FBI Warns of Increased Hacking Risk if Using Mobile Banking Apps
23rd June 2020
The U.S. Federal Bureau of Investigation (FBI) today warned mobile banking app users that they will be increasingly targeted by hackers trying to steal their credentials and take over their banking accounts.
The alert, published on the agency’s Internet Crime Complaint Centre (IC3), says that the increased usage of such apps during the pandemic could lead to more exploitation attempts targeting their users.
The FBI is anticipating that threat actors will focus their attacks on mobile banking customers since most Americans are using such services for making payments, transferring funds, and cashing checks.
“US financial technology providers estimate more than 75 percent of Americans used mobile banking in some form in 2019,” the FBI says. “Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020.”
Banking Trojans and fake apps
The FBI anticipates that malicious actors will try to exploit new mobile banking customers using a wide range of techniques, including but not limited to fake banking apps and app-based banking Trojans.
Mobile banking users who download an app-based banking Trojan onto their tablet or smartphone are usually asked to give it the permissions it requires to steal their information.
Such malware does not go snooping around the victim’s Android or iOS device but, instead, it will stay dormant and will only surface when the user opens a legitimate banking app on his device.
At that time, the “Trojan creates a false version of the bank’s login page and overlays it on top of the legitimate app.”
“Once the user enters their credentials into the false login page, the Trojan passes the user to the real banking app login page so they do not realise they have been compromised.”
According to a February 2020 Kaspersky report detailing the mobile malware evolution during last year, the average number of attacks by mobile banking Trojans in 2019 was of approximately 270,000 per month.
Monthly mobile banking Trojan attacks in 2018 & 2019
Fake banking apps, on the other hand, are impersonating the banks’ real mobile apps and, once installed on a victim’s device, will collect the users’ credentials when they try logging in.
“These apps provide an error message after the attempted login and will use smartphone permission requests to obtain and bypass security codes texted to users,” the FBI explains.
“US security research organisations report that in 2018, nearly 65,000 fake apps were detected on major app stores, making this one of the fastest-growing sectors of smartphone-based fraud.”
Mitigation measures
The FBI says that users and organisations can easily defend against such attacks by taking several measures that will thwart the hackers’ attempts.
First of all, you should always download mobile banking apps straight from your bank’s website or official apps stores such as Google’s Play Store or Apple’s iOS App Store since all apps included are scanned for and checked for malicious behaviour and content.
Users are also advised to enable two-factor authentication (2FA) or multi-factor authentication (MFA) if available since it will protect you against the vast majority of attacks.
Director of Identity Security at Microsoft Alex Weinert said that “your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
Weinert also added that “use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
Using strong and unique passwords is another way of preventing your banking account from being hacked as it will block hackers from brute-forcing their way into your account by trying passwords you used for other online services.
Last but not least, the FBI urges users to immediately call their banks whenever they spot any suspicious behaviour while using a mobile banking app.