With the rapid advancement of technology, mobile banking has become an integral part of our daily lives. However, this convenience comes with its own set of risks, especially in the face of increasing mobile banking malware.
In Singapore, more than $8 million was lost in the first half of the year in over 700 malware-related scams. In nine of these scams, CPF savings were involved, resulting in losses of at least $335,000. Victims were tricked into downloading malware onto their phones, resulting in unauthorized transactions from their bank accounts.
So how does mobile banking malware work? And what are governments and regulators doing about the issue? Let’s take a closer look.
Mobile banking malware employs sophisticated tactics to deceive users and gain unauthorized access to sensitive information. These scams typically start with phishing links distributed through emails or SMS messages, or disguised as QR codes. Once clicked or scanned, these links lead users to fake banking pages that appear genuine and compel them to download what is presented as a companion app but is in reality malicious software, or malware.
Once the malware is installed on the user's device, it scans for banking apps and imitates them to capture login credentials and one-time passwords (OTPs). By drawing a look-alike login screen over the legitimate banking app, the malware intercepts what the user types and can authorize transactions that transfer money out of the account undetected.
Some malware also possesses features such as remote control and screen sharing to aid its fraudulent activities.
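The overlay and screen-sharing techniques described above can be made harder to exploit from inside the banking app itself. The following Kotlin login activity is an added example written for this page, not code from the article or any bank; it assumes an Android app whose layout contains a password field with the hypothetical id R.id.password, and the accessibility allow-list it uses is constructed for illustration.

```kotlin
// Added example (not from the original article): a bank login screen hardened
// against the overlay and screen-sharing tricks described above.
// Assumes an Android app with a layout containing R.id.password (hypothetical id).
import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.provider.Settings
import android.util.Log
import android.view.MotionEvent
import android.view.WindowManager
import android.widget.EditText

class LoginActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Block screenshots and screen recording/sharing of this window, so a
        // remote-control trojan cannot watch credentials or OTPs being typed.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login) // layout name is hypothetical
        // Drop touches delivered while another window is drawn over this one.
        findViewById<EditText>(R.id.password).filterTouchesWhenObscured = true
        // Surface an unknown accessibility service as a risk signal before login.
        if (hasSuspiciousAccessibilityService(this)) {
            Log.w("Login", "Unrecognized accessibility service enabled")
        }
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        // FLAG_WINDOW_IS_OBSCURED is set when another window covers the touch point;
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API 29+) catches smaller overlays.
        val obscured = ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED != 0
        val partlyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED != 0
        // Refuse the input rather than let an overlay harvest it.
        return if (obscured || partlyObscured) false else super.dispatchTouchEvent(ev)
    }
}

// Returns true if any enabled accessibility service is outside an allow-list.
// Overlay and remote-control trojans commonly depend on an accessibility
// service, so its presence is worth checking. Allow-list is illustrative only.
fun hasSuspiciousAccessibilityService(ctx: Context): Boolean {
    val enabled = Settings.Secure.getString(
        ctx.contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
    ) ?: return false
    val allowed = setOf("com.google.android.marvin.talkback")
    return enabled.split(':').any { it.isNotBlank() && it.substringBefore('/') !in allowed }
}
```

FLAG_SECURE stops screen capture of this window but does not stop an accessibility service from reading view text, which is why the accessibility check is worth keeping alongside it. These controls reduce the attack surface; they are not a substitute for transaction-level checks on the bank's side.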
In response to the surge in malware-related scams, regulatory bodies worldwide are mandating various security measures for both traditional and digital-only banks. Here’s what Malaysia and Singapore have done so far.
The Reserve Bank of Malaysia published the Risk Management in Technology (RMiT) document, which outlines the Bank's requirements for financial institutions' management of technology risk. It specifies control measures for mobile applications and devices.
1. A financial institution should ensure digital payment, banking and insurance services involving sensitive customer and counterparty information offered via mobile devices are adequately secured. This includes the following:
2. A financial institution should also ensure the following measures are applied specifically for applications running on mobile devices used by the financial institution, appointed agents or intermediaries for the purpose of processing customer and counterparty information:
The Monetary Authority of Singapore (MAS) regulates and supervises over 150 deposit-taking institutions, including full banks, merchant banks, and finance companies. To address mobile banking security, MAS issued revised Technology and Risk Management Guidelines in 2021.
The measures required for securing mobile applications are as follows:
Security for mobile banking applications must be as dynamic and intelligent as the threats it seeks to combat. Does your organization need help with mobile security? Get in touch to see how we can help.