It is customary at this time of year to make predictions for 2012. Pronouncements such as “RIM gets bought” or “A lot of NFC handsets will be sold” are common. McAfee’s 2012 Threats Predictions (see here for full report) is a variation of that genre and one that will give readers a bracing start to the new year. Among the list of potential threats compiled by the security firm is a whole section devoted to mobile technology. The report notes a general increase in attacks on smartphones and mobile devices in the last two years and a move from simple malware to spyware and malware that is intended to be money-making. In 2012, McAfee says, stand by for more of the same with an addition: a move towards mobile-banking attacks.
The starting point for the security firm’s analysis is attacks by criminals on PCs to steal from users’ online bank accounts. Zeus and SpyEye are two of the leading crimeware kits used to do this. The report says criminals familiar with these kits are now using mobile apps “as helpers to bypass two-factor authentication and gain access to victims’ money”. The report mentions Zitmo (Zeus-in-the-middle) and Spitmo (SpyEye-in-the-middle) as two types of mobile spyware that forward SMS messages to attackers, who are required to log in themselves to steal money from users’ bank accounts.
Last summer freelance security consultant Ryan Sherstobitoff looked at how criminal transactions using Zeus and SpyEye could be tracked because they look different to normal transactions. Sherstobitoff has subsequently shown how criminals can steal from a victim’s account while the victim is still online, which makes it look like the transaction originates with the real user.
Criminals adapt quickly to every security barrier that is thrown up in their way, points out McAfee. As mobile banking services become more popular, expect criminals to bypass the PC and directly attack the mobile device and apps, it says. “As we use our mobile devices ever more for banking, we will see attackers bypass PCs and go straight after mobile-banking apps,” the report says. McAfee expects “a greater frequency” of such attacks as more users handle banking and money via their handsets.
Any rise in such activity could encourage existing consumer uncertainty about handling their finances via mobile phone, uncovered for instance by a Gemalto survey late last year. It’s the combination of the two that the mobile industry needs to be wary about. Either one in isolation is not such a significant problem but the concern is of an isolated criminal hack gaining media attention and fanning user unease about mobile payments. Hopefully this grim possibility (like most of those annual predictions) will turn out to be false.
The editorial views expressed in this article are solely those of the author(s) and will not necessarily reflect the views of the GSMA, its Members or Associate Members.