Consumer banks and their customers have a new reason to be extra vigilant. Cyberthieves have begun using new malicious software (“malware”) programs to steal credentials from customers of large banks who enter their accounts via Apple iOS and Android based apps. Malware programs like Acecard and GM Bot are proving so pernicious because they can morph into customized overlays to imitate 50 financial-services apps. That feature is attracting the attention of cyber-thieves, mobile phone companies, cybersecurity, and bank regulators.
What’s the situation?
As programs spread globally, the Federal Bureau of Investigation and U.S. banking regulators are stepping in with new guidelines and requirements to try to bolt the virtual doors to these Trojan horses. Apple has urged some iPhone users to update their software to repair a security flaw that could allow a hacker to take control of the operating system remotely. And the Federal Financial Institutions Examination Council is calling for banks to do their part as well, recommending that they pay attention to mobile phone malware, which can get into a phone system if a user clicks on a text message from an unknown source or opens an online advertisement.
Then it lays in wait until the user opens their banking app. At that point, the malware creates an overlay that masks the authentic banking app and gives the cybercriminal access to the user’s activities and credentials. The malware has the ability to add fields that request additional PII (e.g., date of birth or Social Security Number) and to send secondary authentication requests via text. The information goes directly to the criminal, who can use or sell the credentials.
One of the main reasons why these cybercrimes are spreading so virally is that they are hard to track. Many customers fail to notice the theft until long after they have used their phone to log onto the account – the point at which the malware invaded. By the time the breach is noticed, it is already hard at work.
Why is this happening?
Banks of all sizes are creating more and more online and app-based tools in response to their customers’ desire to perform financial tasks like checking their account balances, direct deposit, and bill pay. The effort is working – more than half (53%) of smartphone users engage in mobile banking, up more than 10% since 2011. And with multi-factor authentication measures built into most of these platforms, many users feel safe – despite news that tells otherwise.
In fact, fewer than one-third of smartphone owners use mobile antivirus or anti-malware software on their phones. That makes the banking apps on them more vulnerable (and therefore more attractive) to hackers than online banking sites. And for those users who ‘jailbreak’ their phone to run unauthorized apps, the risk is significantly higher.
What does it mean for banks?
Banks have been pushing customers toward digital channels not only to respond to their requests for flexibility and control, but also to reduce their own costs and improve efficiency. But as the scale and risk of theft rises, those savings efforts are becoming costly because most banks reimburse customers for money stolen from their accounts.
Combatting this newest cybersecurity issue is a concerted effort. With the financial risk so high, it’s hardly surprising that bank regulators and executives are scrambling to find immediate and direct measures to impede the malware and inform customers.
One of the ways they are doing this is by altering their banking applications frequently. They are also setting more sensitive security triggers to draw attention to possibly unusual customer activities (e.g., large withdrawals in atypical locations) and requiring added layers of online authentication information from users. The solutions are a good start, but like most countermeasures, they are far from perfect.
The human element will still leave banks vulnerable. Ironically, this very reason is also an opportunity for deepening customer engagement. Banks can use the risk as a reason to show their dedication to their customers. They can help customers to understand how to protect themselves and demonstrate the security measures they are implementing to stay on the forefront of the growing risk in the market.
This most current malware situation illustrates one more reason why banks absolutely must put cybersecurity at the center of their risk management, strategic planning and technological investments. The best way to do this is to partner with a specialist that is dedicated to forming customized anticipatory approaches to help you address your specific form and level of risk.
The HORNE Banking and Cybersecurity teams work in tandem to help build and test specific, proactive risk measures. Contact us to find out how we can help you keep your customers aware, secure, and willing to bank with trust.
Join the conversation and receive updates of new posts:
 SAS and Javelin Strategy & Research