SMS Authentication Under Siege, Banks Warned!

By Tongai Mwenje

Banks have been urged not to rely on text messages for two-factor authentication, according to recently published research, as cyber criminals develop advanced malicious software for Android devices to defeat the security measures that banks offer.

Many banks now offer online services in which a transaction is confirmed by sending an SMS message containing a code that is entered into a web-based form. The code expires within a few minutes and is intended to thwart cyber criminals who already hold a person’s login credentials.

Cyber criminals have studied this scheme closely and developed their own software to manipulate online banking systems. Multiple mobile malware suites now exist that work in tandem with desktop malware to defeat one-time passcodes, according to the well-known researcher Ken Baylor.

The researcher, who is research vice president at NSS Labs, has warned providers of online banking services not to rely solely on SMS-based authentication, as it has been heavily compromised.

Nearly all mobile malware is written for the open-source Android OS, which allows users to install any application, he added.

Apple’s iOS is safer from this mobile malware, since Apple forbids installing applications that haven’t been vetted by the company.

“Cyber criminals use a one-two punch. Once a PC is compromised, the malware injects new fields or pop-up menus into the screen, asking for a person’s phone number, their mobile operating system type and phone model.

A link is sent to the phone, which if clicked prompts for the installation of malware that sends one-time passcodes to another phone, allowing someone to log into a person’s bank account,” explained the expert.

Much of the PC and mobile phone malware originates from countries that were part of the former Soviet Union. The malware developers focus on Android since it is widely used, and there appear to be few iOS specialists in those nations.

Well-known desktop banking malware programs such as SpyEye, Citadel, Zeus and Carberp all have a mobile Android component. Although Google patrols its Play Store for malicious applications, “a significant amount of malware escapes detection,” the report said.

The researcher bemoaned that financial institutions are slow to adapt to technological change and so fall victim to these cyber criminals. As mobile banking continues to grow, their applications still carry security weaknesses, the source says.

The source also noted that many banks still operate plain HTML mobile applications rather than moving to more secure native applications.

In conclusion, the findings advised financial institutions to revise their applications to include a combination of hardened browsers, certificate-based identification, unique install keys, in-app encryption, geolocation and device fingerprinting.
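The expiring SMS code described earlier, combined with the device fingerprinting recommended here, can be illustrated on the bank's side of the exchange. The following is an added example written for this article; it is not code from the article, from NSS Labs or from any bank, and the `OtpService` class, its method names, the constants and the sample browser fingerprints are assumptions for illustration. Each code is single-use, expires after a few minutes, is stored only as a keyed hash, and is bound to the fingerprint of the browser that started the login, so a passcode forwarded to another phone and typed in from a different browser is refused and logged:

```python
"""Server-side handling of SMS one-time codes: time-limited, single-use,
bound to the device fingerprint that started the login, and rate-limited.
Added example for illustration; OtpService and its names are hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 180      # the code "expires in a few minutes"
MAX_ATTEMPTS = 5           # limits guessing of a 6-digit code


def fingerprint_hash(device_fingerprint: str) -> str:
    """Hash the browser/device fingerprint string collected at login time."""
    return hashlib.sha256(device_fingerprint.encode()).hexdigest()


@dataclass
class Challenge:
    user: str
    fingerprint_hash: str   # device that requested the code
    code_hash: str          # HMAC of the code; the plaintext exists only in the SMS
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                  # injectable clock, so expiry can be tested
        self._challenges: dict[str, Challenge] = {}

    def _code_hash(self, challenge_id: str, code: str) -> str:
        # Keyed hash, so a leaked challenge table does not reveal live codes.
        msg = f"{challenge_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, device_fingerprint: str) -> tuple[str, str]:
        """Create a challenge and return (challenge_id, code). The code goes to
        the SMS gateway only; it is never logged or returned to the browser."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(
            user=user,
            fingerprint_hash=fingerprint_hash(device_fingerprint),
            code_hash=self._code_hash(challenge_id, code),
            issued_at=self._now(),
        )
        return challenge_id, code

    def verify(self, challenge_id: str, code: str,
               device_fingerprint: str) -> tuple[bool, str]:
        """Return (accepted, reason). Every rejection reason is safe to log
        for detection; the SMS code itself never is."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return False, "unknown challenge"
        if ch.used:
            return False, "code already used"
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            return False, "code expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        # The code must be entered from the browser that started the login.
        if not hmac.compare_digest(ch.fingerprint_hash,
                                   fingerprint_hash(device_fingerprint)):
            return False, "device mismatch"
        ch.attempts += 1
        if not hmac.compare_digest(ch.code_hash,
                                   self._code_hash(challenge_id, code)):
            return False, "wrong code"
        ch.used = True
        return True, "ok"


def demo() -> list[str]:
    """Walk through the forwarded-code scenario with constructed fingerprints."""
    clock = [1_700_000_000.0]
    svc = OtpService(secrets.token_bytes(32), now=lambda: clock[0])
    victim_browser = "ua=Firefox/118;os=Windows;tz=Africa/Harare"   # constructed
    other_browser = "ua=Chrome/117;os=Linux;tz=UTC"                 # constructed

    cid, code = svc.issue("alice", victim_browser)
    results = [
        svc.verify(cid, code, other_browser)[1],    # forwarded code, other device
        svc.verify(cid, code, victim_browser)[1],   # legitimate entry succeeds
        svc.verify(cid, code, victim_browser)[1],   # replay of a used code fails
    ]
    cid2, code2 = svc.issue("alice", victim_browser)
    clock[0] += OTP_TTL_SECONDS + 1                  # wait past the code's lifetime
    results.append(svc.verify(cid2, code2, victim_browser)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

The fingerprint check only raises the bar: an attacker who drives the victim's already compromised PC, as in the one-two punch described above, presents the victim's own browser fingerprint, which is why the article's remaining measures (hardened browsers, certificate-based identification, unique install keys, geolocation) are listed alongside it rather than instead of it. The rejection reasons returned by `verify` are the kind of signal a fraud team would feed into detection.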
