Mobile Phishing Highlights Need for Greater Security
At least nine credit unions were subject to a mobile phone phishing attack that sought to lure credit union members into giving up their financial information to fraudsters. The attack speaks both to the appeal of mobile banking and to the pressing need to continue developing its security.
The thieves launched the attack using downloadable applications that they wrote and branded with logos from the financial institutions, which included a number of banks as well as credit unions. They launched the applications on Google's Android mobile phone platform, which Google uses as the operating system for its own phone and which a number of cellular phone networks also offer on their own phones.
The applications were all developed by a person or group calling itself "09Droid" and contained the phrase "happy banking" on the summary statement that each application uses to advertise itself to potential users.
In the attack, a mobile phone user would have seen that the application was available on the Android Marketplace and purchased it for about $1.50. The user would then likely have logged on to his or her account with the application, which would capture the password and other information to add to the credit or debit card information that the user had already provided when purchasing the application.
The attack came to an end before it could do too much damage thanks to Scott Moeller, CEO of Mshift Inc., a mobile banking provider with about 200 client institutions, many of them credit unions. Moeller had purchased a phone that used the Android platform for his wife before the holidays and, while exploring its different features, noticed that a mobile banking application on the phone carried the logo of one of his client institutions.
"I knew they didn't have a mobile phone application and that if they had decided to go with someone else to develop one, they would have told me," Moeller said. Even though it was a Sunday, Moeller alerted his client and contacted Google. Working with the institutions that had fraudulent applications on the platform, Moeller convinced Google to remove the applications from its platform later that day.
The next day Mshift began to raise the alarm about the incident, which, Moeller explained, pointed to certain realities about mobile banking. The first, in a perverse way, was the kind of vote of confidence in mobile banking that the attack represented.
"One thing this says is that mobile banking is here to stay," Moeller said. "The developers of this application would not have built it unless they believed they would find enough people who wanted to use it to make it worthwhile," he said.
The second mobile banking reality Moeller cited concerned the need, at least for the foreseeable future, to keep much of mobile banking within the security of mobile phone browsers.