which works to protect your customers from all angles — even if fraudsters get past the log-in and 2FA stage. Solutions such as HID Global’s Risk Management Solution can help to increase security and meet regulatory requirements without negatively impacting the customer experience.

To learn more about next generation fraud detection based on deep behavioral profiling and machine learning, read the eBook, The Ultimate Guide to Risk Management Systems. Or check out HID’s Fraud Prevention Hub.

Sebastien is a Senior Security expert with extensive experience within the fields of IT, specializing in the area of Identity and Access Management (IAM) and Consumer Identity and Access Management (CIAM). As a Senior Pre-Sales Consultant at HID Global, he has led many major security projects and enabled enterprise, financial services, and government customers to meet their security and compliance requirements.