According to McKinsey, the share of consumers actively using mobile for their banking needs climbed 18% between 2020 and 2023, to 57%.
Given the number of touchpoints on the mobile channel, it’s not surprising that McKinsey recommends banks prioritize apps for their consumer interactions. Especially when you consider that the banks who are leaders in mobile are also the leaders in retail banking overall.
For banks, maintaining their pre-eminence isn’t only down to making sure these mobile touchpoints are as seamless as possible, or making sure the UX is clearer than it is on rival banking applications. Security is also a vital consideration.
And it’s security that we’ll be focusing on in this article. We’ll take a look at some of the most sophisticated mobile banking security threats out there, we’ll explore the impact of successful attacks both on end users and on the banks themselves, and we’ll explain the level of security required for banks if they want to repel modern threats and maintain their hard-earned reputation in the sector.
This article isn’t about fearmongering, however. We’re not portraying mobile banking as the Wild West, rife with bandits running riot, compromising mobile banking apps at will and making off with your funds.
Mobile banking is relatively safe for most of us, because most banks acknowledge the threats that exist and equip their applications with the robust protection mechanisms required to defend themselves.
The problem is that this isn’t true of all banks, and attacks are getting ever more sophisticated and menacing – partly as a result of AI. Some analysts would argue, justifiably, that even one customer losing their credentials or funds is one too many.
The truth is that, despite many of us using mobile banking apps for a decade or more, it still sometimes feels like security on the device is assumed more than it is prioritized or even demanded. But things are changing. In a world full of hyper-realistic forgeries powered by increasingly influential AI models, assuming anything is no longer sufficient. What is more, new regulations are setting strict penalties for banks that fail to adequately protect their customers.
Here at Licel, we’ve spent the last 14 years or so working with banks worldwide – both traditional and digital – to fortify their apps against attacks. This work has convinced us of the severity of the security threats facing mobile banking applications. But it has also reinforced our belief that there are actionable solutions to the challenges that banks face.
Let’s take a look at some of those challenges and solutions now.
Mobile banking trojans
Malware designed specifically to target mobile banking applications is known as a mobile banking trojan. A couple of years ago Kaspersky experts detected nearly 200,000 of them. It’s an incredible and alarming number.
Mobile banking trojans often arrive on a user’s device via seemingly innocuous – and often quite boring-looking – apps such as file managers. Once installed, these apps can then request permission to install other packages that are vital for the trojan to operate.
Some trojans – as the name hints at – can lie in wait, dormant, after being invited inside the city walls (i.e., when the payload has been delivered and downloaded) until the time is just right for them to strike. This often means when a mobile banking app is opened by the victim.
Then there’s spyware, which haunts the end user constantly, delivering a live feed of their private activity on the device to attackers. This includes what they’re doing on their mobile banking application, of course.
Trojans are often designed to exploit Accessibility Services – on Android devices at least. This tool, designed to help people with disabilities use their mobile devices, can enable trojans to overlay fake screens made to look exactly like those in the legitimate application. It can also help them to log keystrokes – and thus discover their victims’ login credentials and card details.
Some particularly sophisticated varieties of trojan can even use Accessibility Services to override or disable security mechanisms such as antivirus applications.
The danger to end users here is clear: if they aren’t careful, then they could end up with a hidden menace on their devices capable of stealing their credentials, or worse; stealing significant amounts of money from their accounts.
Some banking customers are less cautious than others and, as a result, they might put themselves in a position that makes a payload arriving on their device more likely – by rooting their device or by downloading apps from outside recognized platforms such as the App Store or Play Store, for example.
But other customers can just be unlucky. They might fall for a social engineering scam and click on a link they shouldn’t, for example. This is something that can unfortunately happen to any of us – even those of us who think we’re tech savvy and unlikely to fall for the mental traps that scammers set for us.
In the end, we probably need to accept that malware will continue to land on end users’ devices, and then spread quickly to others. So, what can be done about it?
Intelligence is vital. Ideally, banks should make use of a comprehensive threat and device intelligence solution capable of detecting both malware and Potentially Harmful Apps (PHAs). This will flag indicators of possible interference worthy of investigation by the bank’s security analysts.
Another incredibly effective countermeasure is called device binding. Linking a user’s account to a specific device helps to prevent trojans from stealing or modifying user data via remote access attacks (where a malware variant tries to gain remote access to a device to steal sensitive information).
Banks must also enforce UI Protection. This stops some of the go-to Accessibility Services exploits that we’ve outlined above and protects against screen capture (attackers can still attempt it, but the end result will be a black screen). It also minimizes the threat of IP theft and remote access fraud.
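Device binding, as described above, is easiest to understand as a protocol: the device enrolls a secret with the bank once (after the customer has proven who they are), and from then on every request carries a signature that only that handset can produce, so credentials harvested by a trojan are useless on another phone. The following is an added example written for this article, not Licel code or any bank’s implementation. It models the server side in Python with a shared HMAC secret standing in for the per-device key that a real app would keep in the platform’s hardware-backed keystore; the account and device identifiers, the timestamp and the request body are all constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hypothetical device-binding service (example code, not a product API).
# The shared secret stands in for a per-device key that a real app would keep in
# the platform's hardware-backed keystore; HMAC keeps the example dependency-free.
class DeviceBindingServer:
    def __init__(self, freshness_window_s=300):
        self._bindings = {}        # account -> {device_id: secret}
        self._seen_nonces = set()  # (device_id, nonce) pairs already accepted
        self.freshness_window_s = freshness_window_s

    def enroll(self, account, device_id):
        """Bind a device to an account; a real flow would do this only after MFA."""
        secret = secrets.token_bytes(32)
        self._bindings.setdefault(account, {})[device_id] = secret
        return secret

    def verify(self, account, device_id, nonce, ts, body, tag, now):
        """Accept a request only if it was signed by a device bound to the account."""
        secret = self._bindings.get(account, {}).get(device_id)
        if secret is None:
            return False, "device not bound to account"
        if abs(now - ts) > self.freshness_window_s:
            return False, "timestamp outside freshness window"
        if (device_id, nonce) in self._seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(secret, device_id, nonce, ts, body)
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        self._seen_nonces.add((device_id, nonce))  # remember only accepted nonces
        return True, "ok"


def sign_request(secret, device_id, nonce, ts, body):
    """HMAC over every field the server checks, so none can be swapped in transit."""
    msg = b"|".join([device_id.encode(), nonce.encode(), str(ts).encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class DeviceClient:
    """Model of the banking app on one handset holding its enrolled secret."""
    def __init__(self, device_id, secret):
        self.device_id = device_id
        self.secret = secret

    def make_request(self, body, now):
        nonce = secrets.token_hex(16)
        tag = sign_request(self.secret, self.device_id, nonce, now, body)
        return self.device_id, nonce, now, body, tag


def run_scenario():
    """Walk through a genuine request and four typical abuse patterns."""
    server = DeviceBindingServer()
    now = 1_700_000_000  # constructed timestamp
    body = b'{"payee":"utility-co","amount":"50.00"}'  # constructed request body
    secret = server.enroll("acct-123", "dev-A")
    genuine = DeviceClient("dev-A", secret)
    req = genuine.make_request(body, now)
    results = [server.verify("acct-123", *req, now=now)[1]]          # accepted
    results.append(server.verify("acct-123", *req, now=now)[1])      # same request again
    # Stolen credentials used from a handset that was never bound
    rogue = DeviceClient("dev-B", secrets.token_bytes(32))
    results.append(server.verify("acct-123", *rogue.make_request(body, now), now=now)[1])
    # Attacker spoofs the bound device id but does not hold its secret
    spoof = DeviceClient("dev-A", secrets.token_bytes(32))
    results.append(server.verify("acct-123", *spoof.make_request(body, now), now=now)[1])
    # Genuine request captured earlier and relayed after the freshness window
    stale = genuine.make_request(body, now - 900)
    results.append(server.verify("acct-123", *stale, now=now)[1])
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The order of the checks matters: the cheapest rejection (unknown device) comes first, and a nonce is recorded only once a request has been fully accepted, so an attacker cannot burn a nonce by submitting a badly signed copy ahead of the genuine one.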
Account Takeovers
Malware can also be used by bad actors to initiate an account takeover. After all, the user credentials they attempt to extract via Accessibility Services exploits can then be used to fraudulently access the victim’s account.
The objective of an account takeover is to take control of a user’s bank account to steal funds, make unauthorized or illegal transactions, and to open new accounts or access additional banking services such as credit cards and loans.
Malware isn’t the only attack vector open to fraudsters to achieve this aim, of course. They can also physically steal a victim’s phone and access their account that way. Or, more typically, they can carry out credential abuse by tricking their victim into voluntarily giving up their login details. This might be via a social engineering campaign, or as a result of the victim mistakenly downloading a bogus, cloned version of the app after being convinced that it is an updated version of the genuine one. Attackers can then harvest login credentials and other sensitive information from this fake application.
Whatever the attack vector, the end result is always the same for the victim: a deeply traumatic experience. As for the bank itself, the more customers suffer account takeovers, the more its reputation is likely to diminish.
So, what must banks do to prevent account takeovers from succeeding?
The anti-malware mechanisms that we covered in the previous section apply here, too, given that malware is a key attack vector for account takeovers. As for credential abuse, there are several protection mechanisms to keep in mind:
Once again, device intelligence is vital. A robust intelligence solution can use a device or session identification mechanism to detect when an account is being accessed by a device that isn’t associated with that given user. Banks need to make sure that their apps are capable of analyzing device attributes and user behavior to spot anomalies that might be indicative of bad actors carrying out credential stuffing, brute force attacks, or session hijacking. Once detected, action can then be taken to prevent the fraudulent device from accessing the application. And binding a user’s account to a specific device can also help to stop bad actors from stealing or modifying authentication data.
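The three anomalies named above leave different fingerprints in login telemetry: credential stuffing is one device failing against many accounts, brute force is many failures against one account, and session hijacking is a session token being used from a device other than the one that created it. The detector below is an added example for this article, not a description of any vendor’s intelligence product. The event fields (`device_fp`, `session`, `outcome`) and the thresholds are assumptions, and the telemetry is a constructed sample covering one analysis window.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # unix seconds
    account: str
    device_fp: str   # device fingerprint reported by the app (hypothetical field)
    outcome: str     # "fail", "success" (mints a session) or "activity" (uses one)
    session: str = ""


# Constructed sample telemetry for one analysis window (not real bank data).
EVENTS = [
    # one device hammering many different accounts: credential stuffing
    *[LoginEvent(100 + i, f"acct-00{i}", "dev-stuffer", "fail") for i in range(1, 7)],
    # many failures against one account from one device: brute force
    *[LoginEvent(200 + i, "acct-100", "dev-brute", "fail") for i in range(9)],
    # genuine login, then the same session token used from another device
    LoginEvent(300, "acct-200", "dev-alice", "success", "s-1"),
    LoginEvent(330, "acct-200", "dev-alice", "activity", "s-1"),
    LoginEvent(360, "acct-200", "dev-evil", "activity", "s-1"),
    # an ordinary customer mistyping twice before getting in
    LoginEvent(400, "acct-300", "dev-bob", "fail"),
    LoginEvent(430, "acct-300", "dev-bob", "fail"),
    LoginEvent(460, "acct-300", "dev-bob", "success", "s-2"),
]


def detect(events, stuffing_min_accounts=5, brute_force_min_fails=8):
    """Return sorted findings as (kind, subject, detail) tuples for one window."""
    fails_by_device = defaultdict(set)   # device -> distinct accounts it failed on
    fails_by_account = defaultdict(int)  # account -> failure count
    session_owner = {}                   # session token -> device that minted it
    findings = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.outcome == "fail":
            fails_by_device[e.device_fp].add(e.account)
            fails_by_account[e.account] += 1
        elif e.outcome == "success":
            session_owner[e.session] = e.device_fp
        elif e.outcome == "activity":
            owner = session_owner.get(e.session)
            if owner is not None and owner != e.device_fp:
                findings.add(("session_hijack", e.session, e.device_fp))
    for dev, accounts in fails_by_device.items():
        if len(accounts) >= stuffing_min_accounts:
            findings.add(("credential_stuffing", dev, len(accounts)))
    for acct, n in fails_by_account.items():
        if n >= brute_force_min_fails:
            findings.add(("brute_force", acct, n))
    return sorted(findings)


def devices_to_block(findings):
    """Devices the backend should refuse until an analyst clears them.

    Brute force is answered per account (lockout or step-up) rather than per
    device, so it is deliberately not part of this list.
    """
    stuffers = {f[1] for f in findings if f[0] == "credential_stuffing"}
    hijackers = {f[2] for f in findings if f[0] == "session_hijack"}
    return sorted(stuffers | hijackers)


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f)
    print("block:", devices_to_block(found))
```

Note that the customer who mistypes twice (`dev-bob`) produces no finding: the thresholds are what separate ordinary friction from an attack, and they need tuning against a bank’s own baseline rather than the constructed numbers used here.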
Another threat to be protected against is man-in-the-middle attacks. This is where attackers hijack a network – often an unprotected one without a password – with a view to intercepting authentication data. Imagine you’re in the airport and you want to send a payment to the hotel before your arrival. So, you log onto the free airport Wi-Fi and open your mobile banking application. At this point an attacker on the network could hijack your connection and steal your credentials. It really isn’t worth the risk.
The danger of credentials being stolen in all of these scenarios also reinforces the importance of multi-factor authentication (MFA) given that, when enforced, user credentials alone aren’t enough to access the bank account. Please do make sure that you enable MFA for this reason.
eKYC fraud
Another big challenge facing banks is eKYC fraud. This is where attackers attempt to bypass or exploit the eKYC (electronic Know-Your-Customer) checks that banks carry out before onboarding new customers.
With the advent of AI, it is becoming easier for bad actors to generate fake ID documents and even photos and videos to help them pass these checks and convince the bank that they are indeed dealing with a real person.
One common approach is for attackers to use a virtual camera and faked faces in order to pass the eKYC check. Deepfakes use AI models to effectively trick the eKYC system into thinking that it’s the real person. Some people pay for a more sophisticated fake, but it’s also possible to trick some eKYC systems with a fairly rudimentary, low-resolution video based on a passport photo. Right now, it feels like some automatic eKYC models aren’t up to the task of differentiating between real homo sapiens and bogus, AI-powered versions.
This is a very big problem, because once the eKYC checks have been passed, the fraudster can open a bank account or a credit card account, apply for a loan, and so on. This can then result in the bank in question losing significant quantities of money (and time) as a direct result of eKYC fraud, not to mention the time and money required to firefight and deal with the fallout afterwards.
Banks also run the risk of regulatory fines if it comes to light that they have failed to comply with KYC (and security) specifications. Banks without robust fraud prevention measures in place could find themselves facing legal action, too, given that some eKYC fraud might be linked to money laundering.
eKYC fraud can, like the other attacks covered in this article, also damage end user trust and the bank’s reputation, particularly if it emerges that an attacker has used a customer’s credentials.
Stopping eKYC fraud requires multiple layers of interconnected protection. It’s about identifying suspicious devices, stopping deepfakes and image-injection based spoofing, and preventing fraudsters from using outdated, insecure, or tampered-with versions of a bank’s application.
Because the eKYC process can be interfered with and tricked, as we explained above, ideally the checks should be carried out in an isolated and secure execution environment that cannot be tampered with. And eKYC data must also be encrypted if it is stored on the device to stop unauthorized access or modification – including by malware.
We also recommend that banks equip their applications with protections against network and man-in-the-middle attacks that target eKYC data transmission. Recommended protection mechanisms include TLS Certificate Pinning and Certificate Transparency, which both help to verify that the app is communicating with the legitimate backend server.
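Certificate pinning, recommended here and also the answer to the airport Wi-Fi scenario in the account takeover section, works by having the app refuse any TLS connection whose server certificate does not carry one of a small set of expected public keys, regardless of which certificate authority signed it. The example below, added for this article and not Licel’s or any bank’s code, shows the pin computation that HPKP, OkHttp’s CertificatePinner and Android’s Network Security Config all share: the SHA-256 of the DER-encoded SubjectPublicKeyInfo, base64-encoded. Because it must run offline, it builds its own minimal DER certificate structures with a constructed placeholder key rather than parsing a real certificate, and the pin-set values are derived from those constructed keys.

```python
import base64
import hashlib


def _der_len(n):
    """DER length octets: short form below 0x80, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def tlv(tag, body):
    """Encode one DER element (tag, length, value)."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf, off=0):
    """Decode the DER element at buf[off]; returns (tag, body, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def children(body):
    """Split a SEQUENCE body into the full TLV bytes of each child element."""
    out, off = [], 0
    while off < len(body):
        _, _, nxt = read_tlv(body, off)
        out.append(body[off:nxt])
        off = nxt
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo from an X.509 certificate."""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_body, _ = read_tlv(children(cert_body)[0])  # tbsCertificate
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def pin_of_spki(spki_der):
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert_der):
    return pin_of_spki(extract_spki(cert_der))


def check_pins(cert_der, pinset):
    """Fail closed: a malformed certificate is rejected, never waved through."""
    try:
        return spki_pin(cert_der) in pinset
    except (ValueError, IndexError):
        return False


# Constructed sample material (placeholder keys, not real certificates).
ED25519_ALG = tlv(0x30, tlv(0x06, bytes([0x2B, 0x65, 0x70])))  # id-Ed25519
SAMPLE_SPKI = tlv(0x30, ED25519_ALG + tlv(0x03, b"\x00" + bytes(range(32))))
BACKUP_SPKI = tlv(0x30, ED25519_ALG + tlv(0x03, b"\x00" + bytes([0xAB] * 32)))
ROGUE_SPKI = tlv(0x30, ED25519_ALG + tlv(0x03, b"\x00" + bytes(32)))


def build_cert(spki, with_version=True):
    """Assemble a structurally valid (unsigned, placeholder) certificate around spki."""
    fields = [tlv(0xA0, tlv(0x02, b"\x02"))] if with_version else []
    fields += [tlv(0x02, b"\x01"), ED25519_ALG, tlv(0x30, b""),
               tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z")),
               tlv(0x30, b""), spki]
    return tlv(0x30, tlv(0x30, b"".join(fields)) + ED25519_ALG + tlv(0x03, b"\x00" + bytes(64)))


SAMPLE_CERT = build_cert(SAMPLE_SPKI)
ROGUE_CERT = build_cert(ROGUE_SPKI)
# A pin set always carries a backup pin so a key rotation does not brick the app.
PINSET = {pin_of_spki(SAMPLE_SPKI), pin_of_spki(BACKUP_SPKI)}

if __name__ == "__main__":
    print(spki_pin(SAMPLE_CERT), check_pins(SAMPLE_CERT, PINSET), check_pins(ROGUE_CERT, PINSET))
```

Two design points carry over to real deployments: pin the public key rather than the whole certificate so that routine reissuance does not break the app, and always ship at least one backup pin for a key held offline, since a pin set with a single entry turns a lost key into a self-inflicted outage.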
Finally, as with the other attack examples, banks should use a threat and device intelligence solution that means their application can analyze both device attributes and user behavior to detect anomalies that may point to evidence of identity fraud.
Social engineering
All three of the mobile banking security threats we’ve covered above tend to have some form of social engineering element to them.
Mobile banking trojan payloads often arrive on a victim’s phone via a link in a phishing email, or via a bogus application that they have been tricked into downloading. Account takeovers are sometimes facilitated by a user sharing their credentials (perhaps after the attacker claims to be a banking employee in order to overcome initial resistance). And eKYC fraud, too, can be made easier if banking customers share their personal information.
So, social engineering is a constant threat that can enable and expand the reach of other attacks and needs to be tackled at the same time. The difficulty, of course, is that social engineering isn’t a technical attack that can be stopped with robust, technical solutions. Social engineering targets human emotions and so it is much less predictable.
Sometimes our instincts lead us to behave in a way that might not be the safest from a security perspective. We’ve been hard-wired to react to situations almost without thinking – holding the door open for someone, the desire to help people, or the instinct to defer to authoritative voices, for example. All of these can be exploited by bad actors to trick us and steal from us.
Social engineering isn’t a new concept; it’s been with us for thousands of years. It’s just the delivery method that has changed. We’re now getting tricked via our favourite device that we naturally associate with spontaneity, fun, and trust. All in all, it’s the perfect storm.
And that’s before you add the impact of AI into the mix. At the very least, AI models have made phishing messages much more convincing and effective. Do you remember the days when it was quite easy to spot a scam message because of the quantity of grammar and spelling mistakes? Those days are over. Now you can train your AI assistant to write personalized imitations of official bank communications in the style of the world’s finest copywriter.
More complex scams that might previously have required bad actors to invest significant funds into employing and training scammers in a call center can now be done via AI-powered voice assistants, designed to trick banking users into transferring funds, sharing their account details, or revealing authentication codes.
And if the attackers think that their target banking customers might be more likely to comply if they were asked by someone with a specific accent – say a well-educated, softly-spoken English lady from the Home Counties – then that too can be arranged thanks to AI.
Without a doubt, the storm clouds have darkened as a result of AI. And it’s up to banks to calm the waters:
A secure, verified, communication channel within the app itself can go a long way in stopping end users being tricked by fake customer support scams. And repeated warnings about ignoring messages – however convincing they are – that appear to be from the bank but are actually from unverified sources, can hammer home the message.
Banks can also set some rules within the app that require additional authentication for high-risk transactions that involve large sums or a new payee. Some forward-thinking banks have even set up a sort of cooling off period of several hours before a transaction can be approved and finalized. They should also consider detecting active voice calls while the mobile banking application is in use, as an additional layer of protection for the user and a way to prevent them being manipulated mid-call.
The thing is, social engineers rely on you acting impulsively, without thinking. They’re desperate for you to embrace the instinctive, almost tic-like behaviors that we learn from a very young age. Take away the attacker’s advantage – the pressure to act right now – and things tend to become clearer. We’re much more likely to think logically about a given situation.
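The in-app rules just described (step-up authentication for large or new-payee transfers, a cooling-off hold of several hours, and an active voice call as a risk signal) can be expressed as a small decision function on the transaction and the customer’s history. The following is an added example for this article, not a description of how any particular bank or Licel product does it; the thresholds, the four-hour hold, the `call_active` signal and the sample payees are all constructed assumptions, and how the app detects a call is left to the platform.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    amount: float
    payee: str
    call_active: bool = False  # app reported a voice call in progress (hypothetical signal)


@dataclass
class CustomerProfile:
    known_payees: set
    step_up_threshold: float = 500.0       # additional authentication at/above this
    cooling_off_threshold: float = 2000.0  # new payee at/above this is held first


COOLING_OFF_S = 4 * 3600  # constructed value for "several hours"


def assess(txn, profile, elapsed_s=0):
    """Decide ALLOW / STEP_UP / HOLD for a transfer.

    elapsed_s is how long ago this same transfer was first requested, so a
    transfer held for cooling off can be re-assessed when the customer returns.
    """
    reasons = []
    new_payee = txn.payee not in profile.known_payees
    if new_payee:
        reasons.append("new payee")
    if txn.amount >= profile.step_up_threshold:
        reasons.append("amount at or above step-up threshold")
    if txn.call_active:
        reasons.append("voice call active during transfer")
    if new_payee and txn.amount >= profile.cooling_off_threshold and elapsed_s < COOLING_OFF_S:
        remaining_min = (COOLING_OFF_S - elapsed_s) // 60
        return "HOLD", reasons + [f"cooling-off period, {remaining_min} minutes remaining"]
    if reasons:
        return "STEP_UP", reasons
    return "ALLOW", reasons


# Constructed sample customer.
PROFILE = CustomerProfile(known_payees={"utility-co", "landlord"})

if __name__ == "__main__":
    for txn, elapsed in [
        (Transaction(40, "utility-co"), 0),
        (Transaction(750, "utility-co"), 0),
        (Transaction(3000, "new-shop"), 0),
        (Transaction(3000, "new-shop"), 5 * 3600),
        (Transaction(40, "utility-co", call_active=True), 0),
    ]:
        print(txn.amount, txn.payee, "->", assess(txn, PROFILE, elapsed))
```

The hold comes back as `STEP_UP` rather than `ALLOW` once the cooling-off period has elapsed: the delay buys the customer thinking time, but a large transfer to an unknown payee still warrants a second factor at the point of release.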
Remember, if you have even the slightest doubt in your mind about making a transaction, pause and take a step back. Speak with friends or family members, perhaps, and then ask yourself an important question: do I trust this person?
Navigating mobile banking security threats
The impact of AI on banking app attacks reminds us that nothing stays the same for very long. Technology trends are fluid. They’re always evolving. And attacks evolve with them. That means that mobile channel protection solutions also need to be updated and enhanced to counter the latest, most sophisticated threats.
This is another important reason why banks should use a reliable threat and device intelligence solution. Their security analysts can dig into the data to understand the trends around different types of attacks, which in turn can help them to create a more solid security strategy in the long run.
Here at Licel, we’re firm believers in the concept of continuous security. That’s why we have our products evaluated by external laboratories and approved by respected industry bodies like EMVCo. We want to be completely sure that our solutions are ready to deal with the latest threats – including those that have been enhanced by AI.
Banks also need to make sure that they are alert to how attack trends are evolving and don’t get complacent that security solutions that have worked in the past will continue to be effective now and in the future.
If they’re not alert, then they’ll end up wasting significant amounts of time and resources dealing with the fallout of fraud, potentially fall foul of industry regulations, and suffer a loss of trust among their customers that will hit their business reputation hard.
The choice between all of that and making an investment in reliable mobile channel protection really should be an easy one to make.
If you’re interested in a wider view of the threats facing mobile banking applications and how Licel solutions help to stop them, check out our mobile banking use case.