Over the last two months a string of fake banking apps have hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found users of three Indian banks were targeted by the apps which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened as the data stolen from unsuspecting customers was then leaked online by way of an exposed server.
The report claims these apps all utilise the same process:
- Once the app is downloaded and launched a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials)
- Once the form is completed and submitted a pop up customer service box is displayed
- The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly
- In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.
The ESET report alarming revealed that the listing of stolen data on the attacker’s server is accessible to anyone with the link to the data, this means sensitive stolen personal data was available to absolutely anyone who happens to comes across it.
Whilst, the reality is any app on your personal smartphone may place your phone and personal data at risk, (as discussed here ‘Research Reports say risks to smartphone security aren’t phoney‘)
Customers can mitigate risk by:
- only using their financial institutions official banking apps, these are downloadable from the relevant institution’s official website;
- paying attention to the ratings, customer reviews when downloading from Google Play;
- implementing security controls on your smartphone device from a reputable mobile security provider; and
- contracting their financial institution directly to seek further guidance on the particular banking apps in use.
It cannot be overlooked, whilst Google Play moved quickly to remove the apps we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.
Copyright 2018 K & L Gates.
This post was written by Cameron Abbott and Jessica McIntosh of K & L Gates.
Read more stories like this on the National Law Review’s Cybersecurity legal news page.