72% of UK adult population will use mobile banking apps in 2023
24 May 2018
In January this year, security researchers uncovered an Android banking trojan that targeted 232 banking apps by hiding behind a fake Flash Player app and obtaining administrative rights to Android devices. The trojan was capable of stealing login credentials by displaying fake login screens over apps, hijacking SMS messages, and uploading contact lists and SMS messages to a malicious server.
Banks and cryptocurrency exchanges affected by the trojan included Bitfinex, Bitconium, Freewallet, WUBS Prepaid, Alfa-Direct, GarantiBank, QNB Finansinvest, Commerzbank, PayPal, Bank of America, Wells Fargo Bank, NatWest Bank, Halifax and Santander UK.
A few days prior to the discovery, researchers at the University of Birmingham also revealed that as many as 9 popular banking apps including those of Bank of America, Meezan Bank, HSBC, Smile Bank and VPN provider TunnelBear featured critical security flaws in their certificate verification processes that allowed hackers to conduct man-in-the-middle attacks and steal credentials of millions of users.
Around the same time, security researchers at ESET also discovered that a powerful banking trojan dubbed BankBot made its return to the Play Store after it was kicked out by Google. The new variant featured improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.
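A defender-side triage sketch for the capability mix described above (device-administrator rights, SMS interception, contact upload, Accessibility Service abuse), added here as an example and not taken from the article or the researchers it cites. It assumes a manifest already decoded to text XML; the sample manifests, package names, capability labels and the threshold of three are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Requested permissions that map to behaviours the article describes.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# Permissions that guard a declared component rather than being requested.
BOUND = {
    "device_admin": "android.permission.BIND_DEVICE_ADMIN",
    "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

def triage_manifest(manifest_xml):
    """Return the sorted capability labels found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if perms & requested}
    for comp in root.iter():
        if comp.tag in ("receiver", "service"):
            guard = comp.get(ANDROID + "permission")
            found.update(cap for cap, perm in BOUND.items() if perm == guard)
    return sorted(found)

def is_suspicious(manifest_xml, threshold=3):
    """Flag an app that combines several of the capabilities (threshold is an assumption)."""
    return len(triage_manifest(manifest_xml)) >= threshold

# Constructed samples: a fake "player" app and a benign note-taking app.
SAMPLE_FAKE_PLAYER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.player.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("fake player", SAMPLE_FAKE_PLAYER), ("benign", SAMPLE_BENIGN)):
        print(label, triage_manifest(xml), is_suspicious(xml))
```

A hit is a reason to look closer, not a verdict: legitimate device-management and accessibility apps declare some of the same bindings.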
Convenience outweighs security risk again
It’s not that the vulnerability of banking apps to sophisticated trojans and other malware missed the attention of common citizens. Statistics released by the Office for National Statistics last year revealed that 40% of Brits did not know how secure online banking and banking apps were, and 33% of them feared they could be victims of bank fraud over the next five years.
Despite such awareness of the threat scenario, the use of banking apps at the cost of other traditional banking methods continues to rise. According to figures released by industry analyst CACI, as many as 72 percent of the UK adult population, or 35 million people, will use mobile banking services in 2023. Considering that around 22 million people use mobile banking services now, around 3.4 million people will adopt mobile banking services every year in the next five years.
“The factors behind the growth of mobile banking can largely be attributed to convenience, accessibility and functionality. Convenience has always been a large part of banking behaviour, and having a branch in your local parade of shops five minutes down the road has been superseded by having the means to carry out transactions at your fingertips.”
The massive rise in the adoption of mobile banking apps and services is not because mobile security has improved over the years or that hackers are no longer interested in targeting such apps, but because convenience continues to outweigh security concerns.
To illustrate how vulnerable mobile banking apps are to malicious actors, a recent report from RSA Security revealed that the proportion of fraudulent transactions carried out on mobile apps jumped from just 5 percent in 2015 to 39 percent in the first quarter of 2018. The volume of fraudulent transactions also rose by 600 percent overall and by 51 percent since Q1 2017.
“Unfortunately, many mobile apps fail to build security from the ground up. This means cybercriminals and fraudsters are able to slip through the cracks, hijacking mobile applications and siphoning off credentials and funds. As mobile-related fraud continues to grow, consumers and businesses alike need to be aware of the risks,” said , Director at the RSA Fraud and Risk Intelligence Unit.
“Mobile malware such as the Android Trojan can mimic legitimate banking apps as well as notifications. When a customer accepts a notification sent by the malware, they will typically be redirected to a fraudulent website and prompted to enter their login details. In so doing, fraudsters exploit a key vulnerability in authentication methods – even multi-factor authentication methods,” says Tertius Wessels, Product Manager at Entersekt.
He added that there must be an encrypted out-of-band channel for communications between banks and consumers so that fraudsters are not able to access authentication requests pushed by banks to their customers’ devices. This will ensure that fraudsters will not be able to perform any transactions by stealing login credentials of users.