Bank Systems & Technology is part of the Informa Tech Division of Informa PLC


Lessons Learned from Mobile Attacks in the Middle East

A recent malware attack targeting bank customers in the Middle East offers some tips on how such attacks can be prevented.

Attention on cyber security has skyrocketed since the end of last year thanks to the data breaches that hit several of the nation’s biggest retailers. But in other parts of the world cyber security has been a hot topic for much longer. Ever since the famous Stuxnet virus was used to damage Iran’s nuclear program, the Middle East has been a hotbed of cyber attacks conducted by a range of different players. The Syrian Electronic Army, for instance, has waged a cyber campaign of targeted DDoS attacks and hacks in support of Bashar al-Assad’s brutal war against rebels in Syria.

While these politically motivated actions against nation-states have grabbed headlines, banks and businesses in the Middle East have also been at risk. In one recent example, several Mid-East banks were hit a couple of weeks ago by a malicious botnet that, disguised as a banking app, infected Android mobile devices.

While these kinds of mobile attacks are not as widely known in the States yet, it’s reasonable to expect that they will become more prevalent here as more online activity shifts to mobile. That means banks will need to start educating consumers about being more cautious and skeptical in the mobile app stores, says John Zurawski, VP of Authentify, a security and authentication solutions provider. “Mobile security will be much like online security. If you don’t know where it’s from, don’t click on it,” he points out.


Banks will need to educate consumers on their mobile offerings so they know what to look for in the app stores. “You have to alert users that you won’t ask them to download any second app for security [a common prompt used by malicious apps to attract downloads]… You need to tell consumers to research apps before downloading them,” Zurawski advises. “The end user needs to know what your app looks like, what the logo is [in the app store]. The real app is going to have a lot of downloads and reviews. The end user needs to realize that if they see a Bank of America app with 16 downloads then it’s a fake.”

There are anti-virus programs for mobile as well that banks should promote, he says. “The trojan at work in the Mid-East had a signal code that was well known. Any of the top anti-virus programs would have noticed it. But I could probably stop 100 people on the street and none of them would have anti-virus protection on their mobile device,” Zurawski notes.

Banks should also use more post log-in verification for mobile sessions, Zurawski adds. The botnet at work in the Mid-East attacks intercepted one-time passcodes that were sent to users’ mobile devices for authentication. Zurawski says that he expects banks will move away from that type of authentication towards a model where details are presented to the consumer out-of-band for approval after the log-in has occurred.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...
