There are three things we usually don't leave home without: keys, wallet and phone. The first two can easily be replaced by the third. But managing money on a screen a few inches across is no small task by any measure.
Granted, we can manage access to the device itself quite effectively. It is much harder to protect it from malicious software.
The amount of malware that slips past the security mechanisms of Google Play is still substantial. According to McAfee, 2017 was a breakthrough year: a total of 4,000 threat types with dozens of varieties were identified. The number of malware samples targeting cryptocurrency grew by 70% and those targeting mobile banking by 60%.
This is where it gets complicated. First, the market is dominated by two mobile operating systems, which makes each of them a rewarding target. Second, our own habits work against us: we are reluctant to adopt additional security mechanisms because they usually make an operation such as logging in take longer.
Stealthy and effective
There are risks that are essentially impossible to defend against: the ones whose occurrence we have no control over. One of them is SIM card cloning (SIM swapping), an effective procedure run in "stealth" mode. You are tracked for weeks and struck when you least expect it. Even then, you remain in blissful ignorance.
First, the attacker installs spyware on your phone to intercept your bank login data. Then, knowing enough about you, they forge an ID card and, upon presenting it, obtain a duplicate of your SIM card from the operator.
All it takes now is to register the duplicate on the mobile network, order a transfer using your stolen credentials and receive the SMS with the authorization code. Once the duplicate registers, your own SIM is dropped from the network, so a sudden loss of signal or being logged out of the network is the first sign that something may be wrong.
The scale of this procedure shows that it simply pays off. Hundreds of thousands of euros are often siphoned off at once and quickly moved to cryptocurrency markets (where they disappear without a trace), or withdrawn in a massive, coordinated manner from ATMs in different locations at the same time.
In the financial industry, a mobile token for authentication and authorization seems to be a good solution. An even better one is a dedicated cryptographic device that meets the strong customer authentication requirements of PSD2.
Such solutions record every attempt to activate a new phone. With the right "pairing" procedure, nobody else can impersonate you, even if they hold a duplicate of your SIM card: the duplicate carries your phone number, not the key that was paired with the bank.
This process is entirely controlled by the bank, so there is no concern that a mobile operator could open a loophole in banking procedures by changing its own.
There are solutions (such as tPro ECC) equipped with mechanisms to protect against remote attacks when the user is not at their workstation (HPD, Human Presence Detection). Such a device can also be paired with popular services such as Gmail or Facebook, so that, beyond the bank account itself, you can control access to other resources that matter to you.
The best tokens for transaction authorization also provide an attack detection mechanism and follow the WYSIWYS (What You See Is What You Sign) model. The transaction data is shown on a separate device, where the user makes the final decision to accept or reject the transfer, and only the data shown there is signed. This prevents the amount and account number from being changed without the user's knowledge in a transaction the user has already accepted. With SMS codes, by contrast, we rarely check whether the recipient and the amount in the message match what we intended.
Bye bye SMS
We are slowly forgetting about text messaging: it is being replaced by chat rooms and instant messengers. The time has come to forget about SMS as an authorization mechanism for banking as well. The recent scale of attacks proves that this mechanism is flawed: the procedure of obtaining a duplicate SIM card together with the user's login data gives full control over the user's bank account, and the attacker can dispose of the funds held there as, and when, they please.
This is the best moment to start using modern, secure authentication and authorization mechanisms such as hardware tokens and mobile applications.
If the latter use asymmetric cryptography to protect communication with the bank's server (think tPro Mobile), we gain strong additional data protection that prevents the attacker from reading the data. Support for biometrics (fingerprints, face recognition) allows for quick and convenient authentication, which significantly reduces the time needed to authorize data.
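The pairing, WYSIWYS and asymmetric cryptography points above come down to one mechanism: the token holds a private key that was paired with the bank, signs exactly the data the user confirmed on the token's own display, and the bank verifies that signature against the transaction it is about to execute. The Go program below is an added illustration of that mechanism written for this page; it is not Comarch's code and makes no claim about how tPro ECC or tPro Mobile are implemented internally. The Transaction field layout, the bank-issued nonce, the Token and Bank types and the sample account numbers are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transaction holds exactly the fields the token shows on its own display
// before the user confirms. The field layout is an assumption for this example.
type Transaction struct {
	Recipient string // destination account number
	Amount    string // decimal string such as "250.00", never a float
	Currency  string
	Nonce     string // bank-issued challenge so a captured signature cannot be replayed
}

// canonical serialises the fields in a fixed order so the token and the bank
// hash identical bytes; any change to recipient or amount changes the digest.
func canonical(tx Transaction) []byte {
	return []byte(fmt.Sprintf("recipient=%s\namount=%s\ncurrency=%s\nnonce=%s\n",
		tx.Recipient, tx.Amount, tx.Currency, tx.Nonce))
}

// Token models the separate signing device. The private key is generated on
// the device and never leaves it; only the public key is exported at pairing.
type Token struct {
	priv *ecdsa.PrivateKey
}

// NewToken generates a fresh P-256 key pair inside the token.
func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// PublicKey is the only key material the token reveals, during pairing.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign runs only after the user has read the transaction on the token's
// display and pressed confirm (What You See Is What You Sign).
func (t *Token) Sign(tx Transaction, userConfirmed bool) ([]byte, error) {
	if !userConfirmed {
		return nil, errors.New("transaction rejected by user on the token")
	}
	digest := sha256.Sum256(canonical(tx))
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// Bank keeps one paired public key per customer. Pairing is under the bank's
// control, so the mobile operator cannot enrol a device on your behalf.
type Bank struct {
	paired map[string]*ecdsa.PublicKey
}

func NewBank() *Bank { return &Bank{paired: make(map[string]*ecdsa.PublicKey)} }

// Pair records the token's public key for the customer at enrolment.
func (b *Bank) Pair(customer string, pub *ecdsa.PublicKey) { b.paired[customer] = pub }

// Verify checks the signature against the transaction the bank is about to
// execute, not against whatever the phone's app claims the user approved.
func (b *Bank) Verify(customer string, tx Transaction, sig []byte) bool {
	pub, ok := b.paired[customer]
	if !ok {
		return false // no paired token for this customer
	}
	digest := sha256.Sum256(canonical(tx))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo walks through three cases: the genuine transfer verifies; a transfer
// whose recipient and amount were altered by malware after confirmation does
// not; and a signature from a device that was never paired (an attacker with a
// duplicate SIM but without the token) does not.
func Demo() (genuineOK, tamperedOK, unpairedOK bool, err error) {
	token, err := NewToken()
	if err != nil {
		return
	}
	bank := NewBank()
	bank.Pair("alice", token.PublicKey())

	// Constructed sample transaction; account numbers are placeholders.
	tx := Transaction{Recipient: "PL00000000000000000000000001", Amount: "250.00", Currency: "PLN", Nonce: "c3f1a9"}
	sig, err := token.Sign(tx, true)
	if err != nil {
		return
	}
	genuineOK = bank.Verify("alice", tx, sig)

	// Malware on the phone rewrites the transfer after the user confirmed it.
	tampered := tx
	tampered.Recipient = "PL00000000000000000000000002"
	tampered.Amount = "250000.00"
	tamperedOK = bank.Verify("alice", tampered, sig)

	// The attacker's own device has a key, but it was never paired with the bank.
	rogue, err := NewToken()
	if err != nil {
		return
	}
	rogueSig, err := rogue.Sign(tx, true)
	if err != nil {
		return
	}
	unpairedOK = bank.Verify("alice", tx, rogueSig)
	return
}

func main() {
	g, t, u, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v unpaired=%v\n", g, t, u)
}
```

The point to take from the example is where verification happens: the bank checks the signature over the transaction it will execute, so a change to the amount or recipient anywhere between the token and the bank, including by malware on the phone, makes the signature fail. A duplicate SIM gives the attacker the phone number, which is enough to receive an SMS code but not to produce a signature under the key that was paired.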
Find out more about tPro ECC - https://www.comarch.com/finance/cyber-security/comarch-transaction-protection/tpro-ecc/