A new report released by NSS Labs, a security research and advisory company says Banks need to be more careful in authenticating the online banking customers when using SMS based passcodes for verification.
Besides the regular websites like emails and social networks, Banks have also readily adopted the two factor authentication method for security where they send a 4-6 digit code on the users registered mobile number to further verify their identity. However, the researchers suggests that it all began when the banks started to focus more on online and mobile banking services in the recent years, and the hackers followed suit. The hackers are in fact particularly targeting these services with “highly specialized financial malware“, which in turn led the banks to adopt the two factor authentication method.
And due to Android’s open source nature which allows everyone to create their own mobile application for users to download, it has become the cyber criminals favorite mobile OS. Not to forget the fact that Android OS today occupies the top position with the largest user base. The reports say 99 percent of the new mobile malware created are targeted towards Android. Apple’s iOS remains secure due to 3 reasons; very less number of users compared to Android, every app requires Apple’s permit, and there aren’t many malware developers who specialize in iOS.
The malware is mainly targeting the financial sector where transfer of high amount of money takes place. It works in way where the hacker first infects the victims desktop machine with malware’s such as ZitMo (Zeus-in-the-Mobile), SpitMo (Spy-in-the-Mobile) or CitMo (Citadel-in-the-Mobile), which takes information like their Contact number, mobile operating system and phone model. This malware works with the Android OS on the users phone. The victim is then sent a link on their phone saying its a “Security update“, clicking on the link installs the malware on their mobile.
The report suggests Banks should try to prevent these security attacks from their end by considering discarding the SMS based authentication for something more secure and by using, “hardened browsers on mobile devices with unique install keys, certificate based identification, in app encryption, geolocation, and device fingerprinting,”.
The users on the other end should take sufficient measures on their desktop to prevent such attacks and for the phone they should check the authenticity of the any app before installing it.
Via – PCWorld
Source – NSS Labs (Update Nov 11, 2015: The report by NSS Labs is no more accessible)