
Shopping or banking online depends on trust. Individuals interact with sites that they trust, and sites have to trust the person who is transacting with them.

Many online banking sites are turning to two-factor authentication to confirm the identity of the individual they are transacting with – typically an ‘out-of-band’ method of authentication using a token or an SMS message sent to a mobile phone. Initially tokens were widely rolled out, but many banks faced a backlash from their customers because tokens were too inconvenient to carry around and could easily be lost or damaged.


Customers embraced SMS messages as an authentication method, as they are much more likely to have their mobile phone with them when they need to access their online bank account. It is predicted that by 2014, 64% of all two-factor authentication sales will be mobile, making it easier for people to securely access the systems and websites they need, wherever they are.

However, as we have seen so many times before, criminals go where the money is. So it is no surprise that many have tried to ‘break’ the additional security provided by SMS messages, just as they have tried to break many other security tools in the past.

Andy Kemshall, CTO of SecurEnvoy said, “The problem is user education. Banks have spent a lot of time telling their customers that they will ‘never ask for your account details in an email’ or to look out for anything suspicious about the ATM they are using and report it. When it comes to SMS, however, banks have rolled out these tools to their customers, but they don’t educate them about how the criminals’ tactics will change.”

He continued, “The recent Eurograbber attack is a multi-pronged approach – but it means that there were multiple points at which the consumer could, and should, have identified that something suspicious was happening. First there was a phishing email to download a piece of malware, followed by unusual instructions from the bank during the customer’s online banking session, and then a link was sent to the user’s mobile phone to download a piece of malware on to the phone. Only once all of these steps had been completed, could the criminals take over the victim’s bank account.”

“All of these errors came about because the customer trusted the ‘request’ they received, believing it to be from the bank. But in fact they are giving away access to their bank account to a hacker. Consumers are too trusting. Their mobile phone is now their authentication device for their online banking, but they are willing to give out their phone number or download ‘updates’ without knowing anything about the person making the request – it’s a bit like asking someone in the street to look after your baby while you go shopping!” added Andy Kemshall.

Alan Goode, Founder and Managing Director, Goode Intelligence said, “I believe that the use of SMS to deliver 2FA one-time-passwords (OTP) is an effective way to improve authentication for organisations. However, mobile users are increasingly being targeted by fraudsters and criminals. Our research into mobile malware indicates a growing risk to mobile phone users, especially if you are using an Android device. A combination of user education – treat the mobile device as a computer not a phone – and installing effective mobile security solutions (ones that protect against the Trojans targeting banking customers) is needed to counteract targeted attacks against mobile users. Organisations, including financial institutions, that are mobilising their business by developing mobile apps and services must also be responsible for the security of their users.”

A recent insight report on mobile banking security from Goode Intelligence advises banks that they should perform the following actions to ensure that their customers are adequately protected against the latest mobile threats:

Use the power of the mobile phone to create an encrypted communication channel between user and bank

Ensure that your customers are always authenticated using a trusted two-factor or multi-factor authentication solution, one that is suitable for the mobile channel

Monitor app stores for any rogue apps that purport to represent your company – and kill them quickly

Introduce a plan for updating mobile banking apps

Ensure that mobile banking apps are security tested

Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others

Educate users about the dangers of using a mobile device for banking purposes including system hygiene when upgrading their handset, and disposing of an old one
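As an added defensive illustration (not code from the article or from either company quoted), one way a bank can make an SMS one-time code resist the relay step of an attack like the one described above, in the spirit of the “trusted two-factor solution suitable for the mobile channel” recommendation: bind each code to the payee and amount it authorises, repeat those details in the message so the customer can spot tampering, and accept the code only once. The class name, the per-user secret and the message format are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Added example: a bank-side issuer of transaction-bound SMS one-time codes.
# A code captured and relayed by malware on the handset is useless for any
# transfer other than the one it was issued for, and cannot be replayed.
# The secret, names and message wording are constructed for illustration.

class TransactionOtpIssuer:
    def __init__(self, user_secret: bytes):
        self._secret = user_secret   # per-user secret held only by the bank
        self._pending = {}           # txn_id -> (payee, amount_pence, nonce)

    def _code(self, payee: str, amount_pence: int, nonce: bytes) -> str:
        # HMAC over the transaction details plus a fresh nonce, truncated to
        # six digits in the style of RFC 4226 dynamic truncation.
        msg = f"{payee}|{amount_pence}|".encode() + nonce
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F
        value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"

    def start_transfer(self, payee: str, amount_pence: int):
        """Register a pending transfer and return (txn_id, sms_text)."""
        txn_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._pending[txn_id] = (payee, amount_pence, nonce)
        code = self._code(payee, amount_pence, nonce)
        # The SMS repeats payee and amount so the customer can check them
        # against what they actually typed into the banking session.
        sms = (f"Code {code} authorises GBP {amount_pence / 100:.2f} "
               f"to {payee}. Ignore this message if you did not request it.")
        return txn_id, sms

    def confirm_transfer(self, txn_id: str, payee: str,
                         amount_pence: int, code: str) -> bool:
        """Accept the code only for the exact pending transfer, and only once."""
        # Consumed on first use whether or not it matches: no replay, no retries.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        orig_payee, orig_amount, nonce = entry
        if (orig_payee, orig_amount) != (payee, amount_pence):
            return False   # details were altered after the code was issued
        return hmac.compare_digest(code, self._code(payee, amount_pence, nonce))
```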