Banking apps threaten to become money for cyber crooks
Mobile banking applications are becoming the next target for hackers, leading to security concerns as more consumers use phones and tablets to manage their money.
“With the increasing applications for smartphones, basically hackers are changing their focus on smartphones and tablets,” said Nima Dezhkam, principal consultant of Security Compass. “This is inevitable.”
This month, authorities discovered the first major security threat to mobile banking when a malware called Svpeng made its way from Russia into the United States. Once it infects a device, Svpeng looks for banking apps, then locks the device and demands $200 to $300 to unlock it.
Svpeng can steal only general information, such as the name of a bank, and not siphon money from accounts, said Dmitry Bestuzhev, of Kaspersky Lab, a Russian information technology company, with offices in Woburn, Mass., that discovered the malware.
The threat to mobile devices should put banks and consumers on notice, tech security experts say.
“Naturally, the criminals are evolving,” said J. Keith Mularski, the FBI's supervisory special agent in charge of cyber crime, who is based in Pittsburgh. “I just don't think the bad guys have figured out how to take the money from the phones yet. But it's coming, for sure.”
Personal computers are a more lucrative target, because they often are connected to networks that give thieves access to an entire organization, Dezhkam said. Mobile devices offer access to one person. Also, unless mobile users grant permission to a malicious app to access their information, there's not much the malware can do.
But the ways people use mobile phones open them to risks.
Mobile apps tend to value convenience over security. That translates to caching of sensitive information, less complex passwords and fewer authentication steps, Dezhkam said. Antivirus software is not as common on mobile devices. And as people conduct more transactions through phones, the devices attract greater interest from virtual bank robbers.
Nearly 90 percent of adults have mobile phones, and the ubiquity is changing the financial service industry, according to a Federal Reserve survey. A third of mobile phone owners used them to do banking in the past year, up from 28 percent a year earlier.
The transactions that banks allow through mobile devices are more complex — enabling customers to deposit checks, for example, or small businesses to accept credit card payments.
As competition for customers intensifies, mobile banking has become a leading way to attract business, especially young and minority customers.
Citizens Bank had 30 percent growth in “mobile-active households” during the past year, said Michael Cleary, head of U.S. Distribution for Consumer Banking at Citizens.
“Security is an important part of the development process,” Cleary said. “We have fraud detection and other security-related systems and processes in place, and continually update and refine these measures.”
No law requires banks to reimburse customers if a hacker steals money, but it is a standard practice to hold customers harmless, said Tom Crosson, a spokesman for the Consumer Bankers Association. He knew of no bank without a “zero liability” policy.
“You want to make sure consumers feel safe and secure inside the banking system,” Crosson said.
Everyone should have anti-malware protections on their mobile devices, Bestuzhev said.
PNC Bank's online and mobile applications are encrypted and have layered protections, including a personalized security image and a question to verify a user's identity, the bank said.
Yet banks can do only so much to ward off malicious programs, Bestuzhev said. Consumers need to improve their habits.
First, they should never access their accounts when using public Wi-Fi.
“No banking on Starbucks wireless,” Dezhkam said.
Erin Moran of Bloomfield hasn't paid a bill through the mail in five years, opting to settle accounts using her iPhone. She avoids banking on a public Wi-Fi network but appreciates the convenience of mobile apps.
“I think it saves a lot of time,” said Moran, 27, a PNC customer.
Consumers should stick with apps developed by banks and never use those from third-party developers, Dezhkam said. They should be wary of any app that requests excessive personal information — access to contacts, the phone's camera, or text messages.
Chris Fleisher is a Trib Total Media staff writer. He can be reached at 412-320-7854 or email@example.com. Staff writer Andrew Conte contributed to this report.