Stealing your mobile bank data

We had a meeting of the Financial Services Club last week that looked at fraud and mobile malware with the Serious Organised Crime Agency and the International Systems Security Association (ISSA).

It was an interesting meeting, as I’m particularly intrigued by stories about mobile as this is our hot space right now.

Every bank is getting into mobile payments, mobile billpay, mobile balance checks, mobile banking ... it’s a huge opportunity as I’ve written about so many times.

I’m not writing much about the issues with mobile that banks are experiencing as many are yet to come into the public domain.

One that is in public domain is the coordinated ZeuS attack from Q4 last year:

“According to S21sec, the new variant of the ZeuS trojan first infects the victim’s PC. Then a web application purporting to be from a bank asks the victim to input their mobile phone number and details of their device. Third, the victim is asked via text message to install an application on to the phone. This application can then be used to intercept any text messages the victim sends.” 

But I have a little bit more interest in what’s happening today and Joshua Pennell from ISSA talked through a whole load of new man-in-the-middle and mobile malware attacks that are growing by the day.

I mentioned one of these myself recently about Justin Bieber, but suspicious downloading is one thing.

It’s just another variation of phishing.

What concerned me more is the mobile hi-jacking capability where you think you are on your mobile carrier’s network but you’re not.

The idea is that a cybercriminal places a signal box near to the location of the person they are targeting.

The person then sees their mobile signal disappear and come back stronger.  Something that happens all the time in my part of town.

What the mobile user does not realise is that their mobile service has now been hijacked and all of their texts, apps and downloads are being filtered by the cybercriminals service.

Sounds difficult?

I thought so until someone mentioned to me that this was just an example of using the Sure Signal Service.

Then the penny dropped as I use that service!

Sure Signal is for mobile customers who live in an area that is too weak to get a decent mobile service from their carrier.

This happens to many customers who move home and the result is that they cannot actually use the mobile carrier’s service and want to leave.

So they get sent a Sure Signal box.

The box works off the broadband network of the house and the result is five bars for calls plus 3G.

Oh, and of course, the same is true for anyone else in that vicinity.

Good idea...

... and then there’s the other illustration of mobile that adds a further dimension to this.

The mobile tracker.

We all know that your geolocation is always on when you have a mobile signal, but who has a right to know about this?

In Germany, where spying is rife, apparently it’s a hot issue right now ever since German politician Malte Spitz discovered that his mobile operator was tracking his every move.

And the issue is that they were storing this information for months ... in fact, they had his whole life mapped out over a period of six months.  Every move from every day for 180 days.

Here’s how it looks over just two days...

... hot stuff and a real topical issue therefore is: what is the security of mobile and, if compromised, who is at fault: the carrier, the handset manufacturer, the retailer, the customer, the bank, the regulator...