News Column

Facing up to a growing threat

June 30, 2014

If the recent publicity concerning the 'Sandroid' virus - which impacted Middle East mobile phone users accessing their online bank accounts - served one useful purpose, it was to highlight the fact that banks and their customers face an ongoing threat when it comes to security. That Sandroid targeted banks in the region shouldn't have come as any great surprise, given that, unlike in the UK and US, where two factor authentication (2FA) security is still in its relative infancy, banks in the Middle East, Central and Eastern Europe, and Australia make extensive use of mobile phones as a 2FA security channel.

2FA is an authentication approach requiring the presentation of two or more of three authentication factors: a knowledge factor ('something only the user knows'), a possession factor ('something only the user has'), and an inherence factor ('something only the user is'). After presentation each factor must be validated by the other party for authentication to occur.

This explains why cyber-criminals have recently switched tactics - to take advantage of 2FA security - by bundling malware with Android apps that look like 2FA applications. Typically, Trojans such as Sandroid will create a pop-up box asking handset users to download a security application onto their phones. These programmes then intercept and relay the victim's incoming SMS messages to the hackers, who in turn use the customer's banking username and password to log in as the victim. Relatively crude, but very effective.

Yet this merely represents the tip of the iceberg. In its 'Cyber Security Trends for 2014' report, management consultancy Booz Allen Hamilton characterised cyber attacks as being the 'new normal' insofar as the financial services industry is concerned, with mobile security platform weaknesses giving rise to new threats such as the Perkele Trojan, for example.

Though Perkele has yet to significantly spread its tentacles globally, it has been present in the Middle East and is expected to expand beyond it, says the report.

Like Sandroid, crimeware kits such as Perkele and other cross-platform malware have identified large gaps in mobile device security, allowing criminals to take advantage of weaknesses in the system that let information be sent to a hacker who then "owns" the device.

Security applications provider Versafe found in the case of Perkele that the infection points were genuine websites that had been hacked to host the malware payload. It wasn't the first and will by no means be the last Trojan to employ this method. From a technical standpoint the user would submit a request for the bank's webpage from his or her computer, which had previously been infected by any of a variety of targeted web injection malware types.

The online banking page would then be sent to the user and opened by the web browser - the Trojan on the user's computer injecting malicious code into the webpage, prompting the user to enter his or her mobile information, including mobile number and operating system type.

The user's mobile information would then be sent to the attacker's dropzone, where a PHP-based system would process it and record the victim's details in a database.

PHP is a server-side scripting language designed not only for web development but also as a general purpose programming language.

According to Versafe the online banking page would then be injected with another script, asking the user to scan a Quick Response (QR) code with his or her mobile device in order to install an additional security mechanism.

The victim then scans the code, initiating download of the Perkele (or similar) mobile malware code.

The Trojan on the victim's computer would then conduct an automated transaction using the user's compromised credentials - an SMS message with the TAN/OTP (one time password valid for only one login session) then being sent to the victim's device. The Perkele malware on the mobile device then would redirect the TAN/OTP to the attacker's server.

Finally, JavaScript running on the victim's computer would receive the TAN/OTP and complete the transaction.
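The TAN/OTP step is the one point in the chain above where the bank could still refuse the transfer, so it is worth seeing what a server-side check can and cannot catch. The following is an added illustration, not code from Versafe, any bank or the column: a transaction-bound, single-use SMS TAN validator whose class, method and account names are constructed assumptions. It rejects a replayed code and a code presented for a different beneficiary, but accepts a forwarded code for a transfer the Trojan itself requested, which is exactly why the chain succeeds and why the SMS text must show the transaction details to a user who actually sees it.

```python
import hashlib, hmac, secrets, time

# Added illustration, not any bank's code: a transaction-bound, single-use
# SMS TAN/OTP check. Names and values are constructed assumptions.
class TanService:
    def __init__(self, key: bytes, now=time.time, ttl: int = 120):
        self._key = key       # server-side secret used to derive TANs
        self._now = now       # clock, injectable for testing
        self._ttl = ttl       # seconds a TAN stays valid
        self._issued = {}     # tan_id -> [binding, expiry, used]

    @staticmethod
    def _binding(account: str, amount_cents: int, beneficiary: str) -> bytes:
        return f"{account}|{amount_cents}|{beneficiary}".encode()

    def _derive(self, tan_id: str, binding: bytes) -> str:
        mac = hmac.new(self._key, tan_id.encode() + binding, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, account, amount_cents, beneficiary):
        # The SMS repeats the details so a user who sees it can spot a mismatch.
        tan_id = secrets.token_hex(8)
        binding = self._binding(account, amount_cents, beneficiary)
        self._issued[tan_id] = [binding, self._now() + self._ttl, False]
        tan = self._derive(tan_id, binding)
        return tan_id, tan, f"TAN {tan} for {amount_cents / 100:.2f} to {beneficiary}"

    def verify(self, tan_id, tan, account, amount_cents, beneficiary) -> bool:
        rec = self._issued.get(tan_id)
        if rec is None or rec[2] or self._now() > rec[1]:
            return False          # unknown, already used, or expired
        binding = self._binding(account, amount_cents, beneficiary)
        if not hmac.compare_digest(rec[0], binding):
            return False          # issued for a different transaction
        if not hmac.compare_digest(self._derive(tan_id, binding), tan):
            return False          # wrong code
        rec[2] = True             # single use
        return True


def demo() -> dict:
    svc = TanService(secrets.token_bytes(32))
    tid, tan, _ = svc.issue("ACC-1", 5000, "PAYEE-OK")
    retarget = svc.verify(tid, tan, "ACC-1", 5000, "MULE-X")   # wrong beneficiary
    ok = svc.verify(tid, tan, "ACC-1", 5000, "PAYEE-OK")
    replay = svc.verify(tid, tan, "ACC-1", 5000, "PAYEE-OK")   # second use
    # The column's chain: the Trojan requests the transfer itself, so the forwarded TAN matches it.
    tid3, tan3, _ = svc.issue("ACC-1", 900000, "MULE-X")
    relayed = svc.verify(tid3, tan3, "ACC-1", 900000, "MULE-X")
    return {"ok": ok, "replay": replay, "retarget": retarget, "relayed": relayed}
```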

Given criminals go 'where the money is', growing liquidity in developing countries is likely to result in further attacks on local banks, especially given states across the Middle East, Latin America and Asia Pacific are now taking significant steps to modernise their economic infrastructures.

The scale of the problem is already evident - the Saudi Arabian Monetary Agency noting last year that fraudulent operations target Saudi and GCC banks once every 14 seconds.

Helping the criminals gain an edge, according to Cisco in its 2014 annual security report, is the maturation of mobile platforms - the principal consequence being that the more smartphones, tablets, and other devices perform like traditional desktop and laptop computers, the easier it is to design malware for them.

Growing use of mobile apps is also having an impact, given that when users regularly download them they're essentially putting a lightweight client on the endpoint and downloading code.

The core issue, as security teams grapple with the 'any-to-any problem', is self-evidently how to secure any user, on any device, located anywhere, accessing any application or resource.

From the perspective of banks and other institutions the trend towards BYOD (bring your own device) - allowing employees to bring personally-owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications - further muddies the security waters.

In addition, the use of wireless channels to eavesdrop and gain access to data being exchanged through those channels needs to be addressed.

However, in the area of theft, at least, significant progress is being made, with Google and Microsoft set to follow Apple in adding an anti-theft 'kill switch' to their smartphone operating systems.

In a recent report William Duckworth, an associate professor of statistics, data science and analytics at Creighton University, estimated that US consumers, for example, could save $2.6 billion a year if the 'kill' feature was widely rolled out across the industry. Apply this in a commercial context where sensitive data needs to be protected and the savings could be incalculable.

Noteworthy was that in New York, iPhone theft was down 19 per cent in the first five months of this year, while over the same period thefts of Samsung devices, which only started rolling out kill switches from April 2014, rose by more than 40 per cent. It doesn't take rocket science to conclude that if a kill switch locks a device, thereby rendering it useless, the device's resale value will correspondingly plummet. While the kill switch goes some way towards addressing the BYOD issue and removes many common criminals from the equation, keeping ahead of sophisticated hackers, who have the built-in advantage of being proactive rather than reactive, will prove a far greater challenge for banks and their customers until they improve their own security protocols.

The importance of being extremely vigilant cannot be overstated.


Source: The Gulf (Bahrain)
