Click. Game Over!

The FBI’s warning about a spam email scheme using malware called “Gameover” in January 2012 is a good indication of where theft has gone. This scheme involves fake emails from the National Automated Clearing House Association, the Federal Reserve or the FDIC which attempt to trick you into clicking on a link to resolve some type of issue with your account or a recent ACH transaction. Once you click on the link, Gameover takes over your computer, and thieves can steal usernames, passwords and your money. Criminal hacking expertise has evolved to the point that online thieves can navigate around common user authentication methods used to verify your identity, including personal questions, birth dates and other private information intended to provide an extra layer of security. This is a timely reminder that your smartphone is also susceptible to hacking.

Sophisticated Mobile Scams Target YOU

Targeting a Burgeoning Market: One of every 5 U.S. consumers used a mobile phone to access a bank or other financial account in 2011, according to a survey of nearly 2,300 people by Knowledge Networks – and another 1 of every 5 consumers plan to do so in the future. A Federal Reserve statement about the survey suggests that mobile banking is poised to expand further, with usage possibly increasing to 1 of every 3 mobile phone users by next year. This means mobile banking is crossing the tipping point from a nice‐to‐have to a must‐have investment for financial institutions. A recent report by market research firm First Annapolis found that 54% of the top 100 financial institutions surveyed in the US offer some form of mobile banking. A recent Javelin Research report cites massive growth in mobile banking in the past year:

  • In 2011, the number of consumers conducting mobile banking rose dramatically from 19% to 30% of mobile consumers.
  • Those conducting mobile banking in the most recent seven days increased 50%, from 12% in 2010 to 18% in 2011.
  • Mobile banking vendors in 2010 only had a few banks live, but the average in 2011 is 173 live – a huge increase.
  • A “smartphone adoption crossover” is occurring – when more Americans will own smartphones than will own regular phones. Now smartphone adoption is at 45%, so we’re just about at that crossover point.
  • Half of smartphone owners conducted mobile banking last year.

Mobile banking use is highly correlated with age, with people in the 18-to-29-year-old age group accounting for 44% of users, while they are only 22% of all mobile phone users (people ages 60 or older accounted for only 6% of all mobile banking users although they comprise fully 24% of mobile phone users). Checking an account balance and monitoring recent transactions were the most commonly reported mobile banking activities.

Targeting the Savvy: A large number of mobile phone owners who didn’t use mobile banking expressed security concerns – security is the No. 1 reason consumers fear using mobile banking, with two out of three consumers believing that transacting on a mobile phone is ‘much less secure’ than on a computer or laptop, according to a Javelin Research report.

However, mobile banking users were much less skeptical about how secure the technology was. So those who might consider themselves savvy consumers are likely targets. What this means is that those who are young and technologically savvy and used to mobile computing may be underestimating the threat.

Cyber theft and false bank alerts are becoming increasingly sophisticated. Because you have no spam filter for text messages, and they simply appear in the same folder that holds notes from your friends and colleagues, notifications about your debit card are likely to immediately catch your attention. The term SMiShing is used to describe identity theft attempts via SMS text messages.

Recent Mobile Banking Scams: SMiShing

SMiShing scams have recently targeted some account holders at Fifth Third Bank.  Here are a few examples of what’s been popping up on mobile devices:

  • Fifth Third Bank alert. Debit card locked. Call XXX-XXX-XXXX to unlock.
  • FifthThirdB MJVA alert 119471. Please call (XXX)XXX-XXXX.
  • Fifth Third B. Message. Your card has been locked. Call XXX-XXX-XXXX to unlock.

Fifth Third advises account holders that it will never contact them by email, phone or text to request or verify information. In any case like this, it’s best to call the number directly on the back of your debit card. The FDIC recently issued new warnings about the risks of transmitting account information via mobile phones. As banks continue to develop new tools and technologies, you can be sure that identity thieves will race to develop new strategies for outsmarting them.

The new game is to send out thousands of texts to local phone numbers in the same area code as local banks, and hope many are members of that bank and fall for the scam. On February 10, 2012, SMiShing scams were reported in Tampa, Fla., where a radio show personality received a text message from an unverified sender with a 917 area code. It contained an alert from “Tampa Bay Federal Credit Union” that urged him to call a number with a 530 area code. When Schnitt called, an automated voice told him his bank card was deactivated and to enter his card number to reactivate it. He played along and entered a fake card number and expiration date. Finally, he was prompted for his PIN and then informed his card had been verified and re-activated. “Watch out,” he told his listeners, “you’ve just given them your card number, expiration date and (personal identification number), so they can wipe out your account.” Hurricane, another radio show personality and Tampa resident, says he received the same text message, and knew it was a scam because he doesn’t bank at Tampa Bay Federal Credit Union.

Marie Baskerville, member solutions representative at Tampa Bay Federal Credit Union, said, “We do use a third party to track transactions for evidence of fraud or suspicious activity. They will contact you by phone, never a text message or an email, so you can verify that phone number before calling back.” She further explained that when you call, you may or may not be prompted by automated messages to input your account number. If so, you will be transferred to a real person. “We will never ask you for the expiration date or PIN associated with your card, as we already have that information. We will ask you to list some recent transactions to verify that you are the cardholder and that you made those transactions.”

A recent TV newscast from January alerted local residents in Batesville, Ind., to watch out for fake alert texts from Indiana Bank and Trust.

Tip-offs to a Mobile Banking Scam

  • Unrecognizable phone number or strange area code.
  • Urgent text message or alert.
  • Request for personal information beyond the card number.
  • Completely automated system.
  • You are not a member of the bank contacting you.
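
Several of these tip-offs can be checked mechanically before anyone calls a number in a text. The sketch below is an added example, not part of the original article: the function name, keyword list and 555-01xx phone numbers are constructed, and the sender-versus-callback area code comparison is an assumption drawn from the Tampa report above (917 sender, 530 callback).

```python
import re

# Constructed keyword list for the "urgent text message or alert" tip-off.
URGENT = re.compile(r"\b(alert|locked|unlock|deactivated|reactivate|suspended)\b", re.I)
# North American numbers written as 530-555-0199, (530)555-0199 or 530 555 0199.
PHONE = re.compile(r"\(?(\d{3})\)?[-.\s]?(\d{3})[-.\s]?(\d{4})")


def digits(number):
    """Reduce a phone number to its last ten digits for comparison."""
    return re.sub(r"\D", "", number)[-10:]


def smishing_tipoffs(sender, body, my_banks, trusted_numbers):
    """Return the tip-offs an SMS triggers.

    my_banks        -- names of institutions the recipient really uses
    trusted_numbers -- numbers printed on the recipient's cards or statements
    """
    hits = []
    trusted = {digits(n) for n in trusted_numbers}
    sender_digits = digits(sender)

    if sender_digits not in trusted:
        hits.append("unrecognized sender number")

    # Each distinct phone number embedded in the message is a callback request.
    for callback in sorted({"".join(m) for m in PHONE.findall(body)}):
        if callback not in trusted:
            hits.append("callback number is not the one on your card")
        if len(sender_digits) == 10 and callback[:3] != sender_digits[:3]:
            hits.append("callback area code differs from sender area code")

    if URGENT.search(body):
        hits.append("urgent alert wording")

    if not any(bank.lower() in body.lower() for bank in my_banks):
        hits.append("message names no bank you use")
    return hits


if __name__ == "__main__":
    # Constructed sample modelled on the Tampa message described above.
    sample = ("Tampa Bay Federal Credit Union alert: card deactivated. "
              "Call 530-555-0199 to reactivate.")
    for hit in smishing_tipoffs("917-555-0100", sample,
                                ["Fifth Third"], ["800-555-0142"]):
        print("tip-off:", hit)
```

A message that triggers none of these checks is not thereby proven genuine; the advice to call the number on the back of your card still applies.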

Crucial Steps to Avoid Falling Victim

  • Update your computer and mobile device with the newest versions of anti-virus software.
  • Do not click on any embedded links and maintain a healthy suspicion about all email senders’ authenticity.
  • Remember, banks never request any personal information via email!
  • Be vigilant about checking your account balances. The sooner you notice and report any type of fraudulent activity, the more likely you’ll be able to be reimbursed for any missing funds.
  • Download your bank’s official app for your mobile banking needs, because that’s most secure.
  • The Federal Bureau of Investigation and Federal Deposit Insurance Corp. offer the same identity theft protection warning: If you did not initiate the communication, don’t provide any information. If you believe the contact is legitimate, call the financial institution yourself at the main number listed on your card or the company’s website, never from a link provided in an email or number provided in a text message.

Steps to Prevent Mobile Phone Theft

The lack of encryption for SMS message banking means that a banking institution must continually review its security policies. In addition, financial institutions need to educate account holders on ways to keep their information secure, including:

  • Avoid public wireless networks for banking activities.
  • Run security software on mobile devices.
  • Protect devices with strong passwords.

Has It Happened to You?

If you’ve ever fallen victim to an attack, I’d be interested in hearing more about your experience and any tips to avoid the problem.

Snap principle of mobile banking security:
Institutions need to:
  • lock down mobile apps, 
  • aggressively educate customers on identity theft, 
  • work to overcome consumer fears, and 
  • establish a relatively clean safety record to settle some consumer fears.