Experts Ponder Which Security Threats May Gain Speed
Wake up and smell the hack.
“Mobile banking, I would argue, presently, is significantly more secure than is online banking,” said Kevin Travis, a partner with Novantas, a New York-based management consulting firm.
For skeptics, that may be the shocker. Some financial IT consultants insist that, although online banking is 20 years old and mobile is younger, maturity has not necessarily produced a safer banking platform when users log into their accounts, typically via a Windows PC or laptop. Windows claims about 92% of computers versus 6% for Apple and 2% for all others.
“There is less fraud on mobile,” said Jay McLaughlin, chief security officer at Q2ebanking, a financial services technology developer in Austin, Texas.
“Fundamentally, the mobile phone is a lot more secure than many people believe,” said Kumail Tyebjee, senior principal of Mobility & Digital Transformation Practice at IT consulting firm Infosys.
Surprised by the endorsement of the comparatively new mobile banking platform? Recent research from consulting firm KPMG found that security concerns, cited by 39% of those asked, stood as a primary barrier to mobile banking adoption. Similar anxieties have surfaced in other research reports that asked consumers why they are not using mobile.
There also have been recent bumps in the road to mobile banking; notably a Citibank iPad app that apparently charged at least some users twice for some transactions.
Other than acknowledging the problem, which apparently persisted for six months after the app’s launch, Citibank has been close-mouthed about the extent of the double charging.
Newly revealed concerns have also emerged about Google Wallet, the near field communications-powered payments tool, which hackers have been able to break into under certain circumstances. Both stories won big headlines that probably provoked more fears about mobile banking, some experts have noticed.
Still, some advocate that mobile banking, in many ways, is safer.
“At the moment mobile is more secure,” said Steve Durbin, global vice president of the Information Security Forum, an association of security professionals based in London. “Fewer people are accessing banking via mobile. As more do, it will become more attractive to fraudsters.”
That, more than any other factors, may be among the main reasons why mobile is more secure, proponents have said.
“People have put in a lot more time figuring out how to hack into PCs,” Travis said.
Indeed, there are plentiful toolkits for sale to assist would-be cyber crooks in stealing from unwitting Windows users, no matter how paltry the thieves’ computing skills are. Industry watchers have coined the phrase “script kiddie” to refer to those who use off-the-shelf exploit kits such as Zeus.
The Windows attack surface, which is a phrase used by security experts to describe the field of vulnerabilities, is vast. That may be less a comment on the flaws of Windows than it is on the millions of hours spent by hackers hunting for ways to rob Windows users.
The good news is some surveys predict vigorous upticks in mobile banking usage in the U.S. over the next half decade. Javelin Strategy & Research said, “Within the next five years, it is projected that over half of mobile phone consumers will be using mobile banking, up from 29% in 2011. This percentage represents an additional increase of 54 million new consumers who will be accessing their bank accounts from their mobile devices.”
The bad news is that, “As the stakes get higher, we can expect mobile exploitation to rise exponentially,” predicted John Viega, an executive with Perimeter E-Security, a security consulting firm headquartered in Milford, Conn.
Simple mathematics may be at work here. The more users who adopt mobile banking, the more attractive the medium is to crooks. That day, suggest many experts, is getting near.
“Mobile, mobile, mobile: that is the chatter you hear from cyber crooks,” said Steve Santorelli with security researchers Team Cymru, an Internet security research firm in Orlando, Fla.
Tune into hangouts for cyber crooks, as Team Cymru does, and the word will likely be mobile.
“They are all looking for tools to exploit mobile,” Santorelli said.
Right now, however, the threats to mobile are nascent, said Rick Moy, CEO of NSS Labs, a research and testing firm in Austin, Texas. Headlines about mobile malware may well have outnumbered the actual exploits, say some experts. For the most part, mobile malware, found primarily on Android devices with a scattering of cases on older Symbian phones, has been an aggravation for some users rather than a large-scale problem.
Rogue apps may have placed calls to premium numbers or sent off small payments to unwanted SMS recipients. For the phone owner, this may be worrisome but in the scheme of financial services, it is likely to be considered a nuisance more than anything else, experts have said.
Partly, too, mobile devices may have particular built-in protections. The iPhone, for instance, uses a design in which applications are sandboxed and third-party software cannot run in the background of other apps, although some of Apple’s own apps can. Sandboxing is the practice of limiting what any application can do; in a sandboxed environment, how apps can interact with each other is severely limited.
That may be important, according to some security experts. Traditional Windows key loggers are designed to operate in the background, recording each tap of the keyboard in other programs and then sending that information to a cyber crook. That operation does not work on iPhones or iPads, users have noticed.
In Android, apps are sandboxed by default, too, but at installation users are frequently asked to grant permissions. That may nullify the sandboxing by giving an app access to the contacts list or the dialer, for instance. To date, some security experts note, there are no known significant breaches of sandboxing that involve mobile banking.
Meanwhile, there may also be new ways to exploit iPhone users, too, because there is no overestimating the clever persistence of cyber crooks.
For now, experts pinpoint a more immediate mobile banking worry: the doctored app, said Durbin, who describes it as a mobile app that looks much like an authentic credit union app but is not.
It began life as an authentic app, but then a cyber crook added malicious code (perhaps code that emails passwords to the crook) and uploaded the app to a download site to be discovered and put to use by the unwary.
That probably would not work with the iPhone, some experts have noticed. Apple said it scrutinizes apps before making them available through its App Store.
Although Google recently announced it had implemented security screening of apps distributed via the Android Market, the vulnerability with Android is that any site can make apps available for download and installation.
Apple, by contrast, essentially allows only App Store downloads. That is why, experts said, the doctored app is an emerging Android vulnerability.
“It’s exactly the way these guys will go,” Durbin said.
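The two Android weak points described above, permissions granted at install time that undo much of the sandbox’s value, and a repackaged app distributed outside the official store, each leave a trace a defender can check before an app is trusted. The Python below is an added example, not code from this article or from any firm quoted in it. It reviews a source `AndroidManifest.xml` against a baseline of permissions a banking app legitimately needs, and compares the app’s signing-certificate fingerprint with the one the publisher has on record, since whoever doctored the app could not sign it with the original developer’s key. The manifests, certificate bytes, permission baseline, package name and the `vet_app` function name are all constructed for illustration; a real pipeline would pull the certificate out of the APK’s signature block rather than take it as raw bytes.

```python
"""Added example: two checks for spotting a doctored Android banking app.

1. Permission review: flag permissions outside the app's expected baseline,
   and call out the high-risk ones the article names (contacts, dialer, SMS).
2. Signer check: compare the SHA-256 fingerprint of the signing certificate
   with the fingerprint the publisher has on record.

All sample data below is constructed for this example.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed baseline: what a hypothetical banking app legitimately requests.
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",  # e.g. remote check deposit
}

# Permissions that give an app the contacts list, the dialer or SMS.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}

# Constructed source manifests (plain XML, as in a project tree before build).
GENUINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.cu.banking">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

DOCTORED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.cu.banking">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

# Constructed stand-ins for DER-encoded signing certificates.
GENUINE_CERT = b"constructed-der-bytes:publisher-release-cert"
ATTACKER_CERT = b"constructed-der-bytes:attacker-self-signed-cert"


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def review_permissions(manifest_xml: str, expected=EXPECTED_PERMISSIONS) -> dict:
    """List permissions beyond the baseline, and the high-risk subset."""
    unexpected = requested_permissions(manifest_xml) - expected
    return {
        "unexpected": sorted(unexpected),
        "high_risk": sorted(unexpected & HIGH_RISK_PERMISSIONS),
    }


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes as colon-separated upper-case hex,
    the form publishers normally print a signing-cert fingerprint in."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_genuine_signer(cert_der: bytes, published_fingerprint: str) -> bool:
    """Constant-time comparison against the fingerprint on record."""
    return hmac.compare_digest(cert_fingerprint(cert_der), published_fingerprint.upper())


# The fingerprint the publisher would have on record for its own release key.
PUBLISHED_FINGERPRINT = cert_fingerprint(GENUINE_CERT)


def vet_app(manifest_xml: str, cert_der: bytes, published_fingerprint: str = PUBLISHED_FINGERPRINT) -> dict:
    """Combine both checks into one verdict: genuine only if the signer matches
    and no high-risk permission has been added beyond the baseline."""
    review = review_permissions(manifest_xml)
    signer_ok = is_genuine_signer(cert_der, published_fingerprint)
    return {
        "signer_matches": signer_ok,
        "unexpected_permissions": review["unexpected"],
        "high_risk_permissions": review["high_risk"],
        "verdict": "genuine" if signer_ok and not review["high_risk"] else "suspect",
    }


if __name__ == "__main__":
    print("genuine build :", vet_app(GENUINE_MANIFEST, GENUINE_CERT))
    print("doctored build:", vet_app(DOCTORED_MANIFEST, ATTACKER_CERT))
```

The signer check is the stronger of the two: a repackaged app can be trimmed back to an innocent-looking permission list, but it cannot carry the original developer’s signature, which is also why Android refuses to install it as an update over a copy signed with the genuine key.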
Security experts, speaking off the record, said that the nation’s big banks already employ teams tasked with prowling the Web in search of doctored apps. How many have they found? That figure is unknown, but the suspicion is that there would not be so many hunters if there were no game to find.
Either way, the takeaway for credit union executives, who today are mulling mobile banking and what it means from a security perspective, is that the user is the weak link, said McLaughlin.
“There needs to be a fair amount of customer education,” Tyebjee at Infosys added.
Educating members about where to safely download banking apps, how to securely edit app permissions, and what warning signs of fraud to look for are big steps toward a safe expansion of mobile banking.
The bottom line may be that as mobile banking continues to expand, so will the fraudsters.