Attackers use latest technologies to trick bank clients for money

Open banking means new opportunities for cyberattackers.

Banks warn that fake e-shops selling face masks have mushroomed in Slovakia.Banks warn that fake e-shops selling face masks have mushroomed in Slovakia. (Source: Sme)

To read in this article:

-What are the biggest threats in digital banking

-When to do simulated phishing attacks

-What security rules to follow when shopping online

“Dear customer, your last bank transaction was cancelled due to security reasons,” reads an email to a Slovenská Sporiteľňa’s client, instructing them to clink on a link below and enter sensitive data. A closer inspection, coupled with the fact that no bank asks their clients to give out their credentials, clearly indicates that this is a scam. While the banking sector, including e-banking services, remains prone to cyberattacks due to the nature of its business, the current COVID-19 pandemic has brought a surge in fraudulent schemes as the number of fake e-shops offering protective equipment has also mushroomed in Slovakia.

“The activities of fraudsters in the online environment have been intensifying during the current crisis,” said Marta Cesnaková, spokesperson of the biggest bank in Slovakia, Slovenská Sporiteľňa. “Thus, we advise clients to be cautious and watch out for dangerous e-shops.”

Mobiles and tablets are computers, too

Cybercriminals will continue to target banking websites and apps, and banks must continue to do their best to thwart their attempts, believes Miroslav Kořen, general manager of the antivirus firm Kaspersky for eastern Europe.

Related articleDigital banking is becoming a reality in Slovakia Read more 

“Last year was marked by a worrying rise in mobile banking Trojans, malware designed to steal credentials and money from users’ bank accounts,” said Kořen, adding that this malware generally looks like a legitimate app, such as a banking application. When a victim tries to reach their genuine bank app, the attackers gain access to their credentials.

Researchers of the security software company Eset alerted the public to a dangerous trojanised application available for download on Google Play at the end of 2018. The tool, QRecorder, was built to record calls; however, one of its updates turned the app into malware, allowing attackers to gain remote access to the mobile banking apps of Android users. The attackers were primarily targeting users from the Czech Republic, Poland and German-speaking countries while on the basis of an official report of the Czech police, this malware robbed five clients of Czech banks of more than 2 million Czech crowns, or €73,000.

Related articlePeople like being smart. In banking and insurance tooRead more 

In general, Eset has not seen a big difference in terms of the forms of cyberattacks on online banking over the last two to three years. Attackers try to steal credentials either by infecting the device of the user or by phishing, i.e. luring individuals by email, telephone or text message into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

The situation is more varied in mobile banking.

“This is because people are forgetting that mobile phones and tablets are also computers and that it is possible to steal sensitive data from them,” Ondrej Kubovič, digital security specialist at Eset, told The Slovak Spectator, adding that while security software would halt such fraudulent attempts, its usage is not as popular as on traditional computers.

Biggest threats

Kořen sees three key types of threats against digital banking. The first one is tied to SMS banking.

“The Trojan infects the device and sends a text with a transfer request to a special bank phone number,” explained Kořen, adding that the bank then automatically transfers the funds to the recipient from the device owner’s account. “Limits on mobile transfers have been tightened, so this attack vector has been relegated to backup.”

Phishing attacks designed to steal online banking credentials pose another threat.

In 2019, cybercriminals mastered a third method: stealing by manipulating banking apps.

First, the victim is persuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank. Tapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full control over, enabling them to fill out forms, tap buttons, etc. Moreover, the bot operator does not need to do anything, because the malware performs all actions required. Such transactions are trusted by banks, and the maximum transfer amount can exceed the limits of SMS banking by an order of magnitude.

“As a result, the cybercriminals can clean out the account in one go,” said Kořen.

He expects that since banks, based on the revised Payment Services Directive (PSD2) are required to open their infrastructure and data to third parties who wish to provide services to bank customers, it is likely that attackers will seek to abuse these new mechanisms with new fraudulent schemes.

Moreover, attackers are becoming more and more sophisticated, and they are ready to implement the latest technology to increase the success for their endeavours. Kaspersky has already noticed the use of artificial intelligence and machine learning to enhance their social engineering techniques.

