Pierluigi Paganini August 12, 2012

Article published on The Malta Indipendent

Ron Kelson,

Pierluigi Paganini, Fabian Martin,

David Pace,

Benjamin Gittins

Many people are inclined to leave the responsibility for personal banking security entirely with the banks. However, this is not a good strategy for many reasons, including:

1. You don’t want malware of ANY sort on your computing device(s)
2. Even if you are reimbursed after you have been attacked, resolving an incident can be both inconvenient, and stressful.

In this article we begin by introducing various mobile banking techniques and their security rationale. We then explore various attacks against mobile banking systems, and what you can do to minimise your risk.

Mobile banking refers to any system that enables regular banking services through a mobile phone. A popular misconception is that we need a smartphone and a bespoke application to access bank services. In the most general case, the mobile phone is simply used as a type of computer terminal to access various banking services through wireless communication services, such as Simple Message Services (SMS), USSD, Near Field Communications (NFC is similar to RFID), and 3G Data (Internet over mobile).

Some of these services (Pull Services) are explicitly requested by the customers, while others (Push Services) are sent by the bank to users under specific conditions, e.g. Alerts.

The types of service that can be securely delivered depends on the mobile phone’s features, the available channels provided by the telephony operator, the technical characteristics of the channel provided, and the desired balance between usability, reliability and speed of execution of operations. In this article we will explore four different ways mobile phones can perform banking transactions.

Some banks offer simple banking services through regular SMS. Let us imagine a user wishes to perform a Bank Account Balance Enquiry for the account ending in 981 that is associated with this registered mobile phone. In this case, the user sends an SMS with the message “A 981”, and receives an SMS with the account balance. This simple type of banking service can pose security problems for users because the account balance is transmitted in the clear, and because the account Identifier is stored in an SMS message that leaves itself open to exploitation if that user’s mobile phone is lost or stolen. So regular SMS can be useful for very simple query services, but may not be well suitable for making transactions such as money transfers, because this should also involve some form of secure authentication of the user.

In some countries, such as Africa, USSD (Unstructured Supplementary Service Data) is a popular method for providing mobile banking transactions. USSD is essentially an unauthenticated service that employs the SIM card in the phone, and the voice channel on mobile phones to exchange data with a banking server.  It is frequently accessed via a predefined number like *144#  that you can type in your mobile phone. The user interface is rendered as plain text on the screen of all mobile phones, even the simpler ones.  USSD uses the GSM infrastructure and, technically, it is possible for an insider, working for the telephony operator, to intercept the communication when the data is travelling between the USSD gateway and the information server, and to fake transactions. To try and manage this risk, banks limit the value of transactions that can be performed over USSD. However, attacks have been known to occur.

Today, many banks are exploring the use of wireless Near Field Communication (NFC) for fast and convenient micro transaction services. NFC technologies are found in some bank smart cards, and some mobile phones. NFC banking transactions assume that proximity of the card to the Point Of Sale Device confirms intent to buy. Unfortunately, these technologies can be very easily abused. White-hat hackers (the good guys) have demonstrated that it is easy to communicate with NFC devices from “far away”. A person a few metres away can buy items using your NFC card/smart phone without your consent, and you are unlikely to have your account reimbursed.

To get the best mobile banking experience, some banks deploy user-friendly graphical applications designed specifically to run on selected mobile phones. This includes Java applications designed for simple mobile phones, or advanced applications designed for advanced smartphones like Android, iPhone and Windows Phone. Advantageously, with these types of applications, the bank provider can employ more secure communications using encrypted SMS (or encrypted Internet data) that cannot be “sniffed” by the telephony operator/attackers. In this case, the mobile banking experience can be a complete substitute for e-banking from your desktop.

As we can see, the security aspects to be considered depend on how a particular banking service has been implemented, and the ways in which it uses your mobile phone. The majority of banks in developed countries aim for reasonably good levels of security, up to the extent required by regulatory and legal requirements. Unfortunately, this is not uniformly the case (e.g. RFID/NFC enabled credit cards in America).

Of course, even when banks do a good job, you can completely undermine your security by giving out your username and password to family members or friends. In these cases you can be directly responsible for all fraudulent transactions, and rightly so.

