Hackers against Mobile Banking Apps

What is a mobile banking application? A user and an automated banking system need to be connected somehow – here comes the application. There is an algorithm: users open they mobile apps and make transactions, these transactions are sent to the bank’s server and processed by the relevant payment systems. And the user gets a message that the transaction is completed. The algorithm of online banking is the same. So, to steal money a hacker needs to find the way to interfere in this process, to break the algorithm.

The process of hacking the mobile banking application consists of 2 stages:

1) Hackers look for vulnerabilities and when they find it, they create a payment instruction. For example, any Android application is an .apk file which can be looked through and analyzed for vulnerabilities. Once hackers find an app code vulnerability, the best way to use it on the user’s device is to create a Trojan virus, which would work specifically for mobile banking apps. Such attacks are popular with cybercriminals. If a Trojan virus is on a phone or a computer, it is just a matter of time before a hacker will manage to succeed and will send a transaction request to the bank’s server. There is a difference between Android apps and iOS apps – Apple encrypts all .ipa files underlying its applications. Such a file is decrypted only in smartphone memory, meaning that to view it hackers need to have better technical skills.

2) Hackers do not want users to find out that their finances were stolen. If the user gets push notifications, these notifications could also be hacked along with the app. That is why usually banking services use SMS messages. If the user gets SMS notifications, it is much more difficult to hack him. In order to hide SMS notifications, the hacker needs to find and use malware with functionality that can either recode online banking account settings or hack the smartphone manufacturer’s SMS application. In both cases the attack will take much more effort from the criminals.

What is a secure software development? It is the last line of defense protecting the app from the risk of being compromised, and that is why the bank must properly adopt secure software development.

So, to protect their money, users should make sure their phones, computers or other devices are not infected by Trojans or other malware. It is vital to know that software and files should not be installed from unreliable sources, which may host viruses as well. Moreover, if you get an email from unknown senders – you should never open any links or attachments.

If a big sum of money is kept in a bank account, users can opt to prevent transactions exceeding a maximum amount for a transaction).

Some bank clients also buy insurance, in the case of a cyberattack and theft of funds, but the problem is it is often very difficult to prove who is at fault. It is also necessary to study the contract to see if the situation is covered by insurance and how much money the bank should return.

What is an encrypted secure folder? Many Android smartphones now have it. It is a special folder where all important and vulnerable apps should be installed. If you are an Android user you should not carry out Rooting, although many mobile banking apps track if the smartphone is rooted. If so, the app will either malfunction or operate in reading mode, where you will not be able to make any transactions. iOS users should not opt for jailbreaking. The best advice here is to use SMS notifications because smartphones are in areas without the Internet more often than in internet zones. So, if a user wants to be sure that he will be notified – he needs to use SMS.