MoD to save taxpayer up to £1 billion in a new con... » The MoD has agreed a contract to update and sustain the UK’s military air traffic management which i... Lieberman Software Privilege Management Solution... » London, UK: Lieberman Software Corporation’s privilege management product, Enterprise Random Passwor... Morocco to help United Arab Emirate to combat ter... » Washington, DC: Moroccan Minister of Foreign Affairs Salaheddine Mezouar has said Morocco will provi... "Use cameras only as necessary and proportionate r... » In view of the recent warning from the Information Commissioner’s Office (ICO), it appears the days ... Creeks in Goodluck Jonathan's Niger Delta havens f... » Ogbuefi Jonathan...Nigeria's multi-billionaire President whose little corner stinks to high hea... Leadinng forensic anthropologist receives prestigi... » Vigilance can report that leading forensic anthropologist Dr Tim Thompson has been presented with ... British soldiers make last journey home after 13 ... » Can these Afghan soldiers be entrusted with the defence of democracy and their country for long? Tim... Empello’s new guardian technology protects against... » London: Empello has announced a major leap forward in its ad monitoring capabilities. The new ‘Guar... Bash Bug laughs in the face of traditional passwor... » Utrecht/Frankfurt/London: The ease with which hackers can steal sensitive login details from compani... Encap Security incorporates convenience of Apple... » Oslo & Palo Alto: Encap Security, the first in-app authentication solution to arm banks, retailers a...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

Shopping or banking online depends on trust. Individuals interact with sites that they trust, and sites have to trust the person who is transacting with them.

Many online banking sites are turning to two-factor authentication to confirm the identity of the individual they are transacting with – typically an ‘out-of-band’ method of authentication using a token or SMS message to a mobile phones. Initially tokens were widely rolled out, but many banks faced a backlash from their consumers because tokens were too inconvenient to carry around, and they could be easily lost or damaged.

 

Customers embraced SMS messages as an authentication method, as they are much more likely to have their mobile phone with them when they need to access their online bank account. By 2014, it is predicted that 64% of all two-factor authentications sales will be mobile – making it easier for people to access the systems and websites they need to securely, wherever they are.

However, as we have seen so many times before, criminals go where the money is. So it is of no surprise that many have tried to ‘break’ the additional security provided by SMS messages, as they have tried to break many other security tools in the past.

Andy Kemshall, CTO of SecurEnvoy said, “The problem is user education. Banks have spent a lot of time telling their customers that they will ‘never ask for your account details in an email’ or to look out for anything suspicious about the ATM they are using and report it. When it comes to SMS, however, banks have rolled out these tools to their customers, but they don’t educate them about how the criminals’ tactics will change.”

He continued, “The recent Eurograbber attack is a multi-pronged approach – but it means that there were multiple points at which the consumer could, and should, have identified that something suspicious was happening. First there was a phishing email to download a piece of malware, followed by unusual instructions from the bank during the customer’s online banking session, and then a link was send to the user’s mobile phone to download a piece of malware on to the phone. Only once all of these steps had been completed, could the criminals take over the victim’s bank account.”

“All of these errors came about because the customer trusted the ‘request’ they received, believing it to be from the bank. But in fact they are giving away access to their bank account to a hacker. Consumers are too trusting. Their mobile phone is now their authentication device for their online banking, but they are willing to give out their phone number of download ‘updates’ without knowing anything about the person making the request- it’s a bit like asking someone in the street to look after your baby while you go shopping!” added Andy Kemshall.

Alan Goode, Founder and Managing Director, Goode Intelligence said, "I believe that the use of SMS to deliver 2FA one-time-passwords (OTP) is an effective way to improve authentication for organisations. However, mobile users are increasingly being targeted by fraudsters and criminals. Our research into mobile malware indicates a growing risk to mobile phone users, especially if you are using an Android device. A combination of user education - treat the mobile device as a computer not a phone - and installing effective mobile security solutions (ones that protect against the Trojans targeting banking customers) is needed to counteract targeted attacks against mobile users. Organisations, including financial institutions, that are mobilising their business by developing mobile apps and services must also be responsible for the security of their users.”

A recent insight report on mobile banking security from Good Intelligence advises banks that they should perform the following actions to ensure that their customers are adequately protected against the latest mobile threats:

Use the power of the mobile phone to create an encrypted communication channel between user and bank

Ensure that your customers are always authenticated using a trusted two-factor or multi-factor authentication solution, one that is suitable for the mobile channel

Monitor apps stores for any rogue apps that purport to represent your company - and kill them quickly

Introduce a plan for updating mobile banking apps

Ensure that mobile banking apps are security tested

Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others

Educate users about the dangers of using a mobile device for banking purposes including system hygiene when upgrading their handset, and disposing of an old one