Menu
Banks shouldn't rely on mobile SMS passcodes, security firm says

Banks shouldn't rely on mobile SMS passcodes, security firm says

As mobile banking grows, malicious Android applications are increasingly intercepting one-time passcodes

A widely used security feature intended to protect access to online bank accounts is becoming increasingly ineffective, as cybercriminals develop advanced malicious software for Android devices, according to a report released Wednesday.

Many banks offer their customers two-factor authentication, which involves sending an SMS message with a code that's entered into a Web-based form. The code expires in a few minutes and is intended to thwart cybercriminals who have a person's login credentials.

But there are now multiple mobile malware suites that work in tandem with desktop malware to defeat one-time passcodes, wrote Ken Baylor, research vice president for NSS Labs.

"Do not rely on SMS-based authentication," the report said. "It has been thoroughly compromised."

Nearly all mobile malware is written for the open-source Android OS, which allows users to install any application, the report said. iOS mobile malware is rare since Apple forbids downloading applications that haven't been vetted by the company.

Cybercriminals use a one-two punch. Once a PC is compromised, the malware injects new fields or pop-up menus into the screen, asking a person's phone number and their mobile operating system type and phone model.

A link is sent to the phone, which if clicked prompts for the installation of malware that sends one-time passcodes to another phone, allowing someone to log into a person's bank account, the report said.

Much of the PC and mobile phone malware originates from countries that were part of the former Soviet Union. The malware developers focus on Android since it is widely used, and there appear to be few iOS specialists in those nations, the report said.

Well-known desktop banking malware programs such as SpyEye, Citadel, Zeus and Carberp all have a mobile Android component. Although Google patrols its Play store for malicious applications "a significant amount of malware escapes detection," the report said.

Financial institutions have been slow to keep up. As mobile banking continues to grow, their applications have security weaknesses.

"Many banks still operate mobile applications that are merely HTML wrappers rather than secure native apps," the report said.

The applications should be revised to "include a combinations of hardened browsers, certificate-based identification, unique install keys, in-app encryption, geolocation and device fingerprinting," it added.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags NSS LabsInternet-based applications and servicese-commercesecurityinternetmalware

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments