This week the FBI issued a warning about the growing use of mobile banking apps. As more Americans bank from their phones, the FBI expects cyber criminals to increasingly target these apps.
The FBI estimates that more than 75% of Americans used mobile banking in 2019. Another study indicated a 50% increase in mobile banking this year.
These attacks arrive as fake banking apps, fake login pages, and trojans that overlay a fake login page on top of a legitimate bank app. Anything you enter into the fake page goes straight to the attackers. The FBI also warns that some trojans lie dormant on the victim’s device for long periods and only activate when certain apps, such as a banking app, are opened.
“In 2018, nearly 65,000 fake apps were detected on major app stores, making this one of the fastest growing sectors of smartphone-based fraud,” the FBI warns.
The warning goes on to provide mostly good advice on avoiding these attacks, such as downloading a banking app only from the phone’s official app store or by following a link from the bank’s own website, and never from a third party.
Another good idea is to use multi-factor authentication (MFA) for every login. MFA will usually stop an account takeover even when the password has been compromised. The report states, “enabling any form of two-factor authentication will be to the user’s advantage,” but some second factors hold up better than others. A trojan that can draw a fake login page on your phone very likely also has permission to read your text messages, so if your second factor arrives by SMS, the trojan can forward that code to the attackers along with your password. We recommend an authenticator app or a hardware token as the second factor whenever possible. Push notification-based MFA, where the app asks you to approve or deny each login, provides the most secure option when using the app; approve only prompts for logins you started yourself. Never give the one-time password or token from the app to anyone.
The FBI warning also recommends creating a password of at least eight characters using uppercase letters, lowercase letters, and symbols. That recommendation doesn’t account for recent studies of how people actually choose passwords, or for how quickly password-cracking software now works through hashes. For example, given a password meeting only those minimum requirements and hashed with a modern hash algorithm, we could brute force it in less than 21 seconds, using no special equipment beyond a high-end graphics card of the kind used for tests like this one. How long such an attack takes depends heavily on the hash in use: a fast, unsalted hash such as MD5 or NTLM falls orders of magnitude faster than a deliberately slow one such as bcrypt or Argon2, and users rarely know which one a service relies on.
We recommend a passphrase of at least 16 characters. Use a phrase you can remember, built from things like names, places, or dates, for example “SierraTerrierTexas”. This provides a far more secure password that we could never brute force. Also, avoid common words that one could easily guess; this protects against dictionary and combinator attacks, where the attacker joins entries from lists of common words instead of trying every character. Against that kind of attack a passphrase is only as strong as the number of words in it and how unusual those words are, so prefer more words and less predictable ones.
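The two attacker models just described, brute force over characters and a combinator attack over words, can be compared directly. The following Python is an added example, not code from the original post or from WatchGuard. The small word list, the assumed 100,000-entry size of a real attacker list, and the guess rate of 1e11 per second (roughly what a single high-end GPU manages against a fast, unsalted hash such as NTLM) are assumptions; substitute your own hashcat benchmark figures.

```python
import math
import re
import string

# Constructed stand-in for an attacker's word list. Only membership is checked
# here; the assumed size of the real list (wordlist_size below) drives the math.
DEMO_WORDLIST = {"sierra", "terrier", "texas", "password", "summer", "london", "dog"}

# Assumption: roughly the guess rate of one high-end GPU against a fast,
# unsalted hash such as NTLM. Replace with your own benchmark number.
ASSUMED_RATE = 1e11

CHARSETS = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def charset_size(password):
    """Size of the union of standard character classes the password draws from.
    'Aa!Bb@Cc' touches lower, upper and punctuation: 26 + 26 + 32 = 84."""
    return sum(len(cls) for cls in CHARSETS if any(c in cls for c in password))


def brute_force_guesses(password):
    """Guesses to exhaust every string of this length over the covering charset."""
    return charset_size(password) ** len(password)


def split_words(password):
    """Split CamelCase or separator-delimited text into lowercase tokens.
    Digit runs come back as tokens too, so they fail the word-list check."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+|\d+", password)]


def combinator_guesses(password, wordlist_size, wordlist=DEMO_WORDLIST):
    """Guesses for a combinator attack joining words from a list of the given size.
    Returns None when some token is not a list word, i.e. this model does not apply."""
    words = split_words(password)
    if not words or any(w not in wordlist for w in words):
        return None
    return wordlist_size ** len(words)


def assess(password, rate=ASSUMED_RATE, wordlist_size=100_000):
    """Bits of work and wall-clock seconds under each attacker model."""
    bf = brute_force_guesses(password)
    comb = combinator_guesses(password, wordlist_size)
    return {
        "brute_force_bits": math.log2(bf),
        "brute_force_seconds": bf / rate,
        "combinator_bits": math.log2(comb) if comb is not None else None,
        "combinator_seconds": comb / rate if comb is not None else None,
    }


if __name__ == "__main__":
    # Constructed sample passwords: an 8-char "complex" one, the post's
    # three-word passphrase, and a mixed string no word list covers.
    for pw in ("Aa!Bb@Cc", "SierraTerrierTexas", "Tr0ub4dor&3"):
        r = assess(pw)
        line = (f"{pw:20} brute force: 2^{r['brute_force_bits']:.1f} "
                f"({r['brute_force_seconds'] / 3600:.1f} h)")
        if r["combinator_bits"] is not None:
            line += (f"  combinator: 2^{r['combinator_bits']:.1f} "
                     f"({r['combinator_seconds'] / 3600:.1f} h)")
        else:
            line += "  combinator: n/a"
        print(line)
```

Run as written to compare the three constructed passwords. The combinator model is what makes a three-word passphrase built from list words much weaker than its 18-character length suggests; adding a fourth or fifth word, or choosing words outside common lists, raises that number far faster than adding symbols to an eight-character password does.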
One of our own colleagues here at WatchGuard recently received an SMS message directing him to a fake login page. You can read about the incident here. If you spot a suspicious app or login page, contact the financial institution directly using a phone number posted on its official website to verify whether it is genuine.