Fraudsters’ slick olive oil switch
Read Time: 13 mins
Written By:
Donn LeVie, Jr., CFE
In the past few years, we’ve witnessed dramatic growth in mobile devices and the services they provide. Whatever you can do on your laptop or desktop you can now do on these pocket-sized gems. Including stealing people’s money.
Joseph Franklin was excited. He had just bought a new smart phone and wanted to use the “apps” to make his life easier. He downloaded a mobile-banking application and entered his bank account number, username, and password. Now he could conduct all his banking transactions with his phone. He thought.
About a week later, he checked his account balance and almost had a heart attack. Someone had withdrawn thousands of dollars from his checking account. He contacted his bank and found that it had never received any information to allow him to open a mobile account. Franklin had downloaded a bogus banking app that allowed fraudsters to pilfer his bank accounts.
This case is fictional, but it’s representative of a new generation of phishing scams that are just starting to emerge. Aleksandra Todorova, in the Jan. 30 article, “ ‘Phishing’ Scams Cast Net on Mobile Banking,” in The Wall Street Journal, wrote that this next generation of phishing scams, focused on mobile banking, has the potential to do much more damage than earlier versions. Fraudulent apps can steal account information and, potentially, any other data stored on mobile devices, she wrote.
Todorova reported that in December of 2009, Google Inc. pulled 50 applications from its Android Market online app store because users believed they might be malicious. The same developer had uploaded all the apps to the store and claimed to offer access to bank accounts at a variety of banking institutions, including J.P. Morgan Chase & Co., HSBC Holdings PLC, and U.S. Bancorp.
Todorova reported that an executive of MShift Inc., a company that develops applications for about 200 banks and credit unions, estimated that the number of consumers who downloaded the fraudulent apps was less than 1,000.
A Cathay Bank representative said on www.cathaybank.com that this scam “impacted customers from more than 50 financial institutions worldwide.” A Travis Credit Union employee said on www.traviscu.org that this “represents an attempt to [also] gain access to credit cards and account numbers through the emerging Android platform.”
Here we’ll look at some possible solutions that might help minimize the adverse impact of mobile-banking phishing scams and some steps to help prevent you and others from becoming victims. But first, let’s examine some key aspects of the mobile industry.
In the past few years, we’ve witnessed dramatic growth in mobile devices and the services they provide. Whatever you can do on your laptop or desktop you can now do on these pocket-sized gems with miniature keyboards and touch-screen technology.
Apple’s App Store and Google’s Android Market, among others, offer thousands of free or cheap applications to the general public. Both systems are “open” in the sense that they solicit apps from independent developers, who normally receive 70 percent of the price charged for each app sold.
Apple’s App Store has been successful, according to Ade Bamigboye, CEO for Mobile Flow and a mobile industry expert, because of the “relatively high degree of assurance that users get, perceived or real, when they download and install an app.” Bamigboye wrote about how app marketplaces must maintain high standards in his Feb. 3 article, “Phishing Scams Cast Net on Mobile Banking; Has Wider Implications for App Stores” on the Gerson Lehrman Group website.
Apple’s ruthless focus on user experience “provides the underpinning for this and their centralized approach to vetting each app [received from a developer] goes a long way to ensuring that neither poor quality or deliberately criminal apps make it into the App Store,” Bamigboye said.
On the other hand, according to Bamigboye, Google “for the moment decided to leave the doors to their store [Android Market] wide open.” Google doesn’t review submitted applications before publication, which means anyone can publish and offer them for sale on Android Market. A malicious app is caught only after the fact, as happened here, when users reported it.
The mobile industry faces a real challenge if it’s to continue to provide quality services to its customers. “Whilst some of these [apps] have been created and published by significant, well-known authorities, most others are the work of independent developers,” Bamigboye said in the Gerson Lehrman Group article. “So how does a user really know when apps are giving the right advice, performing the right calculations, or not trying to access data that they should not be?” he asks. “User communities alone will never be sufficient to prevent bad apps from reaching the marketplace before they are downloaded and used,” Bamigboye writes.
“As the mobile apps ecosystem continues to develop, we may well see the emergence of industry specific app clearing houses,” he writes. “Businesses that operate in sectors such as banking or healthcare could benefit greatly from there being a knowledgeable authority that can approve apps based on accurate implementation of sector process and knowledge. Stamps of approval could be awarded to apps that meet the appropriate standards for that sector,” Bamigboye writes.
“Two immediate benefits are that (1) open app stores [like Google] start to become less of an issue and (2) apps such as that are possible in mobile banking can start to deliver more complex functionality,” he writes.
Hopefully, mobile industry leaders and decision makers will listen to Bamigboye’s recommendations. Until then, as in many cases involving financial resources, the consumer is at the mercy of the fraudsters and an industry with inadequate security on some of the applications.
Travis Credit Union, on its website, offers excellent advice to its customers – and all other smart phone users – in the article “Phishing Scam Targeting Android-based Mobile Devices.”
“If you think your mobile device has been affected, please immediately contact [your bank or credit union] and change your mobile banking login password. … (I)mmediately remove the application from your mobile device, take it to your mobile provider and have the technical team evaluate the phone to make sure the application is completely removed and has not compromised any other applications or records within the phone.” TCU also told its members with Android devices to “access their [financial] accounts (or perform other e-commerce-related activities) ONLY through the web browser interface, instead of a downloadable application, until the Android platform has been proven secure for financial transactions.”
Cathay Bank, on www.cathaybank.com, echoes TCU’s advice by telling its customers to “access your bank accounts ONLY through Cathay Bank’s secure web browser interface through a computer, instead of through a downloadable application on your phone.” Note that this closes off the fake-app route but not the older one: a fraudulent website can collect the same credentials, so the usual web-phishing precautions still apply. Type the bank’s address yourself or use a saved bookmark rather than following a link in an e-mail or text message, and check that the browser shows a secure (https) connection to the bank’s own domain before entering a username or password.
If you believe you’ve been victimized by this scam but still want to do online banking via your laptop or PC, immediately contact your bank and change your username and password. Also, contact your credit and debit card issuers to order replacement cards and change your PINs. Contact the credit-reporting agencies to place fraud alerts on your file. Also, change every password that was stored on or entered into the mobile device. Make all of these changes from a computer you trust, not from the affected phone: until the phone has been checked and cleaned, as TCU advises, anything typed into it may be captured again.
I hope you’ll share this column with your family, friends, and clients. This new potentially devastating phishing scam could be a huge revenue stream for fraudsters. Let’s help to nip it in the bud. Stay tuned.
Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.