New attack vectors targeting mobile devices pose emerging risks: Manjunath Bhat of Gartner

There has been an increase in the number of malware and phishing attacks on smartphones. With our banking information stored in our smartphones' payment apps, hackers are targeting banking apps using malware to overlay the legitimate apps screen for stealing login information and funds. Manjunath Bhat, Research Director, Gartner, talks to Business Today's Nidhi Singal about the security layers on banking and payment apps, and precautionary steps a consumer can take.
 
Recent cyber-attacks on City Union Bank, Axis Bank's mobile wallet app Lime and SBI's Buddy have shaken customer's confidence in security of digital payments. How secure do you believe are the mobile banking apps and digital wallets?
 
Mobile banking apps do not adequately shield their apps to make them tamper-proof. App shielding includes code obfuscation to prevent reverse-engineering, whiteboxing of sensitive data and anti-tampering mechanisms such as certificate pinning and debug detection. Currently, apps implement platform-specific best practices but are insufficient to protect against attacks across the device, network, and app tiers.
 
How many such attacks have been orchestrated in last one year alone, globally and in India?
 
Without getting into numbers, we can confirm that new attack vectors targeting mobile devices pose an emerging risk. Mobile attacks are leveraging different types of vectors that focus on consumers, such as mobile application stores and network-based proximity attacks.
 
Payment apps today are based on USSD, UPI, NFC, audio signals amongst many other platforms? Which ones do you believe are the most secure platforms? Why?
 
The comparison between UPI and NFC is not apples-to-apples. UPI is a service for transferring money whereas NFC is a communication protocol between two devices. Security in financial transactions should adopt a "defence-in-depth" strategy, store information locally, and limit the transfer of sensitive information. NFC in that respect is secure, as data is not transmitted beyond a few centimetres.
 
Are smartphones with internet connectivity and host of apps, more vulnerable to security threat than a basic feature phone? Alternately, is the vice-versa true?
 
Smartphones have a larger attack surface, but that does not make them necessarily less secure. Feature phones could use SMS for sending second-factor authentication codes, which is worse than a mobile authenticator app on a smartphone. Bottom-line is - users should be aware of the risks of digital banking and take necessary precautions to mitigate them.
 
What security layers do you recommend should be added to make these payment modes more secure?
 
Mobile applications are more secure when they are modular, presenting a fragmented, distributed attack surface, with each component wrapped in its own "need-to-know" set of controls. Payment applications frequently make API calls, which need to be hardened, and well defended. We recommend a "defence in depth" strategy so that the breach of one component is much less likely to compromise the others.
 
According to a recent report, only about 60 per cent of cyberattacks are detected by security agencies. Rest, known threats, are identified by customers, vigilance departments and ethical hackers. How do you suggest, can a customer identify whether his account has been attacked/ hacked?
 
Users must follow a thumb rule - protect all access to account details with two-factor authentication (2FA) regardless of whether it is accessed from a mobile app or web browser. Set alerts for any transactions or login attempts to your account - most banks support this today and offer it at no additional cost. Alerts are a detection mechanism while 2FA is a prevention mechanism.
 
What precautions should the customers/users take while registering their details on such wallets/apps?

Two precautions - find out if you are using legitimate and not counterfeit app. Simply because the app has the look-and-feel of your bank and displays the bank's logo do not mean it is authentic. Always look for permissions that the app is asking you to provide, check the app-publisher's name. Secondly, set a daily limit for the amount transacted.
 
How effective are antivirus, against such threats?

They are only partly effective because remember on mobile devices, traditional signature based malware detection do not work. Gartner uses the term mobile threat defence to describe mobile security solutions that protect against vulnerabilities, rootkits and trojans, network based, and configuration based attacks, that impose a security risk to a user's mobile device. To start with, if you are using an Android device, download apps only from the Google Play store, and ensure that Google Play Protect is enabled.