PayThink

Banks are falling behind in fighting app store payment scams

Researchers recently revealed three apps published on the Apple App Store that purported to help users monitor their health but instead attempted to swindle them out of more than $100 each.

The discovery shatters the notion that iOS and the Apple App Store are immune to the threats typically associated with Android and Google Play.

The fraudulent Fitness Balance and Calories Tracker apps asked users to scan their fingerprint using Apple’s Touch ID sensor in order to personalize their app experience.
While warning the user not to lift their finger from the sensor, the app quickly served up an App Store pop-up for an in-app purchase. If the user had a payment card linked to their Apple account, the $119.99 or €139.99 transaction was authorized by that same fingerprint before they could pull their finger away, and the money was gone.

Apple and Google keep many bad apps off their stores and remove them rather promptly when notified, but criminals only get better at finding workarounds.

Just as consumers can’t afford to count on the official app stores to immediately detect and filter out every fraudulent or malicious app (e.g., mobile banking Trojans), neither can banks or financial institutions. Banks and FIs count on Android or iOS to give their customers access to their mobile banking applications.

Unfortunately, too many FIs are largely blind to the security status of their customers’ devices. A consumer’s device may be infected with a mobile banking Trojan that targets financial services apps with overlay and other attacks in order to steal credentials or initiate fraudulent transactions. And again, it’s entirely possible that the consumer downloaded that mobile banking Trojan from an official app store.

Fortunately, banks and other financial institutions can take action to protect their apps in untrusted, potentially hostile environments.

Mobile app shielding technology fortifies a mobile app, regardless of the security status of the user’s device, so that it can detect and protect against many of the most prevalent tactics and techniques attackers use today. When it comes to mobile security, it’s usually best to assume the worst (a compromised device) and then take action to protect the app and customer data even under those hostile conditions.