The first shots are being fired in the next major battle in the war on data security -- the mobile channel. Even at this early stage, we have seen cases of malicious applications found in mobile-application stores, some purporting to be from legitimate financial institutions, such as HSBC Holdings plc. and United Services Automobile Association (USAA). In fact, Google removed a number of malicious applications from the Android marketplace in December.
It is a dangerous new take on phishing: instead of being lured to a fraudulent URL, the device owner voluntarily downloads a malicious application from a reputable app store run by Google, Apple Inc., Research in Motion Limited, Palm Inc. or others. From there, the application can overtly collect the personal and financial information the mobile subscriber types into it, or covertly harvest names, addresses and any other sensitive data stored on the device. While app stores are working hard to perform due diligence on applications, the pressure to offer the broadest range of applications to the widest audience of users may let rogue programs go unchecked. The problem threatens mobile banking security and is likely to get worse before it gets better, for a number of reasons.
First, financial institutions are keen to extend mobile banking beyond balance checking and bill pay. As mobile banking moves from an informational service to a transactional one, banks will introduce applications that make payments to third parties. Until now, the worst a fraudster could do through mobile banking was capture a user's balance and the previous five transactions. As banks bring transactional services to market, a rogue application that mimics those functions can capture the credentials that authorize payments, giving fraudsters a way to extract funds from accounts.
Second, fraudsters are acutely aware of the mobile channel's capabilities. Sensitive data captured by a rogue application could go unnoticed for weeks or months. And given the decentralized nature of the attack (voluntary downloads to tens of thousands of devices), removing a fraudulent application from the app store does not remove it from the handsets that already installed it; getting each end user to uninstall the malware could prove difficult.
Finally, end users are simply not prepared for mobile application fraud. Criminals will exploit the naivety of mobile subscribers who have no reason to be suspicious of apparently legitimate applications that they assume have passed stringent checks. The high degree of differentiation between devices compounds this. Banks could educate customers about the nuanced differences between an online banking session with their actual institution and one with a phishing fraudster (typos, SSL session indicators and the like), but mobile devices present so many permutations of operating systems, visual displays and icons that educating end users for each and every device on the market would be an unmanageable undertaking.
The key to preventing this type of mobile fraud will be stringent checks by app store providers to verify that applications claiming to come from a financial institution actually do. Application stores need to be trustworthy entities, but in a competitive environment where quantity trumps quality, the stringency required to mitigate this type of fraud may not be achievable. It will also be up to financial institutions to remain vigilant about the products bearing their brand in application stores, since the app store providers may have other priorities. While mobile application fraud may not be widespread at this time, the threat to mobile banking security is undoubtedly on the horizon.
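As an added example of the kind of authenticity check the paragraph above calls for (this is not code from the article, from Aite Group or from any app store), here is a small triage a bank's brand-monitoring team could run over store listings. It assumes the bank maintains a registry of its own package names and the SHA-256 fingerprint of its release-signing certificate, and that the store exposes each listing's package name, title, developer name and signer fingerprint. The bank name, package names, certificates and listings are all constructed for the example.

```python
"""Triage of app-store listings against a bank's published app identity.

Added example: not code from the article, from Aite Group, or from any app
store. Assumes (constructed) store metadata with package name, title,
developer and the SHA-256 fingerprint of the signing certificate, and a
registry the bank maintains of its own package names and signing key.
"""
import hashlib
import re


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over a DER-encoded signing certificate (Android-style signer fingerprint)."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed stand-ins; a real check takes the genuine fingerprint from the
# bank's own release-signing certificate, never from a store listing.
GENUINE_CERT = b"constructed DER bytes: Example Bank release signing certificate"
ATTACKER_CERT = b"constructed DER bytes: self-signed certificate of a fraudster"

# What the bank maintains: its package names, the only fingerprint allowed to
# sign them, and the brand tokens to watch for in other listings.
BANK_REGISTRY = {
    "packages": {"com.examplebank.mobile": fingerprint(GENUINE_CERT)},
    "brand_tokens": ["example bank", "exbank"],
}


def normalize(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so 'Ex-Bank' and 'ExBank' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", text.lower()).split())


def mentions_brand(listing: dict, tokens) -> bool:
    """True if the listing's title or developer name carries one of the bank's brand tokens."""
    haystack = normalize(listing["title"] + " " + listing["developer"]).replace(" ", "")
    return any(normalize(t).replace(" ", "") in haystack for t in tokens)


def classify(listing: dict, registry: dict) -> str:
    """Verdict for one listing: genuine, repackaged, impersonation, genuine-unregistered or unrelated."""
    signer = listing["signer_fingerprint"].lower()
    expected = registry["packages"].get(listing["package"])
    if expected is not None:
        # The bank's own package name: genuine only if signed by the bank's key.
        return "genuine" if signer == expected else "repackaged"
    if mentions_brand(listing, registry["brand_tokens"]):
        if signer in registry["packages"].values():
            # Bank's key, unknown package: a new product the registry has not caught up with.
            return "genuine-unregistered"
        return "impersonation"  # brand used, but not signed by the bank
    return "unrelated"


def triage(listings, registry):
    """Run classify over a batch of listings; returns [(package, verdict), ...] in input order."""
    return [(item["package"], classify(item, registry)) for item in listings]


# Constructed listings, shaped as a store crawl might return them.
LISTINGS = [
    {"package": "com.examplebank.mobile", "title": "Example Bank Mobile", "developer": "Example Bank",
     "signer_fingerprint": fingerprint(GENUINE_CERT)},
    {"package": "com.examplebank.mobile", "title": "Example Bank Mobile", "developer": "Example Bank",
     "signer_fingerprint": fingerprint(ATTACKER_CERT)},          # same package name, wrong signer
    {"package": "net.fastpay.exbank.login", "title": "ExBank Balance & Pay", "developer": "Mobile Apps Ltd",
     "signer_fingerprint": fingerprint(ATTACKER_CERT)},          # brand used without the bank's key
    {"package": "com.examplebank.cards", "title": "Example Bank Cards", "developer": "Example Bank",
     "signer_fingerprint": fingerprint(GENUINE_CERT)},           # bank's key, package not yet registered
    {"package": "com.weather.now", "title": "Weather Now", "developer": "Sunny Apps",
     "signer_fingerprint": fingerprint(b"constructed DER bytes: unrelated developer")},
]

if __name__ == "__main__":
    for package, verdict in triage(LISTINGS, BANK_REGISTRY):
        print(f"{verdict:21} {package}")
```

Two design points matter more than the matching logic. The registry must be seeded from the bank's own release-signing certificate, not learned from whatever listing appeared first, or the first impersonator becomes the "genuine" baseline. And the check keys on the signer, not the package name or title, because both of those are free for a fraudster to copy; on Android the signer fingerprint is what `apksigner verify --print-certs` reports for a downloaded APK, and the same logic applies to any store that exposes signer identity.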
About the author:
Nick Holland is a senior analyst at Aite Group, LLC specializing in mobile banking, mobile payments, NFC technologies, as well as security and fraud issues.