Two Is Usually Better Than One, But With 2FA It Might Not Be


By Robert Capps

FakeBank Mobile App Malware

Mobile banking is fast and convenient for users, but it also presents an opportunity for sophisticated cybercriminals who have found ingenious ways to empty bank accounts remotely without the users’ knowledge.

This is the case with a mobile malware known as FakeBank, which was discovered by security researchers from Trend Micro. The new malware has been embedded in several SMS/MMS management software apps and is designed to steal banking information and funds.

How It Works

FakeBank, found in SMS/MMS management software apps, can intercept incoming and outgoing SMS messages.

This means that bad actors can successfully pass the two-factor authentication step that is based on SMS codes.

It also blocks users from the legitimate banking app and from calling their customer service center.

The malware employs a stealthy M.O.: it replaces the actual SMS management program and cloaks the icon, so users have no idea that this has occurred. It can also prevent users from removing the link between the card and the phone number. Once this malware is on the phone, the hacker then has access to all the banking information, and the account is successfully subverted.

The malware then blocks real banking messages while stealing all SMS messages, call logs, contact lists, user phone numbers, installed banking apps, balances on linked bank cards, and location information. All the data is sent to a command and control server where cybercriminals can leverage the information for account takeovers and empty the virtual piggy banks.

Unmasking the Impostors

To detect potentially fraudulent transactions before they can create a financial nightmare for consumers – and for companies – new authentication methods must be adopted.

Organizations need to adopt a multi-layered approach to authentication that includes passive biometrics combined with behavioral analytics to identify true customers by their behavior.

These technologies reduce the friction that causes customers to drop their transactions before they are completed. Solutions based on consumer behavior and interactional signals are leading the way to provide more safety for consumers and less fraud in the marketplace.

The FakeBank attack is an example of why security layers have to be combined with passive behavioral technology to provide better protection. Biometrics technologies measure inherent human behaviors for unique identification and security. They are also used to identify people accurately and dynamically. 

Identifying the Real Customer

A layered defense that includes passive biometrics and behavioral analytics can review multiple vectors of the user’s behavioral interaction, such as how the user holds a device, how hard a user hits the keys, and hundreds of other identifiers. These technologies can also distinguish machines from humans, separate good machines from bad, select known humans from unknown humans, and finally sort unknown humans demonstrating low-risk signals from unknown humans demonstrating high-risk signals.

This process lets organizations fast-track the known and low-risk users and provide them with an optimal experience. High-risk users face more intensive scrutiny, and false transactions are blocked. These multiple layers validate the user through information that hackers can’t replicate, securing the good user’s transaction throughout the process. The process also allows online companies to provide premium offers to key customers who have been identified.

With a multi-layered solution that looks at the user’s passive biometrics, even if a device is infected with FakeBank or any other malware and the one-time SMS code is intercepted, the behavioral layer will flag the session as high-risk and prevent fraudulent transactions.

About Robert Capps

Robert Capps is the Vice President of Business Development at NuData Security Inc., a Mastercard company. He is a recognized technologist, thought leader, and advisor with more than 20 years of experience in the design, management, and protection of complex information systems – leveraging people, process, and technology to counter cyber risks.
