ShareThis Page

Banking apps threaten to become money for cyber crooks

| Saturday, June 28, 2014, 12:01 a.m.

Mobile banking applications are becoming the next target for hackers, leading to security concerns as more con­sumers use phones and tab­­­lets to manage their money.

“With the increasing applications for smartphones, basically hackers are changing their focus on smartphones and tablets,” said Nima Dezh­kam, principal consultant of Security Compass. “This is inevitable.”

This month, authorities discovered the first major security threat to mobile banking when a malware called Svpeng made its way from Russia into the United States. Once it infects a device, Svpeng looks for banking apps, then locks the device and demands $200 to $300 to unlock it.

Svpeng can steal only general information, such as the name of a bank, and not siphon money from accounts, said Dmitry Bestuzhev, of Kaspersky Lab, a Russian information technology company, with offices in Woburn, Mass., that discovered the malware.

The threat to mobile devices should put banks and consumers on notice, tech security experts say.

“Naturally, the criminals are evolving,” said J. Keith Mularski, the FBI's supervisory special agent in charge of cyber crime, who is based in Pittsburgh. “I just don't think the bad guys have figured out how to take the money from the phones yet. But it's coming, for sure.”

Personal computers are a more lucrative target, because they often are connected to networks that give thieves access to an entire organization, Dezhkam said. Mobile devices offer access to one person. Also, unless mobile users grant permission to a malicious app to access their information, there's not much the malware can do.

But the ways people use mobile phones open them to risks.

Mobile apps tend to value convenience over security. That translates to caching of sensitive information, less complex passwords and fewer authentication steps, Dezhkam said. Antivirus software is not as common on mobile devices. And as people conduct more transactions through phones, the devices attract greater interest from virtual bank robbers.

Nearly 90 percent of adults have mobile phones, and the ubiquity is changing the financial service industry, according to a Federal Reserve survey. A third of mobile phone owners used them to do banking in the past year, up from 28 percent a year earlier.

The transactions that banks allow through mobile devices are more complex — enabling customers to deposit checks, for example, or small businesses to accept credit card payments.

As competition for customers intensifies, mobile banking has become a leading way to attract business, especially young and minority customers.

Citizens Bank had 30 percent growth in “mobile-active households” during the past year, said Michael Cleary, head of U.S. Distribution for Consumer Banking at Citizens.

“Security is an important part of the development process,” Cleary said. “We have fraud detection and other security-related systems and processes in place, and continually update and refine these measures.”

No law requires banks to reimburse customers if a hacker steals money, but it is a standard practice to hold customers harmless, said Tom Crosson, a spokesman for the Consumer Bankers Association. He knew of no bank without a “zero liability” policy.

“You want to make sure consumers feel safe and secure inside the banking system,” Crosson said.

Everyone should have anti-malware protections on their mobile devices, Bestuzhev said.

PNC Bank's online and mobile applications are encrypted and have layered protections, including a personalized security image and a question to verify a user's identity, the bank said.

Yet banks can do only so much to ward off malicious programs, Bestuzhev said. Consumers need to improve their habits.

First, they should never access their accounts when using public Wi-Fi.

“No banking on Starbucks wireless,” Dezhkam said.

Erin Moran of Bloomfield hasn't paid a bill through the mail in five years, opting to settle accounts using her iPhone. She avoids banking on a public Wi-Fi network but appreciates the convenience of mobile apps.

“I think it saves a lot of time,” said Moran, 27, a PNC customer.

Consumers should stick with apps developed by banks and never use those from third-party developers, Dezhkam said. They should be wary of any app that requests excessive personal information — access to contacts, the phone's camera, or text messages.

Chris Fleisher is a Trib Total Media staff writer. He can be reached at 412-320-7854 or Staff writer Andrew Conte contributed to this report.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.