Banking Technology Solutions
 

White Papers

 
 


Smart Phones: The Next Cyber Crime Frontier

By John Jaser, Internet Services Manager

 

A few years ago, a colleague showed me an idea for a movie thriller where computer hackers take control of a neighborhood’s PCs, smart phones, thermostats, toasters, cars, even pacemakers to extort money from helpless residents. Today, my colleague’s movie idea could be playing in any neighborhood in the United States.

He’s not looking for royalties. As a matter of fact, we both wish the idea remained a matinee fantasy, not an emerging cyber crime reality.

Apple’s acclaimed iPhone was hacked within hours of its initial release in June, 2007. Fast forward to June, 2010, and we see Apple still battling iPhone security issues. A new release of the iPhone mobile operating system closed 65 vulnerabilities. More security measures were required to prevent consumer account breaches in Apple’s online iTunes store. An ongoing problem with iPhone ‘data leaks’ is still unsolved.

The iPhone’s popular cousin, ‘Droid’ by Google and Motorola, reportedly has similar security issues. Back in December, 2009, we heard reports of criminals gaining control of other users’ phones running Android 2.0 or Android 2.0.1.

Apparently, the criminals are lacing free smart phone applications with their own code to attack users’ phones. The users download the free applications and get a lot more than they bargained for. It’s an old infection technique honed from PC days, but smart phones raise the risks to an entirely different level.

You see, every smart phone has ‘gadgets’, such as a camera, microphone and geo-location service (GPS). When infected, the smart phone’s gadgets can be controlled by criminals who can literally track the user’s location, such as when the user enters a sensitive facility. The criminals can then activate the smart phone’s camera and microphone, giving them eyes and ears where the user wants them least.

Couple this type of exploit with a growing smart phone ‘botnet’ (thousands of hacked smart phones operating under the control of criminals) and we are looking at a thriller beyond Hollywood proportions. More ominous, the code to do this has been published on the web for other criminals to review, refine and reuse.

Apparently, the criminals have wasted little time. In January, 2010, Google removed nearly 50 applications from its Android Market in response to concerns that they might be malicious. The applications offered access to bank accounts at JPMorgan Chase, HSBC, and ING. At least one of the applications was infected with an exploit designed to steal the user’s bank login credentials.

This has not stopped Bank of America, TD Bank and USAA from forging ahead with their own Android-friendly mobile applications. Chase Bank recently added remote deposit capture and peer-to-peer (P2P) payments to its iPhone application. I can’t imagine that other banks won’t follow suit, with early adopter customers not far behind.

Certainly, we are heading into a ‘Gold Rush’ for killer smart phone banking apps, and just as certainly, the criminals are watching every move with cunning, guile and greed. After our experiences with phishing, botnets and other debilitating attacks on the Internet banking channel, we should be smarter about preventing criminal activity on smart phones.

Smart phones are essentially online laptop computers equipped with GPS and hundreds of third-party applications. Banks need to regard smart phones as untrusted platforms since they don’t know what the user has installed or subverted, intentionally or not.

All of this screams ‘opportunity’ to the security application community, and sure enough, solutions such as Lookout have already attracted one million users, according to the technology weblog TechCrunch. Norton, Kaspersky, Trend Micro and F-Secure are now peddling their smart phone security solutions as well.

The challenge for banks is to ensure that their mobile banking customers have installed and are using security solutions on their smart phones. Applications do exist for this purpose, and banks would do well to deny transactions from customers who aren’t protected.

Marketing might howl and customers might threaten, but banks should remind them that criminally controlled smart phones are not in their best interest, except, of course, in a movie theater on the big silver screen.