their  banking  applications  from  attacks  and  thus  protect  their  users’  and  employees’  most  sensitive
            information?



            The battle at hand

            Before I dive into the solution, let me provide some color to the issue organizations are up against. To
            address the issue head on, we must have visibility into the scope of the problem.

            The  Zimperium  zLabs  team  last  year  discovered  10  new  active  banking  malware  families  targeting
            banking applications. The 19 malware families who persisted from 2022 showed new capabilities that
            pushed  them  into  the  category  of  evasive  and,  in  particular,  relentless  in  their  pursuit  of  financial
            exploitation. For a malware agent or capability to be characterized as highly evasive means that it shows
            an ability to sneak past traditional security tooling normally deployed by the majority of organizations. For
            example, the new trojans leveraged a tactic called Automated Transfer System (ATS Module), which
            allowed  cybercriminals  to  automate  fraud  by  extracting  credentials  and  account  balances,  initiating
            unauthorized  transactions,  obtaining  Multi-Factor  Authentication  (MFA)  tokens,  and  authorizing  fund
            transfers.

            It’s also important to consider that users are much more susceptible to mobile-based phishing attacks.
            As an IT and security leader at a bank or financial institution, you must accept the fact that you no longer
            hold the reins of employee behavior as tightly as you once did. Where once employees worked largely
            from managed work devices connected to a central data center, employees are now working remotely
            from  all  corners  of  the  earth  using  a  mix  of  managed  and  personal  devices  to  transfer  data,  share
            documents and communicate. If you provide a banking application for use by either employees or outside
            users, that is an attractive attack surface for cybercriminals looking to prey on negligent user behavior.
            And the payoff is lucrative – the breach of financial information has the potential to upend someone's
            entire life.



            Securing precious banking applications

            There are four key things that IT and security leaders can do to secure their banking or financial institution.
            I lay them out below:

               •  First, ensure that the application’s protection measures match the level of sophistication
                   of  today’s  threat  actors.  Your  application  security  team  needs  advanced  code  protection
                   techniques  that  will  fight  against  threat  actors  who  may  be  able  to  bypass  traditional  code
                   protections. These protections should aim to impede the reverse engineering and tampering of
                   mobile applications. Malicious actors have a much harder time dissecting an app when they’re
                   confronted  with  multiple  methods  of  app  hardening  and  anti-tampering.  This  multi-layered
                   architecture not only deters the creation of targeted malware but also reduces the likelihood of
                   scalable fraud. The goal is to elevate your mobile application security posture to a point where
                   attackers don’t see the value and potential gain of attacking






            Cyber Defense eMagazine – June 2024 Edition                                                                                                                                                                                                          158
            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.