
Shopping or banking online depends on trust. Individuals interact with sites that they trust, and sites have to trust the person who is transacting with them.

Many online banking sites are turning to two-factor authentication to confirm the identity of the individual they are transacting with – typically an ‘out-of-band’ method of authentication using a token or an SMS message to a mobile phone. Initially tokens were widely rolled out, but many banks faced a backlash from their consumers because tokens were too inconvenient to carry around, and they could be easily lost or damaged.

Customers embraced SMS messages as an authentication method, as they are much more likely to have their mobile phone with them when they need to access their online bank account. By 2014, it is predicted that 64% of all two-factor authentication sales will be mobile – making it easier for people to securely access the systems and websites they need, wherever they are.

However, as we have seen so many times before, criminals go where the money is. So it is no surprise that many have tried to ‘break’ the additional security provided by SMS messages, as they have tried to break many other security tools in the past.

Andy Kemshall, CTO of SecurEnvoy said, “The problem is user education. Banks have spent a lot of time telling their customers that they will ‘never ask for your account details in an email’ or to look out for anything suspicious about the ATM they are using and report it. When it comes to SMS, however, banks have rolled out these tools to their customers, but they don’t educate them about how the criminals’ tactics will change.”

He continued, “The recent Eurograbber attack is a multi-pronged approach – but it means that there were multiple points at which the consumer could, and should, have identified that something suspicious was happening. First there was a phishing email to download a piece of malware, followed by unusual instructions from the bank during the customer’s online banking session, and then a link was sent to the user’s mobile phone to download a piece of malware on to the phone. Only once all of these steps had been completed could the criminals take over the victim’s bank account.”

“All of these errors came about because the customer trusted the ‘request’ they received, believing it to be from the bank. But in fact they are giving away access to their bank account to a hacker. Consumers are too trusting. Their mobile phone is now their authentication device for their online banking, but they are willing to give out their phone number or download ‘updates’ without knowing anything about the person making the request – it’s a bit like asking someone in the street to look after your baby while you go shopping!” added Andy Kemshall.

Alan Goode, Founder and Managing Director, Goode Intelligence said, “I believe that the use of SMS to deliver 2FA one-time-passwords (OTP) is an effective way to improve authentication for organisations. However, mobile users are increasingly being targeted by fraudsters and criminals. Our research into mobile malware indicates a growing risk to mobile phone users, especially if you are using an Android device. A combination of user education – treat the mobile device as a computer not a phone – and installing effective mobile security solutions (ones that protect against the Trojans targeting banking customers) is needed to counteract targeted attacks against mobile users. Organisations, including financial institutions, that are mobilising their business by developing mobile apps and services must also be responsible for the security of their users.”

A recent insight report on mobile banking security from Goode Intelligence advises banks that they should perform the following actions to ensure that their customers are adequately protected against the latest mobile threats:

Use the power of the mobile phone to create an encrypted communication channel between user and bank

Ensure that your customers are always authenticated using a trusted two-factor or multi-factor authentication solution, one that is suitable for the mobile channel

Monitor app stores for any rogue apps that purport to represent your company – and kill them quickly

Introduce a plan for updating mobile banking apps

Ensure that mobile banking apps are security tested

Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others

Educate users about the dangers of using a mobile device for banking purposes, including system hygiene when upgrading their handset and disposing of an old one