It finally hit – in Brazil, which reminds me of how Internet banking fraud started – also in Brazil. It looks like the same mode of attack. One mobile device is used to illegally access multiple online bank accounts and to transfer money out of them to new payees or existing mule accounts. Apparently, the banks in Brazil are more liberal with online banking functionality (e.g. money transfers) on mobile devices than the North American and European banks are.
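The pattern described above, one device reaching into many accounts and moving money to new or shared payees, is something a bank can look for in its session logs. The following is an added example, not part of the original post; the event fields, the payee baseline and the threshold are assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed baseline: payees each account has paid before (assumed to come
# from the bank's own transfer history).
KNOWN_PAYEES = {"1001": {"P-RENT"}, "1002": {"P-UTIL"}, "1003": set(), "2001": {"P-GYM"}}

# Constructed events: (device_id, account, action, payee). Not real bank logs.
EVENTS = [
    ("dev-A", "1001", "login", None),
    ("dev-A", "1001", "transfer", "P-X9"),
    ("dev-A", "1002", "login", None),
    ("dev-A", "1002", "transfer", "P-X9"),
    ("dev-A", "1003", "login", None),
    ("dev-A", "1003", "transfer", "P-X9"),
    ("dev-B", "2001", "login", None),
    ("dev-B", "2001", "transfer", "P-GYM"),
    ("dev-C", "1001", "login", None),      # the account owner's own phone
    ("dev-C", "1001", "transfer", "P-RENT"),
]

def score_devices(events, known_payees, max_accounts=2):
    """Flag devices that access more than max_accounts distinct accounts.

    max_accounts=2 tolerates a phone shared within a household; tune it
    against real traffic. Each alert also reports the two signals from the
    post: transfers to payees new to the account, and payees fed by several
    accounts from the same device (possible mule accounts).
    """
    accounts = defaultdict(set)                             # device -> accounts
    new_payee = defaultdict(set)                            # device -> (account, payee)
    payee_sources = defaultdict(lambda: defaultdict(set))   # device -> payee -> accounts
    for device, account, action, payee in events:
        accounts[device].add(account)
        if action == "transfer":
            payee_sources[device][payee].add(account)
            if payee not in known_payees.get(account, set()):
                new_payee[device].add((account, payee))
    alerts = {}
    for device, accts in accounts.items():
        if len(accts) <= max_accounts:
            continue
        shared = sorted(p for p, src in payee_sources[device].items() if len(src) > 1)
        alerts[device] = {
            "accounts": sorted(accts),
            "new_payee_transfers": len(new_payee[device]),
            "shared_payees": shared,
        }
    return alerts

if __name__ == "__main__":
    print(score_devices(EVENTS, KNOWN_PAYEES))
```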
I also heard that some banks are having users use separate and dedicated user ids and passwords for mobile banking. This helps in the documented cases where fraudsters illegally collect user credentials (user ids and passwords) used to access mobile banking applications, where they can’t do ‘too much’ damage because of limited functionality, and then reuse those credentials in online PC-based banking where they can do much more. I’m guessing it’s probably also because the fraudsters already have scripts written for PC-based Internet banking attacks and are too lazy to rewrite them for mobile banking.
So mobile bankers beware – mobile malware is not rampant yet but it’s starting to appear. For now, solutions are sparse, costly, or not yet fully implemented. And it’s a lot more expensive to use a dedicated mobile device for mobile banking than it is to use a dedicated PC for PC banking.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.