The recent discovery of a new strain of Android malware that can steal the login credentials of mobile banking users will have many financial institutions rushing to review how they protect their customers.
The malware, detected by researchers at security firm ESET, presents victims with a fake version of their banking application's login screen and locks the screen until they enter their username and password. Using the stolen credentials, the thieves can then log in to the victim's account remotely and transfer money out.
The new malware is especially dangerous because it can also capture SMS text messages received by the infected device. Any SMS code sent by the bank as a second form of authentication is therefore immediately readable by a fraudster posing as the customer. An SMS code is only an independent second channel while the device that receives it is not the device under attack; once malware with SMS access sits on that phone, both factors are exposed on the same compromised device, and two-factor authentication based on SMS messages is effectively broken.
The malware currently targets the customers of 20 banks in Australia, New Zealand and Turkey, but it clearly opens up the potential for other financial institutions, or any corporate system, to be targeted by the malware's authors.
This is a big blow to the many companies relying on this form of communication to boost security. Up to now, SMS messages have provided a useful second channel for delivering security codes, but this new malware proves once again that attackers are constantly making inroads into existing security measures.
One alternative would be to revert to old-style security fobs that generate one-time passcodes, but that would bring with it all the old problems associated with that approach – high cost of provision, heavy administrative overheads and the need for users to carry an extra device to do their banking.
Fortunately, SecurEnvoy can provide a couple of alternatives that defeat this malware without extra hardware tokens. The first is the SecurEnvoy authentication app, which users download to their phone and which generates a one-time passcode each time they wish to log on remotely. Because the code is generated on the device and never sent by SMS, the malware's SMS interception gives the fraudster nothing to work with: the code is shown only to the phone's owner.
Another solution is the new OneSwipe Online Push from SecurEnvoy. Here, when end-users log in at their PC and enter their password, a notification with "Accept" and "Deny" buttons is sent immediately to their smartphone.
All they have to do is tap "Accept" and they are logged in, without keying in a passcode. Conversely, if a prompt arrives on their smartphone when they have not tried to log in, they can press "Deny" to stop an impostor who has obtained their password from using their identity.
Andy Kemshall, CTO of SecurEnvoy, commented: "Push uses a much higher level of security as the server creates a one-time seed record and sends it to the phone, which is then appended to the existing app's seed record to create a one-time code that is sent across the network back to the server. This two-way communication and use of split seeds is a form of challenge and response that is much harder to hack."
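The split-seed challenge and response described above, as an added illustration that is not SecurEnvoy's code and does not reproduce its actual algorithm: the post does not say how the phone combines the two seeds, so keying an HMAC-SHA256 with the app seed over the server's one-time seed is an assumption, as are the class and function names. The example shows why a fraudster who only intercepts what arrives on the phone (the push payload, the way the malware intercepts SMS) cannot produce a valid response, and why a captured response cannot be replayed against a later login.

```python
"""Split-seed challenge/response for push login (illustrative, not SecurEnvoy's code).

The server keeps the app seed enrolled on the phone and issues a fresh
one-time seed for every login attempt. The phone combines the one-time seed
with its app seed and sends the resulting code back. Unlike an SMS code,
which is the whole secret, the push payload alone is useless to an attacker.
"""
import hashlib
import hmac
import secrets


def derive_code(app_seed: bytes, one_time_seed: bytes) -> bytes:
    # Assumed derivation: HMAC-SHA256 keyed by the app seed over the one-time seed.
    return hmac.new(app_seed, one_time_seed, hashlib.sha256).digest()


class AuthServer:
    def __init__(self):
        self._app_seeds = {}   # user -> app seed provisioned at enrolment
        self._pending = {}     # user -> one-time seed for the login in flight

    def enroll(self, user: str) -> bytes:
        seed = secrets.token_bytes(32)
        self._app_seeds[user] = seed
        return seed            # delivered to the phone once, at enrolment

    def start_login(self, user: str) -> bytes:
        """Called after the password check; returns the push payload."""
        one_time_seed = secrets.token_bytes(16)
        self._pending[user] = one_time_seed
        return one_time_seed

    def verify(self, user: str, response) -> bool:
        one_time_seed = self._pending.pop(user, None)  # single use: consumed here
        if one_time_seed is None or response is None:
            return False
        expected = derive_code(self._app_seeds[user], one_time_seed)
        return hmac.compare_digest(expected, response)


class PhoneApp:
    def __init__(self, app_seed: bytes):
        self._app_seed = app_seed

    def on_push(self, one_time_seed: bytes, user_accepts: bool):
        if not user_accepts:        # "Deny": nothing is sent back
            return None
        return derive_code(self._app_seed, one_time_seed)


def legitimate_login() -> bool:
    server = AuthServer()
    phone = PhoneApp(server.enroll("alice"))
    push = server.start_login("alice")
    return server.verify("alice", phone.on_push(push, user_accepts=True))


def denied_login() -> bool:
    server = AuthServer()
    phone = PhoneApp(server.enroll("alice"))
    push = server.start_login("alice")
    return server.verify("alice", phone.on_push(push, user_accepts=False))


def attacker_with_push_payload_only() -> bool:
    """Attacker reads the push payload (as the malware reads SMS) but has no app seed."""
    server = AuthServer()
    PhoneApp(server.enroll("alice"))
    push = server.start_login("alice")
    guess = derive_code(secrets.token_bytes(32), push)  # computed with a wrong app seed
    return server.verify("alice", guess)


def replayed_response() -> bool:
    """Attacker replays a captured valid response against a later login attempt."""
    server = AuthServer()
    phone = PhoneApp(server.enroll("alice"))
    first = server.start_login("alice")
    captured = phone.on_push(first, user_accepts=True)
    assert server.verify("alice", captured)   # the genuine login it belonged to
    server.start_login("alice")               # attacker's attempt: new one-time seed
    return server.verify("alice", captured)   # bound to the old seed, so rejected


if __name__ == "__main__":
    print("legitimate:", legitimate_login())                      # True
    print("denied:", denied_login())                              # False
    print("payload only:", attacker_with_push_payload_only())     # False
    print("replay:", replayed_response())                         # False
```

The two properties that matter are visible in `verify`: the one-time seed is consumed on first use, so each response is tied to exactly one login attempt, and the response cannot be computed without the app seed, which is never transmitted after enrolment. Contrast this with an SMS code, where the value delivered to the phone is itself the credential, so anything that can read the phone's messages can complete the login.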
So, although it is worrying that criminals are building malware that steals login credentials and intercepts SMS codes, it is reassuring that SecurEnvoy, which focuses its efforts on authentication solutions, offers products that withstand this attack and remain easy to use.