It doesn’t take much to guess why cybercriminals increasingly target banking applications, including emerging fintech and trading apps: cybercriminals have been, and continue to be, largely financially motivated. Recent research found that traditional banking apps accounted for 61% of the apps targeted by 29 specific banking trojans last year, while emerging fintech and trading apps made up the other 39%.
What’s wrong with traditional security mechanisms employed by these apps? Tools and tactics such as Strong Passwords, Domain-Based Security, One-Time-Passwords (OTP), and Multi-Factor Authentication (MFA) aren’t making the cut because they aren’t keeping pace with the evasive nature of cybercriminal tactics. Threat actors are aware of where users and organizations spend most of their time and in today’s remote reality, that’s on mobile devices. So how can banks and financial institutions secure their banking applications from attacks and thus protect their users’ and employees’ most sensitive information?
The battle at hand
Before I dive into the solution, let me provide some color to the issue organizations are up against. To address the issue head on, we must have visibility into the scope of the problem.
The Zimperium zLabs team last year discovered 10 new active banking malware families targeting banking applications. The 19 malware families that persisted from 2022 showed new capabilities that pushed them into the category of evasive and, in particular, relentless in their pursuit of financial exploitation. For a malware agent or capability to be characterized as highly evasive, it must show an ability to slip past the traditional security tooling that the majority of organizations deploy. For example, the new trojans leveraged a tactic called an Automated Transfer System (ATS module), which allowed cybercriminals to automate fraud by extracting credentials and account balances, initiating unauthorized transactions, obtaining Multi-Factor Authentication (MFA) tokens, and authorizing fund transfers.
It’s also important to consider that users are much more susceptible to mobile-based phishing attacks. As an IT and security leader at a bank or financial institution, you must accept the fact that you no longer hold the reins of employee behavior as tightly as you once did. Where once employees worked largely from managed work devices connected to a central data center, employees are now working remotely from all corners of the earth using a mix of managed and personal devices to transfer data, share documents and communicate. If you provide a banking application for use by either employees or outside users, that is an attractive attack surface for cybercriminals looking to prey on negligent user behavior. And the payoff is lucrative – the breach of financial information has the potential to upend someone’s entire life.
Securing precious banking applications
There are four key things that IT and security leaders can do to secure their banking or financial institution. I lay them out below:
- First, ensure that the application’s protection measures match the level of sophistication of today’s threat actors. Your application security team needs advanced code protection techniques that will hold up against threat actors who may be able to bypass traditional code protections. These protections should aim to impede the reverse engineering and tampering of mobile applications. Malicious actors have a much harder time dissecting an app when they’re confronted with multiple methods of app hardening and anti-tampering. This multi-layered architecture not only deters the creation of targeted malware but also reduces the likelihood of scalable fraud. The goal is to elevate your mobile application security posture to a point where attackers don’t see the value or potential gain in attacking it.
- Second, your teams need to enable runtime visibility across the various threat vectors, including device, network, application, and phishing. Many security and development teams are operating in the dark, with a limited understanding of the mobile threats targeting their applications on end-user devices in real time. Zimperium research found that most apps are largely non-compliant with the OWASP Mobile Application Security Verification Standard (MASVS). To close this gap, real-time visibility is imperative for active identification and reporting of risks.
- Third, deploy on-device protection for real-time threat response. Once you have real-time threat visibility nailed down, it’s time for real-time response. The whole point of visibility is to respond to threats immediately, not hours or days later. This ability to take action should be autonomous, with no dependency on network connectivity or back-end server communication. Of course, the response will depend on the severity and context of the threat; it could include halting the application, changing its behavior dynamically, or redirecting the user to educational material.
- Lastly, it’s vital to invest attention and training in the consumer, educating them and ensuring that they don’t remain a weak point in organizational security. As users of your organization’s banking application, it’s important that they are aware of the danger of granting too many permissions. Granting accessibility permissions without closely looking at what the app is requesting can be risky, because these permissions give apps broad control over a device’s functionality. One of the giveaways that an app is fake is that banking trojans will usually ask for tons of permissions and then exploit accessibility features to automate transactions, capture sensitive data (such as passwords) or overlay fake login screens on legitimate banking apps.
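As an added illustration of the third and fourth points (this is example code written for this page, not Zimperium’s product logic or anything from the article), here is a small Python sketch of an on-device response policy: runtime signals gathered across the device, network, application and phishing vectors are scored and mapped to a response entirely locally, with no back-end call, and the severity of the response depends on the combination of signals rather than any single one. The accessibility-service check parses the colon-separated `package/service` form that Android’s enabled-accessibility-services setting uses and compares each package against an allow-list. The signal names, thresholds, allow-list and the sample setting string are all constructed assumptions for the example.

```python
"""Constructed example of an autonomous on-device threat-response policy.

Nothing here talks to a server: signals are scored and a response is
chosen in-process, so the decision works with no network connectivity.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    INFO = 1
    LOW = 2
    HIGH = 3
    CRITICAL = 4


class Response(IntEnum):
    ALLOW = 0     # nothing to do
    EDUCATE = 1   # redirect the user to educational material
    RESTRICT = 2  # keep running but disable sensitive features (transfers, etc.)
    HALT = 3      # stop the session outright


@dataclass(frozen=True)
class Signal:
    vector: str          # "device" | "network" | "application" | "phishing"
    name: str            # constructed signal identifier
    severity: Severity
    detail: str = ""     # e.g. the package or domain involved


# Accessibility services this hypothetical bank treats as legitimate.
# (The first entry is the package name of a well-known screen reader.)
ACCESSIBILITY_ALLOWLIST = frozenset({
    "com.google.android.marvin.talkback",
})


def parse_enabled_accessibility_services(setting: str) -> list[str]:
    """Return the package names from a colon-separated 'package/service' list."""
    packages: list[str] = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        packages.append(entry.split("/", 1)[0])
    return packages


def accessibility_signals(setting: str) -> list[Signal]:
    """One HIGH signal per enabled accessibility service not on the allow-list."""
    return [
        Signal("device", "unknown_accessibility_service", Severity.HIGH, pkg)
        for pkg in parse_enabled_accessibility_services(setting)
        if pkg not in ACCESSIBILITY_ALLOWLIST
    ]


def decide(signals: list[Signal]) -> Response:
    """Map the set of current signals to a response.

    Context matters, not just the worst single severity: an unknown
    accessibility service on its own restricts sensitive features, but
    combined with an overlay-capable third-party app (the pairing the
    article attributes to banking trojans) it halts the session.
    """
    if not signals:
        return Response.ALLOW
    names = {s.name for s in signals}
    worst = max(s.severity for s in signals)
    if worst == Severity.CRITICAL:
        return Response.HALT
    if {"unknown_accessibility_service", "overlay_capable_app"} <= names:
        return Response.HALT
    if worst == Severity.HIGH:
        return Response.RESTRICT
    if worst == Severity.LOW:
        return Response.EDUCATE
    return Response.ALLOW


if __name__ == "__main__":
    # Constructed setting value: a legitimate screen reader plus an unknown service.
    setting = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.unknown/.HelperService")
    signals = accessibility_signals(setting)
    print("accessibility only ->", decide(signals).name)
    signals.append(Signal("application", "overlay_capable_app",
                          Severity.HIGH, "com.example.unknown"))
    print("plus overlay-capable app ->", decide(signals).name)
    print("phishing link only ->",
          decide([Signal("phishing", "lookalike_domain", Severity.LOW,
                         "bank-login.example")]).name)
```

The allow-list approach is deliberately conservative: any accessibility service the bank has not vetted is treated as a HIGH signal, which is why the restrictive response is chosen rather than a hard stop, leaving room for the user to be told what was found and why.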
Attacks targeting mobile applications do share many similarities across industries, but as the security voice for your bank or financial institution, there are nuances in your industry that need to be top of mind. A truly mobile-powered business needs a mobile-first security strategy, and banking institutions that offer applications to their users or employees should stay alert to the tactics of banking trojans and financially motivated cybercriminals at all times.
About the Author
Krishna Vishnubhotla is a seasoned professional in the SaaS industry, specializing in catalyzing startup growth through adept product and marketing strategies. With a keen focus on mobile application security products, he has a proven track record in defining and executing product visions that drive significant revenue growth. In addition to managing a global customer success portfolio, he established high-value strategic partnerships. His leadership skills extend to spearheading revenue generation efforts, serving a diverse clientele across multiple industries.
Krishna can be reached online at his LinkedIn (https://www.linkedin.com/in/krishna-vishnubhotla/) and at his company website https://www.zimperium.com/.