Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…
Mobile banking fraud hits Brazil

by Avivah Litan  |  August 17, 2012  |  9 Comments

It finally hit – in Brazil, which reminds me of how Internet banking fraud started – also in Brazil. It looks like the same mode of attack: one mobile device is used to illegally access multiple online bank accounts and to transfer money out of them to new payees or existing mule accounts. Apparently, the banks in Brazil are more liberal with online banking functionality (e.g. money transfers) on mobile devices than the North American and European banks are.

I also heard that some banks are having users use separate and dedicated user IDs and passwords for mobile banking. This helps in the documented cases where fraudsters illegally collect the user IDs and passwords used to access mobile banking applications, where limited functionality means they can’t do ‘too much’ damage, and then reuse those credentials in PC-based online banking, where they can do much more. I’m guessing it’s probably also because the fraudsters already have scripts written for PC-based Internet banking attacks and are too lazy to rewrite them for mobile banking.

So mobile bankers beware – mobile malware is not rampant yet but it’s starting to appear. For now, solutions are sparse, costly, or not yet fully implemented. And it’s a lot more expensive to use a dedicated mobile device for mobile banking than it is to use a dedicated PC for PC banking.
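The two patterns described above (one device logging into many accounts and moving money to new payees, and mobile-only credentials turning up on the PC channel) are both visible in ordinary session logs. The following is an added example, not code from the original post or from any bank or vendor it mentions: it runs three simple detection heuristics over a constructed session log. The pipe-separated log format, the field names, the one-hour window and three-account threshold, and the convention that mobile-only user IDs carry an `m-` prefix are all assumptions made for this illustration.

```python
"""Detection heuristics for the mobile-banking fraud pattern in the post.

Added example, not from the original post. Log format, field names,
thresholds and the 'm-' mobile-credential prefix are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample session log (not real bank data). Fields:
# timestamp|device_id|channel|user_id|account|action|payee_status
SAMPLE_LOG = """\
2012-08-15T09:01:00|dev-A1|mobile|m-alice|ACC-1001|login|
2012-08-15T09:03:00|dev-A1|mobile|m-alice|ACC-1001|transfer|new
2012-08-15T09:10:00|dev-A1|mobile|m-bob|ACC-1002|login|
2012-08-15T09:12:00|dev-A1|mobile|m-bob|ACC-1002|transfer|new
2012-08-15T09:20:00|dev-A1|mobile|m-carol|ACC-1003|login|
2012-08-15T09:25:00|dev-A1|mobile|m-carol|ACC-1003|transfer|existing
2012-08-15T10:00:00|dev-B7|mobile|m-dave|ACC-1004|login|
2012-08-15T10:02:00|dev-B7|mobile|m-dave|ACC-1004|transfer|existing
2012-08-15T11:30:00|dev-C3|web|m-erin|ACC-1005|login|
2012-08-15T11:40:00|dev-C3|web|erin|ACC-1005|login|
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str   # device fingerprint (assumed to exist in the log)
    channel: str  # "mobile" or "web"
    user: str
    account: str
    action: str   # "login" or "transfer"
    payee: str    # "new", "existing", or "" for non-transfer events


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated log into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, channel, user, account, action, payee = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), device, channel,
                            user, account, action, payee))
    return sorted(events, key=lambda e: e.ts)


def devices_spanning_accounts(events: list[Event], min_accounts: int = 3,
                              window: timedelta = timedelta(hours=1)) -> dict[str, set[str]]:
    """Devices whose logins reach >= min_accounts distinct accounts inside any window.

    Legitimate users rarely log into three unrelated accounts from one handset
    within an hour; this is the 'one device, many accounts' signal from the post.
    """
    by_device: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.action == "login":
            by_device[e.device].append(e)  # already in timestamp order
    flagged: dict[str, set[str]] = {}
    for device, logins in by_device.items():
        for i, start in enumerate(logins):
            accounts = {x.account for x in logins[i:] if x.ts - start.ts <= window}
            if len(accounts) >= min_accounts:
                flagged[device] = flagged.get(device, set()) | accounts
    return flagged


def new_payee_transfers_by_device(events: list[Event]) -> dict[str, list[tuple[str, str]]]:
    """Transfers to never-seen payees, grouped by the device that initiated them."""
    out: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for e in events:
        if e.action == "transfer" and e.payee == "new":
            out[e.device].append((e.user, e.account))
    return dict(out)


def mobile_credentials_on_web(events: list[Event], mobile_prefix: str = "m-") -> set[str]:
    """Mobile-only user IDs (assumed to carry mobile_prefix) used for web-channel logins.

    If a bank issues separate mobile credentials, a mobile ID on the PC channel
    points at the credential-reuse path the post describes.
    """
    return {e.user for e in events
            if e.channel == "web" and e.action == "login" and e.user.startswith(mobile_prefix)}


def run_detections(text: str = SAMPLE_LOG) -> dict:
    """Run all three heuristics over a log and return the findings."""
    events = parse_log(text)
    return {
        "multi_account_devices": devices_spanning_accounts(events),
        "new_payee_transfers": new_payee_transfers_by_device(events),
        "mobile_creds_on_web": mobile_credentials_on_web(events),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

On the constructed log, `dev-A1` is flagged for touching three accounts inside an hour and for two new-payee transfers, while `m-erin` is the one mobile-style credential seen on the web channel. In a real deployment the thresholds would be tuned per bank, and the device identifier would come from whatever fingerprinting the mobile app and web front end already collect.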

Category: Uncategorized

9 responses so far

  • 1 Ken   August 18, 2012 at 12:47 pm

    How is it “more expensive” to have a dedicated mobile banking phone than to have a dedicated mobile banking PC?

  • 2 Avivah Litan   August 20, 2012 at 11:37 am

    I was trying to say it’s more expensive to get a separate mobile phone and service just for mobile banking than it is to get a separate PC with service just for internet banking. Typically, people have old PCs lying around and can hook into their existing internet service at home, so the incremental cost is practically zero. I haven’t seen the same phenomenon with mobile devices and data services for the average user.

  • 3 Evgueni Krylov   August 21, 2012 at 3:27 am

    It would be better to configure a separate virtual machine just for mobile banking. I would recommend a Linux VM (any type of free Linux) and use it for banking only. I use VMware Player to run the VM, but you could use Oracle VirtualBox as well. The SSH port is usually open by default.

  • 4 Solis Consulting   August 21, 2012 at 4:06 am

    It’s also much less convenient to carry an extra mobile device…

    Evgueni, I am pretty sure the author is referring to banking via your mobile phone when referring to mobile banking, although the VM solution is better for the environment than an additional PC, with only a slight loss of security and minimal overhead for current-model PCs, and can be free if you choose the right tools, for your internet banking service.

  • 5 Brian Batch   August 21, 2012 at 4:35 am

    Interesting thoughts Avivah,

    To clarify, are you seeing new mobile malware attacking existing accounts?

    Or is this an individual (or individuals) manually logging onto accounts using previously compromised account details (i.e. standard phishing or Zeus on PC banking) to extract funds? They may access the accounts using a prepay mobile to try and conceal their identity and location?

  • 6 Jayaprakash Kavala   August 23, 2012 at 7:15 am

    Great thoughts Avivah. How is the liability situation for mobile banking fraud in Brazil? I know American and European banking customers get coverage under consumer protection laws (e.g. Reg E in the US caps customer liability at $50 if the customer reports fraud within 2 days) for lost funds in the case of mobile banking fraud. India too does not have such consumer protection clauses for electronic banking transactions.

  • 7 Fabio Assolini   August 24, 2012 at 9:12 am

    AFAIK Brazilian bad guys are attacking by creating phishing pages in mobile format. Details (in Portuguese):
    http://brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/br-mobile-phishing

    We also know “professional” bankers are massively using 3G connections on smartphones to access the accounts of the victims, using data collected by trojan bankers on the PC.
    The main reason is that only one password is required in this kind of access.

    We haven’t found a malicious app yet, but we’re near it.

    Regards,

    Fabio

  • 8 Avivah Litan   August 24, 2012 at 11:29 am

    Hi Brian,

    Sorry for the late response. I’ve been traveling. I only know the results of the attacks against mobile banking. I’m not sure what the exact method used to extract the money via mobile banking was. I’m sure it will be figured out eventually.

    Avivah

  • 9 Avivah Litan   September 9, 2012 at 4:25 pm

    Hi Jayaprakash,

    Interesting that India does not have consumer protection laws to protect against online account takeover. I don’t know the laws in Brazil. I do know that some banks won’t allow their online customers to bank online unless they download and use the required anti-malware software (in this case typically from a specialized Brazilian vendor).

    Thanks for your insight,
    Avivah