This document discusses 5 types of attacks targeting mobile banking users in 2022 and provides recommendations for prevention. Attack Type 1 involves stealing money in a "Bazos attack" by pretending to pay for goods. Attack Type 2 involves distributing malware on mobile apps stores. Attack Type 3 involves stealing credentials to access multiple accounts from one device. Attack Type 4 involves hijacking accounts by rewriting recovery codes. Attack Type 5 involves repeatedly sending push notifications to overwhelm users. Prevention strategies include strengthening identity verification, limiting login attempts, detecting malware/multi-accounting, and clearly communicating with users.
Mobile Banking Security Threats
ADDRESS
Belehradska 858/23
120 00 Prague
Czech Republic
CONTACT
hello@wultra.com
www.wultra.com
Mobile Banking and Lurking Security Threats for 2022
We help the leading banks
and fintech companies to
secure their digital systems
and bring trust to
customer journeys.
2014
Founded
550+
References
5
Regions
Attack Type 1
Bazos Attack on 3DSecure
Attack Technique:
Pretend to pay for goods while in fact stealing money and let the user confirm via push.
Prevention:
Communicate clearly the direction of the payment: "Confirm the payment of $500 …" vs. "You are sending $500 …"
Attack Type 2
Mobile Malware on Google Play
Attack Technique:
Pretend to be a legitimate app and later force the user to install banker malware.
Prevention:
Integrate persistent malware protection in your mobile banking app, and let the user uninstall malicious apps as soon as possible.
Attack Type 3
Multi-Account Gang Attacks
Attack Technique:
Steal the credentials of many victims and pair their accounts to mobile banking on your own device.
Prevention:
Fortify the process for (re)activation by adding a personal ID scan and server-side face biometry. Detect multi-accounting attempts.
Attack Type 3 (illustration)
Fortified activation flow, combining SMS OTP, Personal ID Scan (the user photographs both sides of their personal ID) and Face Biometry (Face Recognition ➜ Liveness Check ➜ Genuine Presence Check).
Attack Type 4
Recovery Code Account Hijacking
Attack Technique:
Hack the mobile banking (phishing) and only rewrite the recovery codes, to use them later.
Prevention:
Block recovery codes at your call center when the customer calls. Notify clients about use of the recovery codes. Fortify the activation process.
Attack Type 4 (illustration)
Fraudster: "Let me save the recovery data and unpair the app."
Client: "I don't see any issue with my account…"
Attack Type 5
Repeated Push To Annoy Users
Attack Technique:
Send repeated push approval requests to eventually wear down the customer.
Prevention:
Implement throttling on login and approval attempts on a per-user / per-device basis. Consider adding a QR code to the flow.
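An added example (not from the original deck) of the per-user / per-device throttling described above, in Python: a sliding-window counter with a lock-out, so that a burst of approval requests from one device, or many devices targeting one user, is dropped before a push is sent. The window, limits and lock-out values are assumed placeholders.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (placeholders, not from the deck); tune to your risk appetite.
WINDOW_SECONDS = 300     # sliding window over which attempts are counted
MAX_PER_DEVICE = 3       # approval requests one device may trigger per window
MAX_PER_USER = 5         # approval requests one user may receive per window
LOCKOUT_SECONDS = 900    # cool-down once a limit is reached


class ApprovalThrottle:
    """Gate push approval requests per user and per device (sliding window + lock-out)."""

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock, for deterministic runs
        self._events = defaultdict(deque)   # key -> timestamps inside the window
        self._locked_until = {}             # key -> unix time the lock-out ends

    def _within_limit(self, key, limit, now):
        if self._locked_until.get(key, 0) > now:
            return False                    # still cooling down
        window = self._events[key]
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()                # drop attempts older than the window
        if len(window) >= limit:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            return False
        return True

    def allow_push(self, user_id, device_id):
        """True if a push approval may be sent; False if it must be dropped (and logged)."""
        now = self._now()
        user_key, device_key = ("user", user_id), ("device", device_id)
        if not self._within_limit(user_key, MAX_PER_USER, now):
            return False
        if not self._within_limit(device_key, MAX_PER_DEVICE, now):
            return False
        self._events[user_key].append(now)
        self._events[device_key].append(now)
        return True


def run_scenario():
    """Constructed scenario: one device hammering one user, then many devices on one user."""
    clock = [1000.0]                        # mutable fake clock (constructed for the demo)
    throttle = ApprovalThrottle(now=lambda: clock[0])
    burst = [throttle.allow_push("alice", "dev-1") for _ in range(4)]    # 3 ok, 4th dropped
    clock[0] += LOCKOUT_SECONDS + 1                                      # lock-out has expired
    after_lockout = throttle.allow_push("alice", "dev-1")
    spread = [throttle.allow_push("bob", f"dev-{i}") for i in range(2, 8)]  # 5 ok, 6th dropped
    return burst, after_lockout, spread
```

The per-user limit is what stops the "wear down the customer" pattern even when the attacker rotates devices; a denied request is the point to raise an alert and offer the QR code path instead of another push.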
Key Takeaways
1. Kill SMS OTP: Use SMS as an additional security element and information channel, not as a sole possession factor in strong customer authentication.
2. Speak Clearly: Use clever copywriting. Whenever the status of strong customer authentication changes, inform your customers so that they have a chance to react and reclaim security.
3. Be Proactive: Do not rely on security measures by Apple and Google. Use active in-app protection connected to a threat intelligence service to detect problematic situations or malware.
4. Design Smart: Sometimes, a clever technology pick or a small adjustment of the process can improve the security significantly while having a minimal impact on user comfort.
Dumb design causes trouble.