Comments on the FBI Warning on Mobile Banking
Updated: Sep 5, 2020
Our life has changed in all so many ways since COVID-19 started. A significant portion of our routine activities are no longer relevant, and as it seems, may not be returning any time soon, or maybe at all.
I personally believe a lot will come back. However, I am less convinced when it comes to in-person banking. True, branches were declared a thing of the past years ago and yet they survived the internet and mobile revolutions. But will they survive Coronavirus?
Over the last few months digital channels have been clearly taking the front seat. We are witnessing a vast increase in mobile and online banking across the board. According to the FBI announcement released recently, studies of US financial data indicate a 50% surge in mobile banking since the beginning of 2020. Great news for cyber criminals.
Indeed, the FBI anticipates cyber actors will exploit digital banking platforms, warning the banks and the public from Trojans disguised as games or other tools performing “overlay” attacks, and from fake apps designed to impersonate the real apps of major financial institutions. In both cases the objective of the malicious Trojans and apps is to steal credential information such as passwords and 2FA tokens so they can bypass the authentication controls of the banking app. Not necessarily new attacks but at a much higher scale.
However, while FBI's recommendations are focused around increasing the sophistication of the authentication controls, in reality these multi-factor authentication techniques suggested by the FBI are only making banking fraud attacks more complicated, but far from preventing them.
Here is why…
Authentication solutions are focused on identities, and most of them only authenticate digital proxies of the customers, not the customers themselves. Whether it is a password, token, SIM card, app or device (even with biometrics) - these proxies can be stolen and spoofed either digitally or by social engineering the customers. So you have to assume that fraudsters will always find the way to “get in the door”.
Moreover, as the FBI suggested, “surveys of application and website users have identified that a majority of users do not enable two-factor authentication when prompted. These users cite inconvenience as the major reason to avoid the use of this technology”.
Lastly, and this is often overlooked, even if you get customers to use the inconvenient multi step authentication process and even if you make it super hard for fraudsters to bypass these steps, cyber actors can always come up with sophisticated man-in-the-middle/browser/app attacks that wait for customers to authenticate and then kick in and transact on their behalf.
A new paradigm is required to combat these attacks - we need to authenticate the activity itself and not just the identity or its proxy. The way to do it is to digitize the model that has been working for centuries in the offline world for validation of remote transactions - the notarization process - in which both the true identity and the act of signing are simultaneously verified, explicitly and not via digital proxies.