Mobile Banking: What should we be cautious about?

We never, instinctively think about the dangers of mobile banking because it is something many of us do everyday. Likewise, we don’t think about whom is going to hack our cars, we don’t worry about our breaks snapping, and we surely do not worry about our smart devices being hacked. Every year, hackers are finding ways to find simple vulnerabilities in the technology we use most, so that they can use it to their advantage, and commit fraudulent activities.

Recently, e-banking has become a hot topic for many cyber security journals. E-banking makes going to bank effortless, saves time, and is ideally economical for students and those on-the-go. Through mobile technology, hackers have been able to put together systems that monitor and record account information of the target. Although security agencies have found a means to develop patches for the hacks, many more threats are beginning to emerge with newer tactics.

According to an article from Computerworld called, New ‘Hesperbot’ bank Trojan targets mobile authentication systems, there is an old virus takes on a new form. It’s called Hesperbot, or formally, “Spy.Hesperbot (ComputerWorld, 2013)”, and it is designed to monitor and log information that an e-banker would input into a mobile device. Countries that have been affected by the virus include the following: United Kingdom, Turkey, the Czech Republic, and Portugal.

welivesecurity.com provides an in-depth analysis on how Hesperbot functions, and what it can do if someone contracts the virus. Like many viruses, this malware will generally disguise as something that needs to be downloaded onto someones computer. Typically, the virus is usually initiated by downloading whatever is packaged with the phishing email. The following is an illustration from Tuicool, about how the process would take place.

Image

Image Source: <http://www.welivesecurity.com/2013/09/06/hesperbot-technical-analysis-part-12/>

After that, what is the catch? Keylogging – this can be a main method of attack, as many viruses make it simple for hackers to monitor key strokes. An excerpt from welivesecurity, illustrates how the Hesperbot keylogger would function:

“The keylogger module intercepts key strokes by hooking the functions GetMessage and TranslateMessage in user32.dll. They are then written to a log file, along with the originating process module name and window title text. [Afterward], the log gets sent to the C&C server (welivesecurity, 2013).” Hesperbot has been sighted several times over the past few months, but should still be considered something malicious.

Sources:

Dunn, John E.. “New ‘Hesperbot’ bank Trojan targets mobile authentication systems ( – Security ).” IDG News Service. N.p., 6 Sept. 2013. Web. 9 Sept. 2013. <http://news.idg.no/cw/art.cfm?id=82BDE0A0-A1EB-E1EC-46E90209BB8E95F2&gt;.

Lipovsky, Robert. “Hesperbot – Technical analysis part 1/2.” We Live Security. N.p., 6 Sept. 2013. Web. 9 Sept. 2013. <http://www.welivesecurity.com/2013/09/06/hesperbot-technical-analysis-part-12/&gt;.

 

Advertisements

6 thoughts on “Mobile Banking: What should we be cautious about?

  1. Very interesting subject and certainly this kind of attack will be much more common in the near future. Do you know if there is any specific reason for only these countries being affected?

    • This is a chart displaying the most affected countries in Europe.

      I have been trying to find a correlation between the country’s wealth vs. the intentions of the hackers, but found no proof that supports this. What I can say is, cellphones are becoming more of a commodity than computers are.

      If so, mobility is making targeting and attacking easier for hackers. More people are getting into mobile banking because it is an economical way to perform transactions. However, (dependent on the location), that person could be at risk for being hacked, for money.

  2. For those of us who use Mint or apps like it, would you suspect that we are at further risk? Further does the benefit of mobile banking outweigh the risk that someone may breach our account?

    • Interesting question. From what I know, Mint uses a banking protocol called OFX, or Open Financial Exchange. OFX uses the SSL (Secure Socket Layer) to encrypt passwords. Mint would have to request information from your bank, in order to view that information on Mint. Possibly, the attacker would have to guess what your secure access information was, in order to cue the information from your bank. Otherwise, you can block most public information on Mint, so that only you can see it.

      However, I would like to advise, that just because there is Mint (I also use Mint), does not mean it is a fail safe system. I’m sure it can be hacked, but is significantly harder to get accessible information from Mint.

  3. Would there be any difference in conducting online banking using wi-fi or your cell phone providers network like LTE? I utilize my iPhone for banking and other financial needs pretty much daily and always wondered if one is more vulnerable than the other, or if it is unsafe in general. I tend to not engage in expensive transactions through my smartphone, not wanting to take the chance. I feel like opening up e-mails on mobile devices is always risky as well since the interface is usually not suitable, or just that the website on the mobile version tends to cut out certain information and what not.

    • I suppose one would need to ask, “what is the likelihood for me to be attacked, at this instant of time?”. The chances for someone to get their bank account attacked from a mobile device are low, however we can’t say that it cannot happen. After today’s CSEC discussion, its good to understand that being 100% secure with yourself, can always lead to issues we can’t see.

      For that unfortunate businessman buying food at the restaurant, the facility that was attacked, his credit card information was stolen along with many other customers whom lost their information. In a similar fashion, we would have to think of a scenario where someone’s bank account can be hacked.

      Perhaps, someone is paying a bill at RIT. They supply information for their bank account to the clerk, for direct deposit. Somehow, someone hacks into the system, and uncovers information such as: account numbers, routing numbers, bank names, and other sensitive information.

      Attacking the bank account directly, from a different source, would most likely affect the mobile portion (I would like to think the mobile page is connected to the direct bank account – so any changes there would appear on the mobile device).

Comments are closed.