The idea of a faceless criminal making a fake copy of your mobile banking app, spying as you key in your credentials and draining your savings in front of your eyes sounds like a far-fetched dystopian nightmare.
But across Australia, it’s happening, and at an alarming rate.
Just this April the country was shocked by the story of a university student whose online banking app was remotely accessed by hackers who stole $3,000 of her savings as she watched on in helpless horror.
The victim’s numerous attempts to contact her bank proved futile, with support staff deeming the hacker’s transactions “authorised”.
Hers is, sadly, not a unique story. Online banking is a rich playground for cyber criminals, particularly in Australia: two-thirds of Australians now use banking apps to manage their finances and last year this overtook internet banking as the most popular method for the first time.
It’s no coincidence, then, that online banking scams were one of the most common attacks reported by Australians between 2020 and 2021, according to the latest Annual Cyber Threat Report by the Australian Cyber Security Centre (ACSC).
Attacks against smartphone and tablet users running banking applications are done with the clear-cut and nefarious intention of stealing login information and other personal data associated with an intended victim’s finances. And criminals who can successfully compromise a smart device gain direct access to what they’re after: people’s life savings.
How cyber attackers target banking app customers
Various tactics are employed by criminals to target banking app users, including sending people spam emails encouraging them to download bogus versions of apps, or calling and emailing targets pretending to be their bank in attempts to get them to transfer money.
If a user has spyware on their phone, which results from downloading a compromised app or clicking a malicious link, it can monitor their keystrokes so that when they enter their banking credentials, they’re directly handing this information to a criminal.
In 2018, global cyber-security company Lookout uncovered the BancaMarStealer trojan malware family, which is delivered to victims via text message and prompts them to download a custom app to steal their mobile banking credentials. The malware can be configured to target specific banks, and as of April 2021, there were 74,000 samples of it across the globe.
This followed the 2016 discovery of the SlemBunk threat, which monitors devices to determine when banking apps are being opened. This triggers the launch of a fake copy of the legitimate app, into which customers enter their credentials.
The obligation of banks
Financial institutions have long been associated with airtight security measures to protect people’s most valuable resources from physical and virtual threats.
The recent wave of cyber crime has ushered in a raft of new security regulations and protections for financial institutions.
As of this year banks are considered operators of critical infrastructure, which means the government intervenes with support in the instance of a cyber attack, and that they are subject to tighter security obligations including mandatory cyber reporting and the development of risk management programs.
Recently Australians saw the consequences of a financial institution failing to meet cyber-security obligations when the Federal Court of Australia’s gavel came down on RI Advice. Nine cyber incidents that had affected its customers were deemed evidence of its lax security systems, and RI Advice was ordered to pay $750,000 in damages.
While it’s unfair to point the finger at banks entirely – after all, there has been a renewed focus on them upping their security game – there is a crucial gap impacting mobile bankers around the country.
Currently, banking applications mostly apply security measures to support their own back-end infrastructure, which leaves the environments in which the apps operate open to attack. This means there is no protection against any malware, Trojans or spyware that are downloaded onto users’ devices, leaving them vulnerable against the types of finance-draining cyber crime discussed.
While banks can argue that their apps are secure and protected, and that a degree of user discretion is required to prevent attacks, this approach ends up costing them in the long run.
Banks commonly reimburse customers who have been defrauded to avoid backlash. In the example above of the university student, the bank reimbursed all of the money stolen, although not before its name was plastered unflatteringly across the news.
Further abroad in Singapore, in January OCBC Bank reported it had lost more than $14 million in reimbursing victims of phishing scams, with 80 per cent of this occurring over the space of a single week last Christmas.
Customers deserve proper security from their banks, and given that technology exists to ensure devices’ environments are protected, there’s really no excuse to be a laggard.
Environmental security now critical for banking applications
Banking applications need to be re-architected from the ground up, leveraging cyber protection-specific software development kits (SDKs) in the redesign phase.
If designed correctly, applications will be both secure and threat-aware, protecting the application from the environment around it, including from spyware, Trojans or malware.
Apps embedded with this “environment aware” self-protection would be able to alert application administrators that a malicious process was running on the device and employ remediation techniques, such as shutting down the application immediately, preventing a one-time password authorisation and even stopping payments.
Better still, these measures can be built into the applications themselves, ensuring this level of security is part and parcel of the app, from the moment it’s downloaded through to subsequent updates.
This means banks don’t have to rely on customers protecting the environment themselves – and they avoid doling out hefty repayments when scammers’ attempts are successful.
Likewise, customers feel safer when using banking applications and will increasingly rely on them for everyday use, free from the humming dread of potential risks.
There has been a monumental shift in the way Australians manage their finances, and banks have an obligation to protect customers in this new environment.
On-premises bank vaults may have been sufficient in the past, but considering the majority of Australians carry their banks around in their bags and pockets, financial institutions need to adapt and protect their customers at all times – or will continue suffering the consequences.
Don Tan is senior director, Asia-Pacific Japan, for Lookout.