Secplicity - Security Simplified

Powered by WatchGuard Technologies

FBI Warns of an Increase in Malicious Banking Apps

June 12, 2020 By Trevor Collins

This week, the FBI issued a warning about the increased use of mobile banking apps. With more Americans using mobile banking, the FBI expects cyber criminals to increasingly target these apps.

The FBI estimates that more than 75% of Americans used mobile banking in 2019. Another study indicated a 50% increase in mobile banking this year.

These attacks take the form of fake banking apps, fake login pages, and trojans that overlay a fake login page on the legitimate bank login. The fake page sends any details you enter directly to the malicious cyber actors. The FBI also warns that some trojans may lie dormant on the victim’s device for long periods of time until you open certain apps, such as a banking app.

“In 2018, nearly 65,000 fake apps were detected on major app stores, making this one of the fastest growing sectors of smartphone-based fraud,” the FBI warns.

The warning goes on to provide mostly good advice on how to avoid these attacks, such as only downloading an app from the phone’s official app store or from the bank’s website, and never downloading a banking app from a third party.

Another good idea is to use MFA (multi-factor authentication) for all logins. MFA will usually stop an account takeover that relies on a compromised password. The report states, “enabling any form of two-factor authentication will be to the user’s advantage,” but some authentication methods perform better than others. If a trojan on your phone can display a login page, it can likely read your text messages as well. If you use an SMS message as your second factor, the trojan can forward that code to the threat actors. We recommend using secure MFA apps or hardware tokens as the second factor whenever possible. Push notification-based MFA, where the app prompts you to approve or deny a login, is the most secure option when using an app. Never give the one-time password or token from the app to anyone.

The FBI warning also recommends creating a password of at least eight characters using uppercase letters, lowercase letters, and symbols. The FBI’s password recommendation, however, doesn’t account for recent studies of human behavior or for how fast programs can crack hashes. For example, given a modern hash algorithm of a password meeting those minimum requirements, we could brute force the password in less than 21 seconds. We used no special equipment, only a high-end graphics card of the kind used for tests like this one.

We recommend a passphrase of at least 16 characters. Use a phrase you can remember, such as names, places, or dates, for example “SierraTerrierTexas”. This provides a far more secure password that we could never brute force. Also, avoid common words that one could easily guess. This protects against dictionary attacks, where the cyber threat actor combines lists of common words to crack passwords.
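To make the two recommendations comparable, here is an added calculator (not from the article or WatchGuard) that sizes the search space an attacker faces for an 8-character FBI-minimum password versus a long passphrase, and shows why a passphrase built from common words is weaker than its length suggests. The sample passwords, the 10,000-word list size, and the 1e11 hashes-per-second rate are assumed values.

```python
import math
import string

# Character classes an attacker enumerates; sizes are ASCII printable counts.
CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def charset_size(password: str) -> int:
    """Alphabet size for a brute-force search scoped to the classes present.

    This mirrors a mask-style search: the attacker enumerates only the
    character classes they believe are in use (here, exactly those found).
    """
    chars = set(password)
    if chars - set().union(*CLASSES.values()):
        raise ValueError("password contains non-ASCII-printable characters")
    return sum(len(cls) for cls in CLASSES.values() if chars & cls)


def brute_force_keyspace(password: str) -> int:
    """Number of candidates for a character-level exhaustive search."""
    return charset_size(password) ** len(password)


def dictionary_keyspace(word_count: int, wordlist_size: int) -> int:
    """Candidates when the attacker combines wordlist entries instead."""
    return wordlist_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Search space expressed in bits, for comparison across methods."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # Constructed samples: an 8-character password meeting the FBI minimum
    # and the article's passphrase. 1e11 H/s is an assumed GPU hash rate.
    for pw in ("Abcd!efG", "SierraTerrierTexas"):
        ks = brute_force_keyspace(pw)
        print(f"{pw}: {charset_size(pw)}^{len(pw)} = {entropy_bits(ks):.1f} bits,"
              f" {seconds_to_exhaust(ks, 1e11):.3g} s at 1e11 H/s")
    # Three words from an assumed 10,000-word list: the dictionary search is
    # far smaller than the character-level search over the same passphrase.
    print("3 words x 10,000-word list:", dictionary_keyspace(3, 10_000))
```

The gap between the character-level and dictionary search sizes for the same passphrase is the reason the article tells you to avoid common words.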

One of our own colleagues here at WatchGuard recently received an SMS message directing him to a fake login page. You can read about the incident here. If you spot a suspicious app or login page, contact the financial institution directly using a phone number posted on its official website to verify its authenticity.

Filed Under: Editorial Articles
