
Shopping or banking online depends on trust. Individuals interact with sites that they trust, and sites have to trust the person who is transacting with them.

Many online banking sites are turning to two-factor authentication to confirm the identity of the individual they are transacting with, typically an ‘out-of-band’ method of authentication using a hardware token or an SMS message to a mobile phone. Initially tokens were widely rolled out, but many banks faced a backlash from their customers because tokens were too inconvenient to carry around and could easily be lost or damaged.


Customers embraced SMS messages as an authentication method, as they are much more likely to have their mobile phone with them when they need to access their online bank account. By 2014, it is predicted that 64% of all two-factor authentication sales will be mobile, making it easier for people to securely access the systems and websites they need, wherever they are.

However, as we have seen so many times before, criminals go where the money is. So it is no surprise that many have tried to ‘break’ the additional security provided by SMS messages, just as they have tried to break many other security tools in the past.

Andy Kemshall, CTO of SecurEnvoy said, “The problem is user education. Banks have spent a lot of time telling their customers that they will ‘never ask for your account details in an email’ or to look out for anything suspicious about the ATM they are using and report it. When it comes to SMS, however, banks have rolled out these tools to their customers, but they don’t educate them about how the criminals’ tactics will change.”

He continued, “The recent Eurograbber attack is a multi-pronged approach – but it means that there were multiple points at which the consumer could, and should, have identified that something suspicious was happening. First there was a phishing email to download a piece of malware, followed by unusual instructions from the bank during the customer’s online banking session, and then a link was sent to the user’s mobile phone to download a piece of malware onto the phone. Only once all of these steps had been completed could the criminals take over the victim’s bank account.”

“All of these errors came about because the customer trusted the ‘request’ they received, believing it to be from the bank. But in fact they are giving away access to their bank account to a hacker. Consumers are too trusting. Their mobile phone is now their authentication device for their online banking, but they are willing to give out their phone number or download ‘updates’ without knowing anything about the person making the request. It’s a bit like asking someone in the street to look after your baby while you go shopping!” added Andy Kemshall.

Alan Goode, Founder and Managing Director, Goode Intelligence said, "I believe that the use of SMS to deliver 2FA one-time-passwords (OTP) is an effective way to improve authentication for organisations. However, mobile users are increasingly being targeted by fraudsters and criminals. Our research into mobile malware indicates a growing risk to mobile phone users, especially if you are using an Android device. A combination of user education - treat the mobile device as a computer not a phone - and installing effective mobile security solutions (ones that protect against the Trojans targeting banking customers) is needed to counteract targeted attacks against mobile users. Organisations, including financial institutions, that are mobilising their business by developing mobile apps and services must also be responsible for the security of their users.”
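The two quotes above describe SMS one-time passwords at a high level: the bank issues a short code out of band, and the code is what the Eurograbber malware went after. The following is an added example, not code from the article, from SecurEnvoy or from Goode Intelligence, of what the bank-side half of such a scheme has to get right. It assumes six-digit codes, a two-minute lifetime, a limit of three guesses, and, as a design choice, that each code is derived over the details of the transaction it authorises (so a code intercepted for one transfer does not validate a different one, and the SMS text shows the customer what they are actually approving). Names such as `SmsOtpService` and the transaction strings are invented for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumption: six-digit codes, as most banks send
OTP_TTL_SECONDS = 120   # assumption: a code is valid for two minutes
MAX_ATTEMPTS = 3        # assumption: three guesses, then the code is burned


class SmsOtpService:
    """Server side of an out-of-band SMS one-time-password step (example code).

    Each code is bound to the transaction it was issued for, is single use,
    expires, and tolerates only a few wrong guesses. State is in memory only;
    a real deployment would keep it in a shared store.
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # session_id -> state of the outstanding code

    def _derive(self, nonce: bytes, transaction: str) -> str:
        # HMAC over a fresh nonce plus the canonical transaction string, then the
        # dynamic truncation from RFC 4226 section 5.3 to get a short decimal code.
        msg = nonce + b"|" + transaction.encode("utf-8")
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F
        code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

    def issue(self, session_id: str, transaction: str):
        """Create a code for this session and transaction.

        Returns (sms_text, code); only sms_text leaves the server, via the SMS
        gateway. The code must never be returned to the web session itself.
        """
        nonce = secrets.token_bytes(16)
        code = self._derive(nonce, transaction)
        self._pending[session_id] = {
            "nonce": nonce,
            "issued": self._clock(),
            "attempts": 0,
        }
        # The message spells out what is being authorised, so a customer whose
        # browser session has been tampered with can see the mismatch.
        sms_text = f"Code {code} authorises: {transaction}. Never share this code."
        return sms_text, code

    def verify(self, session_id: str, transaction: str, code: str) -> bool:
        """True only for the first correct code, submitted in time, for the same
        transaction the code was issued for."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._clock() - entry["issued"] > OTP_TTL_SECONDS:
            self._pending.pop(session_id, None)      # expired
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            self._pending.pop(session_id, None)      # too many guesses
            return False
        # Derive over the transaction submitted now: if the transfer details
        # changed between issue and confirmation, the code will not match.
        expected = self._derive(entry["nonce"], transaction)
        if not hmac.compare_digest(expected, code):
            return False
        self._pending.pop(session_id, None)          # single use
        return True


if __name__ == "__main__":
    # constructed sample run
    svc = SmsOtpService(secrets.token_bytes(32))
    original = "GBP 250.00 to 12-34-56 12345678"
    tampered = "GBP 2500.00 to 98-76-54 99999999"
    sms, code = svc.issue("sess-1", original)
    print(sms)
    print("tampered transfer with intercepted code:", svc.verify("sess-1", tampered, code))
    print("original transfer with its own code:   ", svc.verify("sess-1", original, code))
    print("replay of the same code:               ", svc.verify("sess-1", original, code))
```

Binding the code to the transaction does not stop a phone Trojan from forwarding the SMS, which is the Eurograbber case; what it does is make the forwarded code useless for any transfer other than the one the customer was shown in the message, and it gives the customer a second chance to notice that the amount or account in the SMS is not what they asked for.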

A recent insight report on mobile banking security from Goode Intelligence advises banks that they should perform the following actions to ensure that their customers are adequately protected against the latest mobile threats:

Use the power of the mobile phone to create an encrypted communication channel between user and bank

Ensure that your customers are always authenticated using a trusted two-factor or multi-factor authentication solution, one that is suitable for the mobile channel

Monitor app stores for any rogue apps that purport to represent your company, and have them taken down quickly

Introduce a plan for updating mobile banking apps

Ensure that mobile banking apps are security tested

Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others

Educate users about the dangers of using a mobile device for banking purposes, including system hygiene when upgrading their handset and when disposing of an old one