FBI Warns of Hackers Exploiting Mobile Banking Apps

Banking Applications

The Federal Bureau of Investigation (FBI) reports that the rise in the use of mobile banking applications is expected to lead to an increase in misuse.

A warning from the FBI’s Internet Crime Complaint Center (IC3) shows that mobile banking applications have seen broad acceptance over the past few years, and their use has increased by 50 per cent since the beginning of this year.

Thus, when downloading these types of applications to mobile devices, the FBI advises caution, since they may mask malicious intent.

Given the current coronavirus pandemic, individuals have become more likely to use mobile banking and the FBI suspects cyber actors will try to target new mobile banking customers with Trojans focused on phones, fake banking apps, and more.

Banking Trojans, the IC3 warning says, are typically disguised as other apps and remain dormant on devices until a legitimate banking application is launched. The Trojan then overlays a fake version of the bank’s login page and tricks the user into revealing their login credentials, which are sent to human operators who exploit them to compromise the account.

In some cases, cyber criminals create fake apps that impersonate legitimate financial software, also in an attempt to deceive users into entering their credentials. Such apps typically display an error message after an attempted login, and can steal security codes sent to the user by abusing smartphone permission requests.

“In 2018, nearly 65,000 fake apps were identified in major app stores by US security research organizations, making this one of the fastest-growing smartphone-based fraud sectors,” the FBI reports.

To stay protected, users should only download applications from trusted sources such as official app stores and bank websites, the FBI says. For smartphones used within private-sector companies, applications are usually checked through internal management systems.

The FBI states that using two- or multi-factor authentication is another way to stay safe from misuse, since it is highly effective in securing accounts against compromise. Compared to email- or SMS-based methods, modern MFA solutions (biometrics, hardware tokens, or authentication apps) are more secure.

The FBI also suggests using multiple types of account authentication where possible, keeping an eye on where personally identifiable information (PII) is kept and sharing only the most needed information with financial institutions, and avoiding clicking on links in emails or text messages or exchanging two-factor codes over the phone.

“Cyber actors frequently take advantage of users who reuse passwords or use that or insecure passwords. The FBI recommends that strong, unique passwords be created to mitigate those attacks. The most recent guidance provided by the National Institute of Standards and Technology encourages users to make passwords or passphrases that are 15 characters or more,” the alert also reads.

Users who find an app that seems suspicious are encouraged to contact the financial institution to report it. If a phone call claiming to be from the bank seems suspicious, users should hang up and call the bank at the customer service number listed on its website.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.