Cybercriminals Targeting Apps

Gone are the days when bank robbers wore face masks and carried guns and dynamite to get into safes. Now, all they need is a comfortable chair and a PC. Earlier this year, cybercriminals stole $81 million from the Bangladeshi central bank, and they also stole the trust that the SWIFT global payments network had built with its 11,000 users.

Payments networks must constantly find new ways to battle incoming digital threats. According to a study by PYMNTS in conjunction with fraud detection company Forter, fraud jumped 137 percent in the U.S. from March 2015 to March 2016.

Following the Bangladeshi central bank incident, there were also a number of attacks on banks in Ecuador, the Philippines and Vietnam, according to Financial Times. SWIFT wants its network members to tighten security, stating: “The targeted customers have, however, shared one thing in common: They have all had particular weaknesses in their local security.”

Authentication methods for payments networks, such as SWIFT, or P2P money transfer apps are still not completely secure. Even banks sending and receiving encrypted data must prove their identity to access the data, and some of these methods are weak.

According to Justin Clarke-Salt, cofounder of Gotham Digital Science, a cybersecurity company, the attackers in the Bangladeshi central bank incident exploited a system weakness, which is that institutions use different protections for SWIFT. Also, cybercriminals attack smaller financial institutions who have less complex security systems.

Bigger institutions tend to build security layers and may have automated rather than manual system controls. Some have physical barriers, such as gated rooms for secure network access. Vice president of products at Nok Nok Labs in Palo Alto, Rajiv Dholakia, thinks that the SWIFT attackers were able to access weak networks in places like Bangladesh or the Ukraine and from there pretended to be legal entities by virtue of being in the network.

Dholakia stated that attackers are growing increasingly sophisticated and penetrating existing defenses at a faster rate. “A common thread to many of these attacks is compromised or hijacked credentials that allow an attacker to pose as a legitimate entity.”

The main goal of cybercriminals is to steal money, and this can be done by stealing consumer identities. EMV payments have made it more difficult for criminals to steal using fake credit cards or by hacking into payment terminals software. But criminals are trying to find ways to take advantage of “card-not-present transactions,” where a user pays online or over the telephone.

Cybercriminals are now targeting web and mobile apps in attempts to secure stolen user credentials. Complex authentication systems for apps are a disincentive for users, and companies don’t want to resort to cumbersome authentication.

Visa Verifed tried a system whereby the user was delivered to another page for authentication by a third party, but according to Smrithi Konanur, a global product manager at HPE Security’s data security division: “That process didn’t go very well because retailers didn’t see it as a good experience for their customers, so it didn’t take off.”

Scott Clements, chief strategy officer at Vasco Data Security, said that mobile malware has increased threefold in the past year among banks and mobile apps.

“Hackers are reverse-engineering online banking apps, copying them and putting them in unofficial app stores, especially in China, to trick consumers into believing they are the real app — and so harvesting their credentials.”

But banks that are competing with FinTech startups will be reluctant to employ secure systems for apps that might detract from the user experience.