Mobile devices running iOS or Android are far from secure. The latest Kindsight Security Labs report from Alcatel-Lucent counts over 15 million infected mobile devices worldwide, a 20 percent increase from 2013. The same study found an increase in mobile spyware: of the roughly 2.3 billion smartphones in use around the globe, Kindsight estimates that spyware now accounts for about 40 percent of the infections it sees, with that spyware used to monitor the phone’s owner by tracking the device’s location, incoming and outgoing calls, text messages, email, Web browsing and history.
Unfamiliar Terrain
What makes the ground so fertile for such breaches?
The “surface area” for attackers to hit has grown immensely with the mobile computing explosion. In the past, when apps ran inside data centers, there were only a few “attack areas” for hackers to pursue, mainly remotely exploiting flaws and defects in the application code.
Today’s mobile landscape introduces new threat vectors that typically aren’t considered in organizations’ mobile banking security approaches. Key threat vectors include:
1. Jailbroken or Rooted Devices: Your mobile banking app security may be state-of-the-art, but if the app runs on a jailbroken or rooted device, the user may be exposed to extreme risk. Users often jailbreak/root their devices, which breaks the platform security model and removes its inherent limitations, allowing mobile malware and rogue apps to infect the device and control critical functions such as SMS. Recently, a mobile variant of the PC-based Zeus malware, “ZitMo” (Zeus-in-the-Mobile), has been used to forward SMS messages containing one-time transaction codes to cybercriminals as a means of circumventing out-of-band authentication.
2. Outdated OSs and Nonsecure Connections: Risk factors such as outdated operating system versions, use of nonsecure Wi-Fi networks and pharming attacks allow cybercriminals to hijack an existing online banking session to steal funds and credentials, or to gain full access to the mobile device.
3. Account Takeover: Cybercriminals use mobile devices to access a victim’s account through mobile browsers or mobile banking apps. Unfortunately, they have enjoyed relative anonymity, because mobile devices share many similar attributes, which makes them challenging to defend against: server-side device ID solutions have a difficult time uniquely identifying criminal devices.
4. Cross-Channel Credential Theft: One of the prevalent enablers of account takeover is credentials stolen through phishing or malware on the online channel. In some cases the mobile channel alone is not sufficient to fully execute a fraudulent transaction; fraud can start or end on the mobile device, but most attack methods involve at least one additional channel that fraudsters use to complete their task. To effectively protect end users and the mobile banking application, actions on the various channels need to be cross-referenced while looking for suspicious activity. To identify mobile account takeover, one must see the entire picture, the full fraud life cycle, rather than a limited, tunnel-visioned view of just the mobile channel.
5. Attacks on the Mobile Application: When a user downloads an app, it arrives in binary form, and if steps have not been taken to protect that binary, the app is susceptible to reverse engineering. Many readily available tools can disassemble or decompile an application from binary form into readable, near-source code. With that view of the code, hackers can locate sensitive data and intellectual property (IP). The code can also be modified (e.g., security controls can be patched out), the run-time behavior of the application can be altered and/or malicious code can be injected into it. Once altered, the application can be repackaged and circulated so that it appears to originate from a known/safe source. These and other methods of hacking an app are outlined here.
A New Model for Mobile Banking Security
In order to deal with the changing mobile threat landscape, a new set of tools is necessary. Financial institutions should embrace a comprehensive security approach that meets these evolving threats and includes the following:
- Device risk level detection
  - Jailbroken devices
  - Outdated OSs
  - Malware infections
  - Rogue apps
- Account takeover detection
  - Persistent device ID
- Mobile application protection
  - Harden the app to protect the confidentiality of the code
  - Protect the integrity of the app at run time
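As an added worked example (not code from this article or from any IBM or Arxan product), the following Python sketches how a server-side fraud engine could combine the three elements of the model above: a device risk level computed from SDK-style indicators (rooted device, outdated OS, open Wi-Fi), a persistent device ID used both to recognise a customer's enrolled devices and to notice one device touching several accounts, and cross-channel correlation that ties a phishing indicator on the web channel to a transfer from a never-seen mobile device minutes later (threat vectors 1, 3 and 4 above). The event records, field names, weights and thresholds are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy knobs (illustrative, not taken from any product).
PHISH_WINDOW = timedelta(hours=24)        # how long web-channel phishing evidence stays relevant
NEW_DEVICE_WINDOW = timedelta(hours=24)   # a device stays "new" this long after first sight
HOLD_AT, STEP_UP_AT = 6, 3                # score thresholds for hold / step-up authentication


def ev(ts, user, channel, action, device_id, amount=0,
       rooted=False, os_outdated=False, open_wifi=False):
    """Build one constructed event record; the field names are assumptions."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "channel": channel,
            "action": action, "device_id": device_id, "amount": amount,
            "rooted": rooted, "os_outdated": os_outdated, "open_wifi": open_wifi}


# Constructed enrollment history: persistent device IDs each customer used before today.
KNOWN_DEVICES = {"alice": {"dev-laptop-1"}, "bob": {"dev-phone-3"},
                 "carol": {"dev-phone-7"}, "dave": {"dev-phone-5"}}

# Constructed sample event stream, in time order.
EVENTS = [
    # Alice: phished on the web channel, then a rooted, never-seen phone moves money.
    ev("2014-06-01T09:00:00", "alice", "web", "login", "dev-laptop-1"),
    ev("2014-06-01T09:05:00", "alice", "web", "phishing_detected", "dev-laptop-1"),
    ev("2014-06-01T09:20:00", "alice", "mobile", "login", "dev-phone-99",
       rooted=True, os_outdated=True, open_wifi=True),
    ev("2014-06-01T09:22:00", "alice", "mobile", "transfer", "dev-phone-99", amount=4900,
       rooted=True, os_outdated=True, open_wifi=True),
    # Bob: the same phone now logs in to a second account, i.e. a criminal device.
    ev("2014-06-01T10:00:00", "bob", "mobile", "login", "dev-phone-99",
       rooted=True, os_outdated=True, open_wifi=True),
    ev("2014-06-01T10:03:00", "bob", "mobile", "transfer", "dev-phone-99", amount=150,
       rooted=True, os_outdated=True, open_wifi=True),
    # Carol: enrolled device, small amount, nothing suspicious.
    ev("2014-06-01T11:00:00", "carol", "mobile", "login", "dev-phone-7"),
    ev("2014-06-01T11:01:00", "carol", "mobile", "transfer", "dev-phone-7", amount=40),
    # Dave: a clean but unfamiliar phone, worth a step-up challenge rather than a hold.
    ev("2014-06-01T12:00:00", "dave", "mobile", "login", "dev-phone-12"),
    ev("2014-06-01T12:02:00", "dave", "mobile", "transfer", "dev-phone-12", amount=200),
]


def device_risk(event):
    """Device risk level from SDK-style indicators; the weights are assumptions."""
    return 3 * int(event["rooted"]) + int(event["os_outdated"]) + int(event["open_wifi"])


def assess(events, known_devices):
    """Walk the stream once and score each transfer.

    Returns a list of (user, score, decision, reasons) tuples."""
    first_seen = {}     # (user, device) -> first time seen outside the enrollment history
    device_users = {}   # device -> set of accounts it has touched (criminal-device signal)
    last_phish = {}     # user -> (ts, channel) of the latest phishing indicator
    decisions = []
    for e in events:
        user, dev, ts = e["user"], e["device_id"], e["ts"]
        device_users.setdefault(dev, set()).add(user)
        if dev not in known_devices.get(user, ()):
            first_seen.setdefault((user, dev), ts)
        if e["action"] == "phishing_detected":
            last_phish[user] = (ts, e["channel"])
        if e["action"] != "transfer":
            continue
        score, reasons = 0, []
        if (user, dev) in first_seen and ts - first_seen[(user, dev)] <= NEW_DEVICE_WINDOW:
            score += 3
            reasons.append("new_device")
        risk = device_risk(e)
        if risk:
            score += risk
            reasons.append(f"device_risk={risk}")
        phish = last_phish.get(user)
        if phish and phish[1] != e["channel"] and ts - phish[0] <= PHISH_WINDOW:
            score += 4
            reasons.append("recent_phishing_other_channel")
        if len(device_users[dev]) > 1:
            score += 4
            reasons.append("device_shared_across_accounts")
        if e["amount"] >= 1000:
            score += 1
            reasons.append("high_value")
        decision = "hold" if score >= HOLD_AT else "step_up" if score >= STEP_UP_AT else "allow"
        decisions.append((user, score, decision, reasons))
    return decisions


if __name__ == "__main__":
    for user, score, decision, reasons in assess(EVENTS, KNOWN_DEVICES):
        print(f"{user:6} score={score:2} {decision:8} {', '.join(reasons)}")
```

Two design points are worth keeping even if the weights are replaced by a learned model: the device is scored from the indicators attached to the event itself rather than a cached status, because a phone can be rooted between sessions; and a device is penalised for a window after first sight rather than only at first sight, so a fraudster cannot "warm up" a device with a harmless login and transfer a minute later. The shared-device signal is what the persistent device ID buys you over a plain browser fingerprint: it only works if the ID survives reinstalls and cannot be trivially regenerated.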
Despite growing awareness and the enormous efforts financial institutions undertake, a significant gap remains between mobile technologies and the security mechanisms that protect them. Financial institutions have been carrying vast product sets, frequently unappreciated by their customers, often at a cost in operations, technology and service and, sometimes, in risk and regulatory challenges.
The following three steps provide enhanced security against evolving mobile threats:
Build Your App Safely
- There are several factors to consider while designing an app: risk mitigation, security management, compliance and Web-based/mobile application source code vulnerabilities, to name a few.
- IBM® Security AppScan® can enhance Web application security and mobile application security, improve application security program management and help app developers meet regulatory compliance obligations. By scanning your Web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities, generate reports and remediate the issues it reports.
- First, deploy a dedicated library designed to provide application security services for mobile applications. Such a library can be used to build custom apps with advanced security features.
  - IBM Security Trusteer’s Mobile SDK protects organizations’ native mobile applications by performing device risk factor analysis while providing a persistent mobile device ID. The SDK can be used to build custom applications with advanced security features and provides the following functionality:
    - Device risk detection based on indicators such as jailbroken/rooted device detection, malware infection detection and the Wi-Fi network security state.
    - Active protection of IP and SSL.
    - Unique and persistent device ID creation.
- Second, leverage protection that detects attacks at run time.
  - Arxan guards can verify the integrity of the application, its data or the app environment at run time. In addition to detecting hacking attempts by malicious actors, guards can also detect a seemingly innocuous but malicious application performing a drive-by attack at run time: another app can compromise your app through run-time method swizzling or function/API hooking to steal information or gain control.
- Third, establish a formal mechanism to react to attacks.
  - With Arxan, you can define how the app should react when an attack is detected. For instance, the app can shut down, or refuse to start, to prevent use of a compromised application. Self-repair capabilities can replace tampered code or data with the original, correct code. Finally, the app can alert and phone home to the back-end system of your choice.
- Detecting fraud involves real-time, evidence-based, cross-channel intelligence. As threats become more sophisticated, stopping fraud requires more decisive action, such as putting a transaction on hold and manually reviewing high-risk/high-value transactions. This can add load to the staff who investigate fraud and, ultimately, affect the customer experience. Several tools are specifically designed to prevent misuse:
  - IBM Security Trusteer Pinpoint Criminal Detection™ is designed to protect against account takeover and fraudulent transactions by combining traditional device IDs, geolocation and transactional modeling with critical fraud indicators. This information is correlated using big data technologies to link events across time, users, activities and platforms, whether mobile or PC-based. Phishing, malware and other high-risk indicators are used for evidence-based fraud detection: by matching new and spoofed device fingerprints against real-time phishing incidents and the access history of malware-infected accounts, it can identify account takeover attempts, minimize the burden on customers and help eliminate IT overhead.
  - Arxan Application Protection is designed to protect binary code. Binary protections slow an adversary down when analyzing exposed interfaces and reverse engineering the code within a mobile app. All too often, an adversary will steal code and recycle it within another app for resale. Arxan protection defends applications against compromise by obfuscating or scrambling the code and by encrypting or pre-damaging some or all of the application, statically or at run time.
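To make the run-time integrity and reaction steps concrete, here is an added example in Python; it is not Arxan's or IBM's code, and the guard class, the toy app functions and the resource names are all invented for illustration. Plain Python functions and an in-memory resource table stand in for the native code and data a real guard protects: the guard records fingerprints of security-critical functions and resources at start-up, re-checks them later, and applies a configured reaction (refuse to run, or self-repair from pristine copies) while producing alert records to phone home in either case. Replacing `check_pin` in the namespace plays the part of method swizzling or API hooking by a hostile co-resident app; editing the limit resource plays the part of data tampering.

```python
import hashlib


def fingerprint_function(fn):
    """SHA-256 over a function's bytecode and constants, recursing into nested
    code objects. Any re-definition, wrapper or bytecode patch changes it."""
    def walk(code, h):
        h.update(code.co_code)
        for const in code.co_consts:
            if hasattr(const, "co_code"):
                walk(const, h)
            else:
                h.update(repr(const).encode())
    h = hashlib.sha256()
    walk(fn.__code__, h)
    return h.hexdigest()


class IntegrityGuard:
    """Start-up baseline plus later re-check of functions and resources.

    `namespace` is the dict the app resolves its functions from (for example a
    module's globals()); `resources` maps resource names to bytes."""

    def __init__(self, namespace, function_names, resources):
        self.ns = namespace
        self.resources = resources
        self.pristine_code = {n: namespace[n] for n in function_names}   # for self-repair
        self.pristine_data = dict(resources)                              # bytes are immutable
        self.code_digest = {n: fingerprint_function(f) for n, f in self.pristine_code.items()}
        self.data_digest = {k: hashlib.sha256(v).hexdigest() for k, v in resources.items()}

    def check(self):
        """Return a list of (kind, name) findings; an empty list means intact."""
        findings = []
        for name, digest in self.code_digest.items():
            current = self.ns.get(name)
            if not hasattr(current, "__code__") or fingerprint_function(current) != digest:
                findings.append(("hooked_function", name))
        for name, digest in self.data_digest.items():
            if hashlib.sha256(self.resources.get(name, b"")).hexdigest() != digest:
                findings.append(("tampered_resource", name))
        return findings

    def react(self, findings, mode):
        """Apply the configured reaction and return (keep_running, alerts).

        mode "shutdown": refuse to continue. mode "repair": restore pristine
        code and data, then continue. Alerts are produced in both modes so the
        back end hears about the attempt (the phone-home step)."""
        alerts = [{"event": kind, "target": name, "reaction": mode} for kind, name in findings]
        if not findings:
            return True, alerts
        if mode == "repair":
            for kind, name in findings:
                if kind == "hooked_function":
                    self.ns[name] = self.pristine_code[name]
                else:
                    self.resources[name] = self.pristine_data[name]
            return True, alerts
        return False, alerts


# --- a toy banking "app" protected by the guard (constructed for the example) ---
def check_pin(entered, stored):
    return entered == stored


def within_limit(amount, resources):
    return amount <= int(resources["daily_limit"])


def simulate_hostile_app(namespace, resources):
    """Stand-in for a malicious co-resident app: hook the PIN check so any PIN
    passes (swizzling/API hooking) and edit the transfer-limit resource."""
    namespace["check_pin"] = lambda entered, stored: True
    resources["daily_limit"] = b"999999"


def run_demo(mode):
    """Start clean, get attacked, react; return what the app would observe afterwards."""
    ns = {"check_pin": check_pin, "within_limit": within_limit}
    resources = {"daily_limit": b"1000", "api_host": b"bank.example"}   # constructed
    guard = IntegrityGuard(ns, ["check_pin", "within_limit"], resources)
    clean_at_start = guard.check() == []
    simulate_hostile_app(ns, resources)
    findings = guard.check()
    keep_running, alerts = guard.react(findings, mode)
    return {"clean_at_start": clean_at_start, "findings": findings,
            "keep_running": keep_running, "alerts": alerts,
            "pin_bypassed": ns["check_pin"]("0000", "1234"),
            "big_transfer_allowed": ns["within_limit"](50000, resources)}


if __name__ == "__main__":
    for mode in ("repair", "shutdown"):
        print(mode, run_demo(mode))
```

The caveat a practitioner should keep in mind: the guard runs inside the process it protects, so an attacker who can patch the binary can patch the guard, its baseline digests or its reaction code just as easily. That is why the steps above layer obfuscation, multiple guards and phone-home alerts rather than relying on one check, and why the server noticing a client that has stopped reporting clean checks is worth more than the local reaction itself.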