Online banking is big business. As a matter of fact, according to a recent survey from Deloitte, 73% of respondents use online banking resources at least once a month, and 59% use mobile banking apps. Yet despite the high level of user traffic, today’s banking platforms are not designed specifically to stop hackers. As a result, attackers have been taking advantage of the built-in weaknesses of e-banking and manipulating users into making online mistakes.
In a recent article for Help Net Security, Andre Machado, Product Manager at WatchGuard, explores five ways hackers engage in user-centric bank fraud. These include SMS Swaps, Man-In-The-Middle attacks, Man-In-The-Browser attacks, Spear Phishing attacks, and Mobile Malware attacks. Here’s an excerpt from the article:
Although banking attacks have become more complex in the past few years, the vast majority still rely on tricking users. For example, one common phishing attack used against banks involves directing targets to a malicious clone of the banking platform’s actual website. Once users try to log in to this genuine-looking fake website, the platform can confuse them by displaying a “Service Not Available” messages and store the credentials the user just tried to enter.
Another old but effective tactic is the Man In-The-Middle (MITM) attack, in which attackers target banking platforms that do not adequately protect their infrastructure. This not only allows hackers to steal money, but also negatively affects the bank’s reputation by making their infrastructure seem fragile and vulnerable. The attack allows fraudsters to interfere with the communication between users and the bank’s backend implementation to change transaction values and accounts. It can be prevented by using certificate pinning technology, which allows bank application to trust a specific certificate for a given server.
To read about all the different bank fraud attacks – and to get some information on how banks can better protect their systems – follow this link to Andre’s article.
Want to learn how to prevent employees from falling for a phishing attack? Check out this Secplicity post. Need a better mobile authentication service? Check out AuthPoint.