“Just several months ago, artificial intelligence was used to emulate the voice of the CEO of a UK-based energy firm, asking his employees to send €220,000 to a fictitious, as it later turned out, Hungarian supplier within an hour,” said Kořen. “As technology advances, such incidents will become more frequent.”

In this respect, Eset expects a need for quality, deep penetration testing of third-party applications. Penetration testing is done with the consent of the creators or providers of a given application, in which security researchers basically play hackers and try to find all possible ways to attack the application or service.

“With this data, the creator then knows what it needs to fix in its application or service,” said Kubovič.

Attractive targets

Companies that process payments are at the forefront of implementing the latest advances in information technologies. Systems are now interconnected and mobile devices extensively used both for remote access and for data sharing. That makes them an attractive target for cybercriminals aiming to steal money through online transactions.

Thus, banks and fintechs should pay more attention to endpoints from which financial operations are being completed. This includes updating the software installed on these endpoints while keeping their security solution up to date.

They should invest in regular cybersecurity awareness training for employees to prevent them from clicking on links or open attachments sent by untrusted sources.

“Conducting simulated phishing attacks ensures that employees know how to distinguish phishing emails,” said Kořen.

Companies should also install a dedicated protection to limit attacks against business emails, ensuring that all levels of corporate infrastructure are protected, from core data centres to specialised systems in the case of banking infrastructure, such as ATMs. In addition, security operation centre teams should have access to Threat Intelligence so they remain up to date on the latest tactics and tools used by cybercriminals, said Kořen.

What clients should and should not do

“The technology that enables customers to make transactions 24 hours a day, from any place and any device, also leaves doors open for criminals,” said Kořen.

Security software firms recommend users of electronic banking secure their devices, including mobile phones and tablets, with security software, keep their apps and programmes updated and use strong passwords. They also do not recommend storing credit card information in browsers or e-shops. The clients should avoid shopping or making bank transactions on free, unsecured public Wi-Fi.

“On public Wi-Fi, we recommend shopping or banking exclusively through mobile apps of given shops or banks, never through a browser,” said Kubovič. “For computers and laptops, it is safest to use VPN.”

Kořen warns against following an email to the bank’s website and then entering personal details. Clients should make sure that they type their bank’s address into their web browser and check if the address starts with “https://”; “http” does not provide a safe connection. They should be wary of any unexpected or strange ‘pop-up’ windows that might suddenly appear during their online banking session.

Banks advise making credit card payments online rather than transferring money to e-shop accounts when shopping online. This protects payments in the case of the non-delivery of goods, explained Cesnaková of Slovenská Sporiteľňa.

“For internet card payments, the bank will make every effort to ensure that people get their money back,” said Cesnaková.

If there are any discrepancies in a client’s card or account transaction, the client should contact his or her bank immediately. If the bank card of a client was abused, the Slovak legislation entitles him or her to full compensation.

However, if the client shops in a fraudulent e-shop, the situation becomes more complicated. The banks assess such cases individually, but unfortunately, compensation is not a matter of course.

“Thus, we constantly call on our clients to make sure they shop in verified e-shops and not swallow the bait of great deals – such as a number of fake e-shops offering face masks at low prices today,” said Boris Fojtík, spokesperson of Tatra Banka.

Get daily Slovak news directly to your inbox

Top stories

People with negative tests can go to hairdresser or outdoor terraces

Those with a negative test result will have to follow rules introduced on October 15.

Companies fear drop in demand for their products and services the most

International chambers of commerce asked companies about their current situation as well as expectations.

Companies implemented anti-coronavirus measures.

News digest: The Gale targets corruption, cabinet officially prolongs curfew

Slovakia learned about biggest corporate taxpayers, the president signed laws changing the minimum wage and 13th pensions. Read the latest news overview.

Mobile testing units were built in the Hviezdoslavovo Square in Bratislava.

The big testing: When and where to show up, and what if I don't want to? (FAQ)

Here is what we know about the practicalities of the nationwide testing so far. Testing also applies to foreigners and diplomats in Slovakia.

Pilot testing in Bardejov