Gartner Blog Network

Mobile banking fraud hits Brazil

by Avivah Litan  |  August 17, 2012  |  9 Comments

It finally hit, in Brazil, which reminds me of how Internet banking fraud started: also in Brazil. It looks like the same mode of attack. One mobile device is used to illegally access multiple online bank accounts and to transfer money out of them to new payees or to existing mule accounts. Apparently, the banks in Brazil are more liberal with online banking functionality (e.g. money transfers) on mobile devices than the North American and European banks are.

I also heard that some banks are having users use separate and dedicated user IDs and passwords for mobile banking. This helps in the documented cases where fraudsters illegally collect the user credentials (user IDs and passwords) used to access mobile banking applications, where they can’t do ‘too much’ damage because of the limited functionality, and then reuse those credentials in online PC-based banking, where they can do much more. I’m guessing it’s probably also because the fraudsters already have scripts written for PC-based Internet banking attacks and are too lazy to rewrite them for mobile banking.

So mobile bankers beware: mobile malware is not rampant yet, but it’s starting to appear. For now, solutions are sparse, costly, or not yet fully implemented. And it’s a lot more expensive to use a dedicated mobile device for mobile banking than it is to use a dedicated PC for PC banking.
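The two patterns described above (one device logging in to many accounts and draining them to new payees, and credentials issued for the mobile channel being replayed against the PC channel) are both detectable from ordinary login and transfer logs. The following is an added example, not code from the original post or from any bank: the event records, the field names (`device_id`, `account`, `channel`, `login_id`, `new_payee`) and the register of mobile-only login IDs are all constructed assumptions for illustration.

```python
"""Added example: two detections for the mobile banking fraud pattern.

Events are constructed sample data; the schema is an assumption, not any
bank's real log format.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events: dev-7 walks through three accounts and sends
# money to new payees from each; dev-9 presents a mobile-only login ID on
# the PC web channel (credential reuse across channels).
EVENTS = [
    {"ts": "2012-08-15T10:01", "device_id": "dev-1", "account": "A100", "channel": "mobile", "login_id": "m-a100", "action": "login"},
    {"ts": "2012-08-15T10:05", "device_id": "dev-2", "account": "A200", "channel": "web",    "login_id": "w-a200", "action": "login"},
    {"ts": "2012-08-15T11:00", "device_id": "dev-7", "account": "A300", "channel": "mobile", "login_id": "m-a300", "action": "login"},
    {"ts": "2012-08-15T11:02", "device_id": "dev-7", "account": "A300", "channel": "mobile", "login_id": "m-a300", "action": "transfer", "new_payee": True},
    {"ts": "2012-08-15T11:10", "device_id": "dev-7", "account": "A400", "channel": "mobile", "login_id": "m-a400", "action": "login"},
    {"ts": "2012-08-15T11:12", "device_id": "dev-7", "account": "A400", "channel": "mobile", "login_id": "m-a400", "action": "transfer", "new_payee": True},
    {"ts": "2012-08-15T11:20", "device_id": "dev-7", "account": "A500", "channel": "mobile", "login_id": "m-a500", "action": "login"},
    {"ts": "2012-08-15T11:21", "device_id": "dev-7", "account": "A500", "channel": "mobile", "login_id": "m-a500", "action": "transfer", "new_payee": False},
    {"ts": "2012-08-15T12:00", "device_id": "dev-9", "account": "A100", "channel": "web",    "login_id": "m-a100", "action": "login"},
]

# Assumption: the bank keeps a register of which login IDs were issued for
# the mobile channel only (the "separate, dedicated credentials" practice).
MOBILE_ONLY_LOGIN_IDS = {"m-a100", "m-a300", "m-a400", "m-a500"}


def devices_touching_many_accounts(events: List[dict], threshold: int = 3) -> Dict[str, List[str]]:
    """Map device -> sorted accounts for devices that logged in to at least
    `threshold` distinct accounts. A legitimate customer rarely has this many."""
    accounts_by_device: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["action"] == "login":
            accounts_by_device[e["device_id"]].add(e["account"])
    return {d: sorted(a) for d, a in accounts_by_device.items() if len(a) >= threshold}


def mobile_credentials_on_web(events: List[dict], mobile_ids=MOBILE_ONLY_LOGIN_IDS) -> List[Tuple[str, str, str]]:
    """Logins on the PC web channel that present a mobile-only login ID.
    With dedicated mobile credentials this should never happen legitimately."""
    return [
        (e["device_id"], e["account"], e["login_id"])
        for e in events
        if e["action"] == "login" and e["channel"] == "web" and e["login_id"] in mobile_ids
    ]


def risky_new_payee_transfers(events: List[dict], threshold: int = 3) -> List[dict]:
    """Transfers to newly added payees from devices already flagged by the
    many-accounts rule: the combination the post describes as the cash-out."""
    flagged = devices_touching_many_accounts(events, threshold)
    return [
        e for e in events
        if e["action"] == "transfer" and e.get("new_payee") and e["device_id"] in flagged
    ]


if __name__ == "__main__":
    print("devices on many accounts:", devices_touching_many_accounts(EVENTS))
    print("mobile creds on web:", mobile_credentials_on_web(EVENTS))
    for t in risky_new_payee_transfers(EVENTS):
        print("risky transfer:", t["ts"], t["device_id"], t["account"])
```

In practice the device identifier would come from the mobile app's device fingerprint or the web session's browser fingerprint, and the threshold would be tuned against the bank's own baseline (a family sharing one tablet is a common false positive). The second rule only works if the bank really does issue mobile-only credentials and records which ones they are; without that register the cross-channel reuse is invisible in the logs.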


Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications.

Thoughts on Mobile banking fraud hits Brazil

  1. Ken says:

    How is it “more expensive” to have a dedicated mobile banking phone than to have a dedicated mobile banking PC?

  2. Avivah Litan says:

    I was trying to say it’s more expensive to get a separate mobile phone and service just for mobile banking than it is to get a separate PC with service just for internet banking. Typically, people have old PCs lying around and can hook into their existing internet service at home so the incremental cost is practically zero. I haven’t seen the same phenomena with mobile devices and data services for the average user.

  3. Evgueni Krylov says:

    It would be better to configure a separate virtual machine just for mobile banking. I would recommend a Linux VM (any type of free Linux) and use it for banking only. I use VMware Player to run the VM, but you could use Oracle VirtualBox as well. The SSH port is usually open by default.

  4. It’s also much less convenient to carry an extra mobile device…

    Evgueni, I am pretty sure the author is referring to banking via your mobile phone when referring to mobile banking. That said, the VM solution is better for the environment than an additional PC, with only a slight loss of security and a minimal overhead on current-model PCs, and it can be free if you choose the right tools for your Internet banking service.

  5. Brian Batch says:

    Interesting thoughts Avivah,

    To clarify, are you seeing new mobile malware attacking existing accounts?

    Or is this an individual (or individuals) manually logging on to accounts using previously compromised account details (i.e. from standard phishing or Zeus on PC banking) to extract funds? They may access the accounts using a prepay mobile to try to conceal their identity and location.

  6. Great thoughts, Avivah. What is the liability situation for mobile banking fraud in Brazil? I know American and European banking customers get coverage under consumer protection laws (e.g. Reg E in the US caps customer liability at $50 if the customer reports the fraud within 2 days) for lost funds in the case of mobile banking fraud. India, too, does not have such consumer protection clauses for electronic banking transactions.

  7. AFAIK Brazilian bad guys are attacking by creating phishing pages in mobile format. Details (in Portuguese):

    We also know that “professional” bankers are massively using 3G connections on smartphones to access the victims’ accounts, using data collected by banker trojans on the PC.
    The main reason is that only one password is required for this kind of access.

    We haven’t found a malicious app yet, but we’re close to it.



  8. Avivah Litan says:

    Hi Brian,

    Sorry for the late response. I’ve been traveling. I only know the results of the attacks against mobile banking. I’m not sure what exact method was used to extract the money via mobile banking. I’m sure it will be figured out eventually.


  9. Avivah Litan says:

    Hi Jayaprakash,

    Interesting that India does not have consumer protection laws to protect against online account takeover. I don’t know the laws in Brazil. I do know that some banks won’t allow their online customers to bank online unless they download and use the required anti-malware software (in this case typically from a specialized Brazilian vendor).

    Thanks for your insight,


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.