On June 10, the FBI issued a public service announcement identifying a rising trend of mobile exploits.
Specifically, they anticipate a spike in cyber actors using app-based banking trojans, fake apps, and other financial vulnerabilities.
We’ve become so used to mobile devices being an extension of our real lives that we hardly think twice about banking or investing from the comfort of our pocket. However, even as technology has risen to prominence in the most sensitive financial areas of our lives, baseline security measures have not improved in the habits of most users.
“Monkey” is still an alarmingly common password, and many people are still using the same password on multiple accounts. If you’re cashing checks and moving funds around on your phone but you’re still using the same password you had for your Neopets account back in the day, this should be a wakeup call.
The FBI reports that 75% of Americans used some form of mobile banking last year. With the lockdown, looming economic concerns, and more time on our hands, mobile banking has seen a 50% surge since the beginning of 2020.
More and more people are finding themselves more willing to bank on their mobile rather than physically visit a branch location due to social distancing policies.
Things to look out for
The most sophisticated dangers here are app-based trojans and fake banking apps.
In response to both rising mobile banking use and increased concerns about mobile security, banks nationwide are issuing new and updated apps for their mobile services. This creates something of a perfect storm, however.
Trojans might lie dormant on your phone for years, perhaps smuggled in on a dumb game or simple utility app. These trojans are designed to trigger when they detect a new version of a banking or other financially sensitive app on your device. When you’re prompted to log in, the malicious app redirects you to a fake login page. You enter your information thinking that you’re just headed to your bank account as usual, but congratulations: you’ve just handed your account information to a thief.
Fake banking apps deliberately impersonate legitimate apps. Many take advantage of smaller, local banks that are less likely to have a robust cyber security response team, but even the big banks are not immune. Alarmingly, security experts found nearly 65,000 fake apps on mainstream app stores in 2018, leading the FBI to name this “one of the fastest growing sectors of smartphone-based fraud.”
Other concerns are also raised by this trend. Even if you don’t bank from a mobile app, malicious actors are also using investing services, food delivery services, and online shopping systems in the same nefarious ways.
The FBI advises users to be particularly careful when downloading apps — not just financial apps, but all of them. This obviously isn’t fool-proof, since nefarious apps are prevalent even in the Google Play Store and App Store, but downloading from untrusted sources is just asking for trouble.
The majority of users do not use two-factor authentication even when it’s an option. It’s time to start taking this extra step. The FBI advises the following:
- Enable two-factor or multi-factor authentication on devices and accounts to protect them from malicious compromise.
- Use strong two-factor authentication if possible via biometrics, hardware tokens, or authentication apps.
- Use multiple types of authentication for accounts if possible. Layering different authentication standards is a stronger security option.
- Monitor where your Personally Identifiable Information (PII) is stored and only share the most necessary information with financial institutions.
- Do not click links in emails or text messages; ensure these messages come from the financial institution by double-checking e-mail details. Many criminals use legitimate-looking messages to trick users into giving up login details.
- Do not give two-factor passcodes to anyone over the phone or via text. Financial institutions will not ask you for these codes over the phone.
Most importantly, the Bureau recommends getting into the habit of using strong password practices. Every single service that you use should have a unique, eight-character-minimum password that uses a mix of uppercase letters, lowercase letters, numbers, and symbols.
The National Institute of Standards and Technology actually takes this recommendation a bit further, advising a minimum password length of 15 characters.
Reusing any password creates a vulnerability since compromised accounts are commonly sold in bulk or published publicly in malicious data dumps. Fraudsters can then attempt to brute force a variety of services using the same login credentials.
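As an added illustration (not part of the article or the FBI announcement), this Python audit applies the rules stated above to a constructed sample vault: the FBI’s eight-character, four-class minimum, NIST’s 15-character minimum, and the reuse problem just described. The vault contents and service names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample vault (not real credentials): service -> password.
SAMPLE_VAULT = {
    "bank": "Tr0ub4dor&3",
    "broker": "Tr0ub4dor&3",        # reused from the bank account
    "food-delivery": "monkey",      # still an alarmingly common password
    "shopping": "correct horse battery staple",
    "email": "Xq7!mvR2#pLw9zA&bT",
}

FBI_MIN_LENGTH = 8    # eight-character minimum with four character classes
NIST_MIN_LENGTH = 15  # longer minimum the article attributes to NIST

# The four character classes the FBI guidance asks for.
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def missing_classes(password):
    """Names of the character classes the password does not contain."""
    return [name for name, rx in CLASSES.items() if not rx.search(password)]

def check_password(password):
    """Return a list of findings; an empty list means both thresholds are met."""
    findings = []
    if len(password) < FBI_MIN_LENGTH:
        findings.append(f"shorter than the {FBI_MIN_LENGTH}-character minimum")
    elif len(password) < NIST_MIN_LENGTH:
        findings.append(f"shorter than the {NIST_MIN_LENGTH}-character NIST minimum")
    missing = missing_classes(password)
    if missing:
        findings.append("missing " + ", ".join(missing))
    return findings

def audit_vault(vault):
    """Return {service: [findings]}, flagging any password shared across services."""
    services_by_password = defaultdict(list)
    for service, pw in vault.items():
        services_by_password[pw].append(service)
    report = {}
    for service, pw in vault.items():
        findings = check_password(pw)
        others = sorted(s for s in services_by_password[pw] if s != service)
        if others:  # one leaked dump would expose every service in this list
            findings.append("reused on " + ", ".join(others))
        report[service] = findings
    return report
```

Running `audit_vault(SAMPLE_VAULT)` flags the bank and broker entries as reused and too short for the NIST threshold, while the email entry passes clean.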
If totally unique passwords for everything seems like a tall order, you might consider grabbing a password management service. NordPass is currently offering Android Authority readers 49% off, but there are many good options on the market as well. These services generate, remember, and update complex passwords and sync them throughout all your devices and platforms.