Mobile Phishing Highlights Need for Greater Security
At least nine credit unions were subject to a mobile phone phishing attack that sought to lure credit union members into giving up their financial information to fraudsters. The attack speaks both to the appeal of mobile banking and to the pressing need to keep developing its security.
The thieves launched the attack using downloadable applications that they wrote themselves and branded with the logos of financial institutions, including a number of banks as well as credit unions. They published the applications on Google's Android mobile phone platform, which Google uses as the operating system for its own phone and which a number of cellular phone networks have offered on their own phones as well.
The applications were all developed by a person or group calling itself "09Droid" and contained the phrase "happy banking" on the summary statement that each application uses to advertise itself to potential users.
In the attack, a mobile phone user would have seen that the application was available on the Android Marketplace and purchased it for about $1.50. The user then would have likely logged on to his or her account with the application, which would then capture their password and other information to add to the credit or debit card information that the user had already provided when purchasing the application.
The attack came to an end before it could do too much damage thanks to Scott Moeller, CEO of Mshift Inc., a mobile banking provider with about 200 client institutions, many of them credit unions. Moeller had purchased a phone that used the Android platform for his wife before the holidays and, while exploring its different features, noticed that a mobile banking application on the phone carried the logo of one of his client institutions.
"I knew they didn't have a mobile phone application and that if they had decided to go with someone else to develop one, they would have told me," Moeller said. Even though it was a Sunday, Moeller alerted his client and contacted Google. Working with the institutions whose names were on the fraudulent applications, Moeller convinced Google to remove the applications from its platform later that day.
The next day Mshift began to raise the alarm about the incident. Moeller explained that it pointed to certain realities about mobile banking, starting, in a perverse way, with the vote of confidence in mobile banking that the attack represented.
"One thing this says is that mobile banking is here to stay," Moeller said. "The developers of this application would not have built it unless they believed they would find enough people who wanted to use it to make it worthwhile," he said.
The second mobile banking reality Moeller cited concerned the need, at least for the foreseeable future, to keep much of mobile banking within the security of mobile phone browsers.
Mshift's mobile banking has remained entirely secure, Moeller noted, in part because credit unions using it have their members access their accounts through the secure browsers that all the major mobile phone platforms provide. This has downsides: using a browser to reach a credit union's site can be more complicated and involve more steps than using a downloadable application. But, Moeller pointed out, the browser also offers a degree of security that downloadable applications, particularly on the Android platform, have not so far been able to match.
The problem with Android is that it is a so-called "open platform." An open platform gives outside developers the greatest degree of freedom to come up with applications that expand the phone's usefulness, which is a positive. But that same freedom can mean that there is no one to check which applications are legitimate and which may carry fraud or other risks.
By contrast, Apple Inc. uses a so-called "closed platform" for its iPhone. Its closed platform means that application developers have to go through a demanding vetting process in order to be accepted, and it has opened Apple to the charge that it does not allow applications that would seem to compete with its own products and services. But that same restriction tends to mean that Apple can keep a higher degree of security over the applications it allows on its platform than Android can.
Moeller reported that Mshift's first mobile banking application for the iPhone will roll out by the end of January and that it took Mshift months to get approval for it. Apple wanted to see many of the firm's documents and put it through a rigorous vetting process, he recounted. It was a hassle, but it also lent a greater assurance of security.
"In the end Google has a pressing security problem that they were going to have to get a hold of, or their phone may be something people use for restaurant reviews and games, free games, but little else," Moeller said.
This view was also shared by Javelin Strategy and Research, a market consulting firm. In a January 2009 paper about Android, Javelin analyst Tom Wills wrote:
"I am a big supporter of open source, but with freedom comes responsibility. So there needs to be a mechanism for Android applications to be officially vetted and even certified for use in payments and banking so that mobile users can trust them, trust being an essential ingredient for mobile commerce to take off."
For its part, a Google spokesperson said that "the Android market content policy clearly states that we don't allow applications on Android Market to identify themselves with third-party marks without permission. If an application violates the content policy, we will remove it from Android Market, and developer accounts will be terminated for repeated violations."
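The check Moeller performed by hand, and the third-party-mark rule Google cites above, can be automated as a marketplace screen: any listing that uses a registered institution's name without coming from a publisher that institution has authorized is flagged for review. This is an added illustration, not code from Mshift, Google or the article; the brand registry and the listings are constructed sample data (only the "09Droid" developer name and the "happy banking" slogan come from the article).

```python
"""Brand-impersonation screen for mobile app marketplace listings.

Flags any listing whose title or summary carries a registered financial
brand while its developer is not an authorized publisher of that brand.
All registry entries and listings below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    app_id: str
    title: str
    developer: str
    summary: str


# Constructed registry: brand name -> developers permitted to use that mark.
BRAND_REGISTRY = {
    "Example Federal Credit Union": {"Example FCU Digital", "Mshift Inc."},
    "Sample Bank": {"Sample Bank Technology"},
}


def _mentions(text: str, brand: str) -> bool:
    """Case-insensitive whole-phrase match, so 'Sample Bank' != 'Sample Banker'."""
    return re.search(r"\b" + re.escape(brand) + r"\b", text, re.IGNORECASE) is not None


def flag_impersonations(listings, registry=BRAND_REGISTRY):
    """Return (app_id, brand, developer) for each listing that uses a registered
    brand in its title or summary without being an authorized publisher."""
    hits = []
    for app in listings:
        text = f"{app.title} {app.summary}"
        for brand, allowed in registry.items():
            if _mentions(text, brand) and app.developer not in allowed:
                hits.append((app.app_id, brand, app.developer))
    return hits


# Constructed sample listings modelled on the incident described in the article.
SAMPLE_LISTINGS = [
    Listing("a1", "Example Federal Credit Union Mobile", "09Droid", "happy banking"),
    Listing("a2", "Sample Bank Mobile Banking", "Sample Bank Technology", "Official app"),
    Listing("a3", "Restaurant Finder", "09Droid", "Find places to eat"),
    Listing("a4", "EFCU Balance", "Mshift Inc.", "For Example Federal Credit Union members"),
]

if __name__ == "__main__":
    for hit in flag_impersonations(SAMPLE_LISTINGS):
        print("review:", hit)
```

Only the first listing is flagged: the second is the brand's own publisher, the third names no brand, and the fourth mentions a brand but comes from an authorized developer.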
The company also pointed out that it removed the applications that were using the names of banks without permission, in line with its policy. It said it investigated the applications and did not find any malicious activity such as attempts to misuse or steal user information or passwords.
Google also maintained that during the download process, users are prompted with a clear list of permissions that they can choose to accept or decline. Users are also able to flag content that they deem inappropriate or that causes problems with their device. This information helps users to decide what to download and what not to download, the company added.