Bad news coming in for banking and financial services companies.
Cybersecurity researchers at Cleafy have uncovered a new banking Trojan called “SharkBot” that is currently targeting banking applications and cryptocurrency exchanges in the UK, Italy, and the United States.
The new malware infects vulnerable mobile devices running on the Google Android operating system to steal sensitive banking information such as credentials, personal information, current balance, etc., and perform fraudulent money transfers through mobile banking applications.
According to researchers at Cleafy, “The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., Strong Customer Authentication or SCA).”
SharkBot is said to belong to the next generation of mobile malware because it launches attacks by abusing an Automatic Transfer System (ATS). ATS is an advanced technique that allows attackers to auto-fill fields in mobile banking apps and initiate money transfers, all while evading security checks such as multi-factor authentication, biometrics, and behavioral analytics that banks usually enforce.
SharkBot, like other banking trojans, is equipped to perform overlay attacks to steal credentials and credit card information, intercept legitimate banking communications sent through SMS, enable keylogging, and obtain complete remote control of the infected device.
“With the discovery of SharkBot we have shown new evidence about how mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services during the last years,” the researchers concluded.
The Threat is Real. What Should Banks and Financial Institutions Do?
The threat of mobile malware has loomed large over cybersecurity for a long time. According to Nokia data, banking trojan attacks on Android devices rose by 80 percent in 2021 compared to the previous year. With the discovery of SharkBot, the threat has become even more real and dangerous.
Ever since digital transformation became a necessity, the financial services sector has been aggressively moving its services online to create unparalleled digital experiences for its customers. Almost all banking services can now be availed on mobile devices without having to visit a physical branch. While this is convenience at its best for the customers, it also brings a high degree of security risk.
At the same time, the pandemic-driven large-scale shift to remote work forced banks and financial institutions to compromise on security to maintain business continuity. According to the Verizon Mobile Security Index 2021 Report, almost a quarter (24%) of survey respondents said that their organization had sacrificed the security of mobile devices to facilitate its response to pandemic restrictions. Consistent with this, companies that sacrificed security in 2021 were 1.5 times as likely to experience a mobile-security-related compromise.
The massive uptick in the use of cloud services and mobile devices has opened a sea of opportunities for cybercriminals. The lack of basic security controls in mobile applications and devices is making it easy for attackers to penetrate banking systems. Moreover, the highly sensitive nature of the data and the high-value transactions involved make the BFSI sector the no. 1 target for attackers.
Although threats continue to evolve and grow, there are several strong defenses that banks and financial institutions can adopt to steer clear of cyberattacks. One of the most effective defenses to tighten security for mobile applications and mobile devices is to implement Public Key Infrastructure or PKI.
Create a Secure Mobile Banking Environment with Public Key Infrastructure (PKI)
PKI is a time-tested security framework built on the foundation of identity authentication and data encryption. It employs digital certificates and key pairs (public key and private key) that work together to enable trusted access to the core network, regardless of where the users and devices are.
Here’s how PKI can help banks and financial institutions to improve security for mobile applications and devices:
- Identity Authentication: Digital certificates provide an effective and transparent way to establish and prove the authenticity of mobile applications to customers. Issued by trusted Certificate Authorities (CAs), a digital certificate assures customers that the app is genuine and comes from the bank or financial institution they believe it does. This prevents customers from falling prey to fake websites and unknowingly revealing confidential information to attackers.
X.509 digital certificates provide the highest level of security for mobile applications to prevent phishing and man-in-the-middle attacks. Financial institutions can also use digital certificates to validate the identity of the mobile application before allowing access to the remote server to avoid connecting to compromised devices.
- Data Privacy: PKI’s public and private keys help protect data both at rest and in transit. The keys work together to encrypt and decrypt data end-to-end to ensure that the communication between the customer’s mobile device and the bank is entirely private. Strong ciphers used in encryption and decryption mechanisms help prevent any unauthorized users or malware from intercepting the communication.
- Email Encryption: PKI helps secure email communication on mobile devices through an internet standard/protocol known as S/MIME (secure/multipurpose internet mail extension), a highly reliable security control. With S/MIME certificates, employees can encrypt and digitally sign email communications to establish the sender’s authenticity and retain the confidentiality of the message.
- Passwordless Authentication: Passwords are considered the weakest link in enterprise security. When it comes to accessing mission-critical remote systems in financial services, a password compromise can have catastrophic effects. To mitigate this risk, financial institutions must switch to PKI-based SSH authentication, which eliminates the need for passwords and helps ensure that only authorized users on authorized devices can access remote systems. SSH keys are far stronger than passwords and are impractical to break even with brute-force attacks.
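As an added example (not code from the original article, nor from Cleafy or AppViewX), the following Python script audits an OpenSSH server configuration for the settings that passwordless, PKI-based SSH depends on: password and keyboard-interactive logins switched off, public-key authentication on, and a TrustedUserCAKeys entry so that user certificates signed by an internal SSH CA are accepted instead of per-host key distribution. The two configuration texts are constructed samples and the CA key path is a placeholder; the parser follows sshd's documented rule that the first value seen for a keyword wins and that Match blocks are conditional.

```python
"""Audit an sshd_config for passwordless, certificate-based authentication."""
import re

# OpenSSH defaults applied when a keyword is absent (from sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "trustedusercakeys": None,
}
# ChallengeResponseAuthentication is the pre-8.7 alias of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the FIRST value it reads for each keyword, so later duplicates are
    ignored here too. Lines starting with '#' are comments. Everything after a
    'Match' line is conditional and is skipped; audit those blocks separately.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        key = ALIASES.get(key, key)
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first value wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config is passwordless and CA-backed."""
    cfg = parse_sshd_config(text)
    get = lambda key: cfg.get(key, DEFAULTS.get(key))
    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password logins are still accepted")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM/password prompts may still be reachable")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based login will fail")
    if get("trustedusercakeys") is None:
        findings.append("TrustedUserCAKeys is unset: SSH certificates from the internal CA are not trusted")
    return findings


# Constructed sample: a typical distribution default, where the hardening line is commented out.
WEAK_CONFIG = """
Port 22
PermitRootLogin prohibit-password
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample: passwordless, certificate-based login. The CA key path is a placeholder.
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
# Accept user certificates signed by the institution's SSH CA
TrustedUserCAKeys /etc/ssh/user_ca.pub
# Duplicate keyword below is ignored by sshd (first value wins)
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Run against a live host with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; a cleaner source of truth is the output of `sshd -T`, which prints the effective values with defaults already resolved.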
- Document Signing: The convenience of online processing has led financial institutions to replace physical documents with electronic documents for various services. However, financial institutions must adhere to strict security regulations around digital signatures to offer this service to their customers. PKI allows documents to be digitally signed with ironclad security via digital certificates, which helps comply with the most stringent regulations and builds customer trust in digital services.
- Regulatory Compliance: Financial institutions should create and enforce PKI management policies with regard to role-based access to crypto-assets, certificate renewal durations, and PKI audit/audit trails. By creating transparency and clearly defined rules, the chances of mismanagement-induced vulnerabilities are lowered, and errors, if any, can easily be tracked and remediated.
a. Automation of certificate management based on policies laid down by the enterprise, the CA, and industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), the Revised Payment Services Directive (PSD2) and the Sarbanes-Oxley Act (SOX), among others, is crucial. Policy-based automation takes care of certificate lifecycle tasks such as time-bound certificate renewals, key rotation, access privileges, and compliance audits.
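As an added example (not code from the original article, nor from Cleafy or AppViewX) of what policy-based certificate lifecycle automation actually decides, the following Python script runs a constructed certificate inventory against a renewal, key-rotation and approved-issuer policy and produces an action plan that can double as an audit trail. The hostnames, issuer names, dates and policy thresholds are all constructed; the `notAfter` strings use the same format that Python's `ssl.getpeercert()` returns, so `ssl.cert_time_to_seconds` parses them.

```python
"""Policy-driven certificate lifecycle planning over a constructed inventory."""
import ssl

DAY = 86400


def parse_cert_time(text):
    """Epoch seconds for a 'Mon DD HH:MM:SS YYYY GMT' certificate date string."""
    return ssl.cert_time_to_seconds(text)


def plan_actions(inventory, policy, now):
    """Return one action per certificate, highest-priority reason first:
    expired -> renew; unapproved issuer -> replace; inside renewal window -> renew;
    private key older than the rotation limit -> rotate_key; otherwise ok."""
    plan = []
    for cert in inventory:
        remaining = (parse_cert_time(cert["notAfter"]) - now) // DAY
        key_age = (now - parse_cert_time(cert["keyCreated"])) // DAY
        if remaining < 0:
            action, reason = "renew", f"expired {-remaining} days ago"
        elif cert["issuer"] not in policy["approved_issuers"]:
            action, reason = "replace", f"issuer {cert['issuer']!r} is not an approved CA"
        elif remaining < policy["renew_before_days"]:
            action, reason = "renew", (f"{remaining} days remaining, inside the "
                                       f"{policy['renew_before_days']}-day renewal window")
        elif key_age > policy["max_key_age_days"]:
            action, reason = "rotate_key", (f"private key is {key_age} days old, over the "
                                            f"{policy['max_key_age_days']}-day rotation limit")
        else:
            action, reason = "ok", "within policy"
        plan.append({"cn": cert["cn"], "action": action, "reason": reason,
                     "days_remaining": remaining, "key_age_days": key_age})
    return plan


def summarize(plan):
    """Count actions, e.g. for a compliance report: {'renew': 2, 'ok': 1, ...}."""
    counts = {}
    for item in plan:
        counts[item["action"]] = counts.get(item["action"], 0) + 1
    return counts


# Constructed policy (thresholds are illustrative, not taken from any regulation).
POLICY = {
    "renew_before_days": 30,      # renew when fewer than 30 days remain
    "max_key_age_days": 730,      # rotate private keys at least every two years
    "approved_issuers": {"ExampleBank Issuing CA 1"},
}

# Constructed inventory; a fixed 'now' keeps the run deterministic.
NOW = parse_cert_time("Mar 01 00:00:00 2022 GMT")
INVENTORY = [
    {"cn": "mobile-api.examplebank.test", "issuer": "ExampleBank Issuing CA 1",
     "notAfter": "Mar 15 00:00:00 2022 GMT", "keyCreated": "Sep 01 00:00:00 2021 GMT"},
    {"cn": "sftp.examplebank.test", "issuer": "ExampleBank Issuing CA 1",
     "notAfter": "Dec 31 23:59:59 2022 GMT", "keyCreated": "Jan 01 00:00:00 2019 GMT"},
    {"cn": "legacy.examplebank.test", "issuer": "Self-signed",
     "notAfter": "Jan 01 00:00:00 2023 GMT", "keyCreated": "Jan 01 00:00:00 2022 GMT"},
    {"cn": "payments.examplebank.test", "issuer": "ExampleBank Issuing CA 1",
     "notAfter": "Sep 01 00:00:00 2022 GMT", "keyCreated": "Sep 01 00:00:00 2021 GMT"},
    {"cn": "old.examplebank.test", "issuer": "ExampleBank Issuing CA 1",
     "notAfter": "Feb 01 00:00:00 2022 GMT", "keyCreated": "Feb 01 00:00:00 2021 GMT"},
]

if __name__ == "__main__":
    plan = plan_actions(INVENTORY, POLICY, NOW)
    for item in plan:
        print(f"{item['cn']:<32} {item['action']:<10} {item['reason']}")
    print(summarize(plan))
```

In a real deployment the inventory would come from discovery (scanning endpoints with `ssl.get_server_certificate`, exporting from the CA, or reading key stores), and each non-`ok` action would be handed to the enrollment protocol the CA supports rather than printed.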
Trust Is Non-Negotiable. Build It with PKI.
Mobile malware is a growing menace that the banking and financial services sector cannot escape from. On the other hand, customers are becoming increasingly aware of security risks that come with internet transactions and are growing more reluctant to use digital services. The only way for financial institutions to beat these odds and secure the future is to build continuous trust. PKI makes this possible.
If this spurs you to action, do check out AppViewX CERT+, a turnkey solution for all enterprise PKI needs. It helps discover, monitor, analyze, orchestrate and fully automate certificate lifecycle management and key management solutions to prevent data breaches. It not only simplifies enterprise PKI management but also bolsters the security posture.