Taking an unusual step today, an association of Singapore banks revealed that about 50 smartphone users here had been hit by malware specifically targeting mobile banking services in the past three months.
You’d expect security incidents to be fixed quietly when there is no loophole in the system – and there wasn’t one this time – but the banks decided they had to issue a detailed advisory.
The reason? Such cases of malware are getting more common, according to the Association of Banks in Singapore, as more users are turning to their phones to transact. There are now 2.4 million such mobile banking users, up from 1.5 million in 2013.
One particular ruse the malware creators used was to prompt a user to update his phone’s software, such as the popular WhatsApp app.
Instead of an update, the user would unwittingly be giving cyber criminals access to the phone, from which they could steal credit card numbers or even the SMS-based one-time passwords used to log in to a bank account online.
Along with a detailed description of the issues (see the release here), the banks advised users to download apps only from trusted sources (like the Google Play Store), not to “root” their phones to customise them, and to avoid pirated software.
However, they stopped short of telling people to do away with receiving their one-time passwords via SMS. If an online thief steals your username and password and has access to your phone’s SMSes, he can log in to your bank account remotely.
Fortunately, there have been additional safeguards required by the authorities over the years. For example, “sensitive” transactions like transferring large sums of money to another account still require you to get a separate password on your physical token.
How safe are users? Generally, if you steer clear of suspicious apps or websites that prompt you to install software or key in your password or credit card numbers, you should be okay.
The physical token is still the strongest protection yet for users. That’s because it is required for money transfers (instead of passcodes sent over SMS) and remains separate and “not connected”, unlike your PC or phone.
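To make the point about the token concrete, here is a constructed Python model (an added example, not the banks’ system or anything from the advisory) of the step-up rule described above: login and small transfers accept an SMS one-time password, but a transfer above a threshold is accepted only with a code from a separate token, modelled here with RFC 4226 HOTP. Malware that reads SMSes on the phone can therefore log in, but cannot move a large sum, and a used token code cannot be replayed. The threshold, the account name, the password and the token secret (the RFC 4226 test-vector secret) are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct

HIGH_VALUE_LIMIT = 1000   # constructed threshold; banks set their own
TOKEN_LOOKAHEAD = 5       # unused token presses the server tolerates
TEST_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret, constructed

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code an event-based hardware token displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    binary = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16
              | mac[off + 2] << 8 | mac[off + 3])
    return str(binary % 10 ** digits).zfill(digits)

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Bank:
    """Server-side policy: SMS OTP for login and small transfers, a separate
    hardware-token OTP for anything above HIGH_VALUE_LIMIT."""
    def __init__(self):
        self._users, self._sessions = {}, set()

    def register(self, user, password, token_secret, balance):
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "pw": kdf(password, salt),
                             "token_secret": token_secret, "token_counter": 0,
                             "sms_otp": None, "balance": balance}

    def send_sms_otp(self, user) -> str:
        """The code 'sent' by SMS; malware on the phone can read it too."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._users[user]["sms_otp"] = code
        return code

    def _check_sms(self, user, code) -> bool:
        rec = self._users[user]
        ok = rec["sms_otp"] is not None and hmac.compare_digest(rec["sms_otp"], code or "")
        rec["sms_otp"] = None       # single use, matched or not
        return ok

    def _check_token(self, user, code) -> bool:
        rec = self._users[user]
        start = rec["token_counter"]
        for c in range(start, start + TOKEN_LOOKAHEAD):
            if hmac.compare_digest(hotp(rec["token_secret"], c), code or ""):
                rec["token_counter"] = c + 1   # this and older codes are now dead
                return True
        return False

    def login(self, user, password, sms_otp) -> bool:
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(kdf(password, rec["salt"]), rec["pw"]):
            return False
        if not self._check_sms(user, sms_otp):
            return False
        self._sessions.add(user)
        return True

    def transfer(self, user, amount, sms_otp=None, token_otp=None) -> bool:
        """Step-up rule: above the limit only the token code is accepted, so a
        stolen SMS code cannot move a large sum."""
        if user not in self._sessions or amount <= 0:
            return False
        rec = self._users[user]
        if amount > HIGH_VALUE_LIMIT:
            authorised = self._check_token(user, token_otp)
        else:
            authorised = self._check_sms(user, sms_otp)
        if not authorised or rec["balance"] < amount:
            return False
        rec["balance"] -= amount
        return True

def simulate(has_sms: bool, has_token: bool):
    """Outcomes for an actor who knows the password and, per the flags, can
    read the phone's SMSes and/or press the physical token. Returns
    (login_ok, small_transfer_ok, large_transfer_ok, replayed_token_ok)."""
    bank = Bank()
    bank.register("alice", "correct horse", TEST_SECRET, balance=5000)
    presses = iter(range(TOKEN_LOOKAHEAD))   # the token's own press counter
    sms = lambda: bank.send_sms_otp("alice") if has_sms else "000000"
    tok = lambda: hotp(TEST_SECRET, next(presses)) if has_token else "000000"
    login_ok = bank.login("alice", "correct horse", sms())
    small_ok = bank.transfer("alice", 200, sms_otp=sms())
    code = tok()
    large_ok = bank.transfer("alice", 2000, sms_otp=sms(), token_otp=code)
    replay_ok = bank.transfer("alice", 2000, sms_otp=sms(), token_otp=code)
    return login_ok, small_ok, large_ok, replay_ok
```

Running `simulate(has_sms=True, has_token=False)` models the malware case from the article: login succeeds and a small transfer goes through on the stolen SMS code, but the large transfer is refused because only the token code is accepted above the limit. With the token as well, the large transfer succeeds once and the same code is rejected on replay, which is what the server-side counter window is for.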