Unfortunately, even if you keep control of your passwords, new generations of malware are now targeting the e-banking sector, and for this reason it is necessary to adopt a comprehensive banking security solution that can also be deployed to mobile phones and tablets. As discussed in our previous article, some of these new malicious agents are able to compromise user banking authentication processes on desktop computers with sophisticated techniques that are able to replace the human operator, masking their operations with mechanisms for hijacking the flow of information between banks and clients. Because it is unlikely that both your desktop computer AND your mobile phone will be compromised at the same time, the use of both devices together provides much higher assurances of security.

We explore briefly two mobile phone approaches frequently employed to prevent desktop banking attacks from succeeding:

1. The first approach relies on the bank sending a one-time-use authentication code through SMS that you will use to authenticate / authorize a transaction initiated on your desktop.
2. The second approach uses some application stored on your phone that manages an electronic credential (in the form of cryptographic secrets) stored on your mobile phone to authorise transactions. This approach has two variations:  a) One variation is for the application to display the transaction to be authorised on the screen, along with a one-time password the mobile phone generates that the user should type into the desktop if they agree with the transaction.  b) A more secure variation is for the mobile phone to display the requested transaction and then, on your approval, electronically sign the transaction to authorise the transaction.

In our opinion, given the security controls built into smartphone operating systems are now stronger than the security controls in desktop computers, at the moment, and in general, mobile banking applications on smart phones are probably more secure than regular internet banking over your web-browser.

However, as we discussed in our previous article “Smartphone Monitoring and Malware… Up close and personal…” the malware threat on mobile devices is starting to grow rapidly. You can trivially undermine mobile banking security by “Jailbreaking” your iPhones and “rooting” your Androids. Your mobile phone will then be at risk to the same type of advanced (banking) malware risks found on desktops…

However, even if you don’t jailbreak your phone, there are other risks. As regular readers of our articles know, cyber criminals are starting to exploit security vulnerabilities present in all mainstream smartphone operating systems. Today, we are observing the emergence of malware on “factory standard” smart phones designed to steal sensitive information, such as banking credentials. Some of these attacks deduce user interaction on the touchscreen by reading data from the accelerometers, or by exploiting other vulnerabilities in the smartphone operating system. However, for these rare attacks to be successful: a) they require you to have inadvertently installed some malicious applications on your phone, b) the mobile banking system that is being attacked has been designed in a very careless way and c) the attack must be very specialised against a specific bank.

Right now, it is much more likely that attacks against mobile banking in the short term will be similar to the simpler low-tech attacks against regular e-banking on your desktop. This means that you may be subject to phishing SMSs, you may receive a false e-mail with a QR-Code requiring you to install a new application or a new security feature provided by your bank, or a malware will require that you type your account number and password in order to steal it. Be Smart, and don’t fall for these simple tricks!

Today, you will likely be protected by laws that require banks to ensure there are adequate security measures in place in order to access their systems via mobile devices, even against phishing attacks. However, as happens with providers of any kind of service, some banks are more secure and have more sophisticated and comprehensive security measures in place than others. In particular, some advanced banks are beginning to actively monitor the health of the device that is accessing banking services. This means that if your device is not reliable, the bank may choose to restrict the portfolio of services you can use through it, or block your access through that device until it becomes healthy again. These monitoring systems are audited to ensure that the bank is not capturing personal private information, and that they only work to protect you.

So it’s sensible and recommenable that you keep the device you are using for banking in good health. Do not leave the responsibility of banking security only with the banks. Banking security is also your problem. After all, even if you are reimbursed in the event of fraud, resolving a security incident can be inconvenient, stressful and consume a lot of your time. Inform yourself, and if in doubt about any potentially fraudulent email or SMS, contact your bank.

Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of

Security Affairs (http://securityaffairs.co/wordpress)

Prof. Fabian Martins, (http://br.linkedin.com/in/fabianmartinssilva) is a banking security expert and Product Development Manager

at Scopus Tecnologia, (http://www.scopus.com.br/) owned by Bradesco Group.

Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited  [email protected] .

Ben Gittins is CTO of Synaptic Laboratories Limited. [email protected]

David Pace is project manager of the ICT Gozo Malta Project and an IT consultant

Tel::  +356 7963 0221

ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Malta Government, Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT professionals to register on the ICT GM Skills Register and keep abreast of developments, both in Cybersecurity and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at [email protected] .