A Security Lesson from Down Under: Australia’s Banking App Malware Theft

Wednesday, April 20, 2016

Harvey Boulter


With the Australian banking system reeling from its recent malware attacks, it seems news stories about the theft of personal data are popping up with depressing regularity.

In case you missed the latest story, it bears examination because of the warning shot it fires across the bows of the U.S. commercial banking sector, and because of what it implies about how safe your financial data is right now. And when I say financial data, let’s be clear, I mean your actual money.

The sophisticated Android attack on the banking apps of Australia’s biggest banks has targeted millions of customers. That’s ANZ Bank, Commonwealth Bank, National Australia Bank, Westpac and a host of others. Hiding on infected phones, the malware lies dormant until a targeted app is opened, then draws a fake login screen over the legitimate one to capture the credentials typed into it. The overlays mimic not only the banking apps themselves but also WhatsApp, Skype, PayPal, eBay and Google services. It also intercepts the SMS two-factor authentication codes the banks send to the same phone, so the bank’s second factor is bypassed and the thieves can transfer funds at will.
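To make concrete why a stolen SMS code is enough to empty an account, and what a second factor would have to look like to survive the same malware, here is a small Python model of the two schemes. This is an added example written for this page, not code from the original article or from any bank; the `Bank` class, the customer, the balances and the token seed are constructed for the illustration, and the transaction-bound token scheme is an assumption about how a hardware token could work rather than anything the article describes. The attacker in the model has exactly what the article says the overlay malware has: the password typed into the fake screen and whatever arrives by SMS on the infected phone.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: one customer, one token seed shared between the
# customer's hardware token and the bank. Nothing here is a real bank's
# protocol; the classes and names are assumptions for the illustration.
TOKEN_SEED = {"alice": b"constructed-demo-seed-for-alice"}


def transaction_code(seed, user, payee, amount):
    """Code a transaction-signing token would display: an HMAC over the
    transaction details, truncated to 8 hex digits. The seed lives in the
    token and at the bank, never on the phone, so malware cannot compute it."""
    msg = f"{user}|{payee}|{amount}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Minimal bank back end supporting both second-factor schemes."""

    def __init__(self):
        self.balance = {"alice": 1000, "attacker": 0, "shop": 0}
        self.password = {"alice": "hunter2"}
        self.pending_sms = {}

    def _move(self, src, dst, amount):
        if self.balance[src] < amount:
            return False
        self.balance[src] -= amount
        self.balance[dst] += amount
        return True

    # Scheme 1: SMS one-time code. The code is tied to the session, not to
    # what is being paid to whom, so whoever holds it can spend it.
    def send_sms_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_sms[user] = code
        return code  # delivered by SMS; malware with SMS permission reads it too

    def transfer_sms(self, user, password, code, payee, amount):
        if self.password.get(user) != password:
            return False
        if self.pending_sms.pop(user, None) != code:
            return False
        return self._move(user, payee, amount)

    # Scheme 2: transaction-bound token code. Verified against the payee and
    # amount the bank is asked to execute, so a captured code is useless for
    # any other transfer.
    def transfer_signed(self, user, password, code, payee, amount):
        if self.password.get(user) != password:
            return False
        expected = transaction_code(TOKEN_SEED[user], user, payee, amount)
        if not hmac.compare_digest(expected, code):
            return False
        return self._move(user, payee, amount)


def overlay_attack_against_sms(bank):
    """Model of the overlay attack from the article: the fake login screen
    captures the password, the bank sends an SMS code to the same phone,
    the malware reads that SMS and submits its own transfer."""
    stolen_password = "hunter2"                # typed into the fake screen
    stolen_code = bank.send_sms_code("alice")  # read off the infected phone
    return bank.transfer_sms("alice", stolen_password, stolen_code, "attacker", 500)


def overlay_attack_against_token(bank):
    """Same malware against a transaction-signing token. The victim's token
    signs (alice -> shop, 50); the malware captures that displayed code and
    the password, but cannot re-target the payment to itself."""
    stolen_password = "hunter2"
    stolen_code = transaction_code(TOKEN_SEED["alice"], "alice", "shop", 50)
    return bank.transfer_signed("alice", stolen_password, stolen_code, "attacker", 500)


def legitimate_signed_transfer(bank):
    """Control case: the same token code is accepted for the transaction it signs."""
    code = transaction_code(TOKEN_SEED["alice"], "alice", "shop", 50)
    return bank.transfer_signed("alice", "hunter2", code, "shop", 50)


if __name__ == "__main__":
    b = Bank()
    print("SMS scheme, overlay attack succeeds:", overlay_attack_against_sms(b))
    print("Token scheme, overlay attack succeeds:", overlay_attack_against_token(b))
    print("Token scheme, legitimate transfer succeeds:", legitimate_signed_transfer(b))
    print("Balances:", b.balance)
```

The point the model makes is not that SMS is badly implemented but that it is delivered to the device the attacker already controls, and that the code it carries says nothing about which payment it approves. A second factor that is held away from the phone and whose code is computed over the payee and amount gives the overlay nothing to replay.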

Terrifying, yes, and unfortunately not an isolated event. Just a few short months ago, German users were targeted by criminals using mobile banking malware disguised as a fake PayPal app. The cyber-criminal’s dictionary is ever expanding, with phishing (malicious emails) now joined by smishing (malicious SMS) and vishing (voice telephone scams).

But it’s not just the lexicon that’s growing, it’s access. Right now any one of us can go online and make a free spoofed call from our phone, using simple, consumer-focused websites. Sure, it’s marketed as a way of playing “hilarious” jokes on friends and family, or of protecting your own caller ID and privacy, but let’s not be overly naïve. Privacy is a right, protected by law; anonymity, however, particularly online, rarely brings out the best in people.

Perhaps your response is that while Germany and Australia are having their problems, it’s all a long way from our shores. Unfortunately, that is not a view shared by the Washington Legislature, which is so concerned with malicious online activity that a new cybercrime bill has just sailed through the House and Senate. Focusing on prison sentences and fines for spoofing, electronic data tampering, theft and service interference, the bill is an explicit indication that lawmakers see these threats as a clear and present danger.

The time has come, then, for the financial sector to take decisive action and demonstrate a leadership role in this area. The technology exists and is widely available for banks to provide spoof-proof communications internally and to their customers, with solutions such as two-factor tokens. The lesson of the Australian attack is that a second factor delivered to the same compromised phone is no second factor at all; a token held separately from the phone, whose code is bound to the transaction being approved, gives overlay malware nothing to harvest.

As a parallel, every bank has fraud and crime units in place, the entire function of which is to protect the organisation and its customers from malevolent activity by reacting quickly to perceived irregularities and acting proactively on suspected threats. Not to have such a function would be unthinkable, and the costs, both hard and in terms of reputational damage, would be swift and seismic.

The same approach must be taken with secure communication: failure to take responsibility is to invite exactly the type of attack discussed earlier. The financial services sector must not wait for governments to act, conflicted as they are while they try to balance protecting their electorate from crime against attempting to control the use of strong encryption. The duty of care and the protection of customers falls instead to the banks themselves, and it is an obligation they must meet now and with gusto, or prepare to count the cost of their negligence.

About the Author: Harvey Boulter is Chairman of Communication Security Group (CSG).

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.