As m-commerce grows, recent research shows that security is a major concern for consumers making payments by smartphone, and the threats against the mobile channel are growing with it. Using the example of a recent malware attack on the mobile banking services of banks in the Middle East, we analyze the techniques the criminals employed and suggest a number of lessons that organizations should take from the attack with a view to preventing similar incidents within their own offerings.
There is a quiet revolution taking place in the m-commerce space. The statistics highlight a major shift in the way consumers are using their mobile devices. Various recent surveys show that up to 27% of smartphone and tablet owners have used their device to make payments, a clear trend away from consumers using their PC to pay. A deeper dive into the figures shows that younger consumers are the biggest adopters of m-commerce. Who makes mobile purchases in the UK? 23% are aged 35 to 44 and 30% are aged 25 to 34. The consumer of tomorrow expects businesses to have the right infrastructure in place so that spending and payments can be made via the mobile channel.
What are these young consumers purchasing using their phones or tablets? A whole range of goods and services. For example, up to 40% of those recently polled who owned such devices had bought clothing and clothing-related accessories. Other significant purchases included meals, sports equipment and tickets. The biggest concern for these consumers? Security.
I am going to take a detailed look at a recent security issue affecting banks, but this type of attack against m-commerce is equally applicable to a number of other sectors. The statistics above show that a diverse range of goods is being purchased via the mobile channel, and every forward-thinking business needs a cohesive strategy for mobile and, equally importantly, a cohesive, well-thought-out security process. The old adage that there is no silver bullet for security issues still holds true. Businesses need to think not only about deploying technology to deal with the problem, but also about making sure that the correct processes and procedures are in place to deal with a major incident on the mobile channel. Nor should the public sector be excluded from security issues on the m-channel. Perhaps a little further from fully exploiting mobile than private business, the public sector too is looking to use the mobile channel to deliver services and take payments from end users.
A specific malware sample was recently discovered that had been used to perpetrate large-scale fraud against a large number of banks in the Middle East. The attack ran from April 2013 to February 2014, a very long time for a fraud to remain undetected. This raises the question of what processes and procedures were in place that should have picked up the attack. Whatever was in place failed completely, which highlights how unprepared most organizations are for this type of attack. Untold damage has been done to the banks' brands and reputations, not to mention the loss of customer confidence in their mobile services.
The modus operandi was to infect mobile phones with malware aimed specifically at the banks' customers. The malware set out to defeat the two-factor authentication the banks had implemented, a very common protection for online banking channels: it captured the one-time password (OTP) the bank sends to the handset to authenticate a customer's transaction and forwarded the captured OTPs to the fraudsters in real time over an encrypted channel.
The second part of the attack was a clone of the bank's own legitimate banking application. Organizations therefore not only have to address infected customers connecting to their mobile platform; they also need a proactive policy for managing rogue versions of their legitimate applications circulating online, and for applications that claim some affiliation with a well-recognized brand in order to appear legitimate. A detailed look at the technical aspects of the malware is beyond the scope of this article, but some details are worth mentioning briefly.
The fraudsters were able to take complete control of the phone, and there was no effective way for the bank to know whether it was dealing with the customer or not. SMS messages were intercepted before they reached the legitimate user. The IMEI and IMSI of the device were sent back to the fraudsters, who used them to identify individual victims. All of this data was sent to a central repository that the fraudsters managed through a console. A deeper look at this repository made clear that the fraudsters could generate new malware variants very quickly to defeat any new security features introduced on the phone; their success is evident in the malware going undiscovered for almost a year. The repository also contained templates suggesting that the fraudsters intended to sell their services to other criminals: the templates could easily have been adapted to different banks across the Middle East, offering the same attack against other institutions on a software-as-a-service model.
The malware was communicating with the fraudsters and sending back the intercepted communications. Whatever security controls were on the phones were bypassed, and whatever controls the bank had in place were bypassed too.
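One answer to the question raised above, of what processes should have picked this attack up, lies on the server side, which the malware on the handset cannot alter. The following is an added example, not the bank's code or anything from the article: it assumes the authentication service logs one JSON object per accepted OTP with the fields ts, account, client_ip and device, and that a baseline of devices previously seen per account exists. The event shape, field names, thresholds and sample log lines are all constructed for this example. Two signals are checked: a device that has OTPs accepted for many different accounts in a short window (the fan-in that an operator console relaying stolen OTPs produces), and an OTP accepted from a device an account has never used before.

```python
"""
Server-side detection of relayed one-time passwords (OTPs).

Added example, not the bank's code or anything from the article. It assumes
the authentication service logs one JSON object per accepted OTP with the
fields ts, account, client_ip and device, and that a baseline of devices
previously seen per account exists. Event shape, field names, thresholds and
the sample log lines are all constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: 1001 and 1005 use their usual handsets; 1002-1004 have
# their OTPs accepted from one unfamiliar device within a few minutes (the
# fan-in an operator console produces); 1006 is a single new device.
SAMPLE_LOG = """\
{"ts": "2013-06-01T10:00:20Z", "account": "1001", "client_ip": "203.0.113.10", "device": "dev-aaaa"}
{"ts": "2013-06-01T10:05:09Z", "account": "1002", "client_ip": "198.51.100.7", "device": "dev-zzzz"}
{"ts": "2013-06-01T10:06:12Z", "account": "1003", "client_ip": "198.51.100.7", "device": "dev-zzzz"}
{"ts": "2013-06-01T10:07:08Z", "account": "1004", "client_ip": "198.51.100.7", "device": "dev-zzzz"}
{"ts": "2013-06-01T11:00:00Z", "account": "1005", "client_ip": "203.0.113.14", "device": "dev-eeee"}
{"ts": "2013-06-01T12:00:00Z", "account": "1006", "client_ip": "203.0.113.15", "device": "dev-ffff"}
"""

# Constructed baseline: devices each account has used before.
KNOWN_DEVICES = {
    "1001": {"dev-aaaa"}, "1002": {"dev-bbbb"}, "1003": {"dev-cccc"},
    "1004": {"dev-dddd"}, "1005": {"dev-eeee"}, "1006": {"dev-gggg"},
}


def parse_events(text):
    """Parse JSON lines into dicts with ts as an aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_in(events, window=timedelta(minutes=15), min_accounts=3):
    """Flag a device whose accepted OTPs span at least min_accounts distinct
    accounts inside a sliding window. A legitimate handset serves one or two
    accounts; an endpoint relaying stolen OTPs serves many."""
    by_device = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_device[e["device"]].append(e)
    alerts = []
    for device, evs in by_device.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[: i + 1] if x["ts"] >= e["ts"] - window]
            accounts = sorted({x["account"] for x in recent})
            if len(accounts) >= min_accounts:
                alerts.append({"rule": "fan_in", "device": device,
                               "accounts": accounts, "ts": e["ts"].isoformat()})
                break                     # one alert per device is enough for triage
    return alerts


def detect_new_device(events, known_devices):
    """Flag an OTP accepted from a device the account has never used."""
    seen = {a: set(d) for a, d in known_devices.items()}
    alerts = []
    for e in events:
        devices = seen.setdefault(e["account"], set())
        if e["device"] not in devices:
            alerts.append({"rule": "new_device", "account": e["account"],
                           "device": e["device"], "client_ip": e["client_ip"]})
            devices.add(e["device"])      # alert once per (account, device)
    return alerts


def analyze(log_text, known_devices):
    """Run both rules over a log and return the alerts keyed by rule."""
    events = parse_events(log_text)
    return {"fan_in": detect_fan_in(events),
            "new_device": detect_new_device(events, known_devices)}


if __name__ == "__main__":
    for rule, alerts in analyze(SAMPLE_LOG, KNOWN_DEVICES).items():
        for a in alerts:
            print(rule, a)
```

Two caveats follow directly from the attack described above. First, the IMEI and IMSI are exactly what this malware harvested, so a device fingerprint built only from them can be replayed by the fraudsters; the device field should combine signals the handset cannot simply report, and the new-device rule is a prompt for step-up verification rather than proof of fraud. Second, where the fraudulent transaction is pushed from the victim's own infected handset, as complete control of the phone allows, both rules see the customer's usual device, and only transaction-level checks (payee, amount, velocity) remain as a signal.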
The mobile channel is only going to continue to grow, and so is the threat from fraudsters. All organizations need to think carefully about how to manage the fraud issue. They need a multi-faceted security policy that identifies rogue actors on the mobile channel, identifies rogue applications and, finally, makes sure the correct processes and procedures are in place to support the technology and the staff tasked with protecting the mobile offering. A single breach on this channel could drive existing customers away from your brand and deter new customers from engaging with your organization. All sectors need to address these issues and ensure they are on the front foot in protecting their m-channel. Waiting for something to happen and then reacting may well be too late, and the last thing any organization wants to deal with is a disclosure in the press that its customers' data has been discovered on the internet in a data repository.