We all love the ease and convenience of mobile wallets, or mobile payment apps. I’d bet that, if you look down at your mobile phone right now, there is at least one mobile payment or mobile wallet app on your home screen. These apps make life, and buying, easier for us all. But just how safe is your mobile payment or mobile wallet app? That’s exactly the question we’ll explore in this post.
Mobile Wallets Are Everywhere
It’s projected that more than half the world’s population, or 4.8 billion people, will be using mobile wallets by 2025. During and after the pandemic, those same people expect to keep using mobile wallets to improve the buying experience and make purchases more efficient. For example, new mobile wallets make it easy to send money to others, who then receive the funds at local stores and businesses. These payments can be sent and received by people without bank accounts.
The Reality of Mobile Wallet Cybersecurity Attacks
As mobile wallet adoption continues to grow, mobile wallet and mobile payment apps become primary targets for hackers and fraudsters. In fact, attacks on mobile wallets have resulted in hundreds of millions of dollars lost and confidential data leaked. Here’s a not-so-fun example of what can happen when a skilled hacker gets hold of your mobile payment app. Recently, more than 50,000 mobile banking customers at 56 European banks were impacted by Xenomorph malware. Xenomorph draws a screen over a running app to trick users into revealing confidential information, which is then used to commit fraud. The attackers used this feature and other capabilities to inundate the user with requests for Accessibility Services privileges until those privileges were granted. While Xenomorph has attacked mobile banking digital wallets in the past, it can now target crypto digital wallets as well. The underlying problem is that malware attacks an app (and sometimes other apps on the same device) and uses a range of tactics to harvest data and then commit fraud.
Fintech Cybersecurity Checklist: Top 5 Mobile Wallet Cybersecurity Attacks and How to Solve Them
Here are my top 5 mobile wallet security hacks and attacks, and how to solve them.
- Input Capture Attacks, Data Harvesting, PII Harvesting
Data entry happens throughout the lifecycle of a mobile wallet or mobile payment app. Simply logging into the app is a form of data entry. Creating your account, adding personal details about yourself, and linking credit cards and bank account information are also forms of data entry. Even advanced features like scan-and-pay, which let users scan a QR code to make a payment, are a form of data entry. All forms of data entry should be protected. Malware and fraudsters can use transparent or malicious overlays, placed on top of the application’s legitimate page, to capture user or transaction data. The objective of an overlay is to secretly gather the targeted data, or to trick users into engaging with the fake (malicious) element so that the target data is harvested. In addition to overlay attacks, malware keyloggers can gather usernames, passwords, credit card information and more at the point of data entry, long before the mobile payment application saves this information to the device or backs it up to the cloud.
To protect against overlay attacks, it’s recommended to detect when overlay screens are being drawn on top of a digital wallet and either (1) shut down the app to protect it or (2) notify users so that they can contact the mobile wallet provider for further enforcement actions when a threat is detected. Here’s more information on how to protect against overlay attacks and prevent keyloggers.
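As an added example (not code from the original post), here is how an Android wallet app can detect touches delivered through an overlay window and refuse them, using the platform’s obscured-window flags; the class name and the listener interface are hypothetical.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.view.Window;
import android.widget.EditText;

/** Hypothetical input field for a wallet login or card-entry screen that refuses
 *  touches arriving through another window and reports the attempt to the app. */
public class OverlayAwareEditText extends EditText {

    /** Hypothetical callback the app uses to shut itself down or warn the user. */
    public interface OverlayListener { void onOverlayDetected(boolean fullyObscured); }

    private OverlayListener listener;

    public OverlayAwareEditText(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Ask the framework to drop touches while another window covers this view.
        setFilterTouchesWhenObscured(true);
    }

    public void setOverlayListener(OverlayListener l) { listener = l; }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partial = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partial) {
            if (listener != null) listener.onOverlayDetected(obscured);
            return false; // drop the event: it never reaches the field
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    /** On Android 12+ ask the system to hide non-system overlay windows while this
     *  activity is showing; requires android.permission.HIDE_OVERLAY_WINDOWS. */
    public static void hideOverlays(Window window) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true);
        }
    }
}
```

Touch filtering does not see keystrokes captured through an abusive Accessibility Service; for the keylogger case the app can additionally inspect AccessibilityManager.getEnabledAccessibilityServiceList() and treat unrecognised services as a risk signal.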
- Data Leakage & Theft Due to Weak/Missing Encryption & Insecure Storage
Once the user enters her data in the mobile wallet or mobile payment app, that data is stored locally on the mobile device and should be protected. In 2020, the mobile payment app Bharat Interface for Money was breached, exposing the personal and financial data of millions. The leaked information included scans of national ID cards, caste certificates, professional and educational certificates, photos used as proof of residence, names, dates of birth, age, gender, home address, religion, biometric details, fingerprint scans, ID photos, and ID numbers for government programs and social security services.
On a jailbroken or rooted device, an attacker has far more control over the underlying operating system, file system and any app running on the device, all of which allows them to access data stored in or by mobile wallet and mobile payment apps. To prevent this class of attack, mobile wallet developers and security professionals should prevent the mobile wallet from running on jailbroken or rooted devices, including blocking advanced rooting and root-hiding tools like Magisk and jailbreak bypass tools such as Liberty Lite. To make sure confidential data is not exposed, ensure that all digital wallet data stored locally is encrypted at rest, and use advanced white-box cryptography and threat-aware encryption keys to encrypt the app sandbox, files, strings, resources, preferences and native libraries.
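One way to keep linked-card material encrypted at rest on Android, as an added example that is not the post’s own code: it assumes the androidx.security:security-crypto library (Jetpack Security) and a hypothetical WalletSecureStore class, and uses Android Keystore-backed keys rather than the white-box approach the post mentions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

/** Hypothetical local store for wallet secrets (linked-card tokens, session
 *  material) that never writes plaintext into the app's data directory. */
public final class WalletSecureStore {

    private static final String PREFS_FILE = "wallet_secure_prefs";
    private final SharedPreferences prefs;

    public WalletSecureStore(Context ctx) throws GeneralSecurityException, IOException {
        // The master key lives in the Android Keystore (hardware-backed where available)
        // and is never exposed to app code; StrongBox is requested when the device has it.
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .setRequestStrongBoxBacked(true)
                .build();
        // Both the keys and the values in the preferences file are encrypted on disk,
        // so a copy of the file from a rooted device yields nothing usable.
        prefs = EncryptedSharedPreferences.create(
                ctx, PREFS_FILE, masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    /** Store the payment-network token for a linked card; the card number itself is never kept. */
    public void saveCardToken(String cardId, String token) {
        prefs.edit().putString("card_token_" + cardId, token).apply();
    }

    /** Returns the token for the card, or null if none is stored. */
    public String loadCardToken(String cardId) {
        return prefs.getString("card_token_" + cardId, null);
    }

    /** Wipe everything, e.g. on logout or when a root or overlay check fails. */
    public void wipe() {
        prefs.edit().clear().commit();
    }
}
```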
- Stop Synthetic Fraud in Mobile Wallet Apps
Weaponized mobile wallets used with emulators, simulators and other automated systems are like the digital trolls of the payment world. These incarnations can be used to commit synthetic fraud, i.e., fake accounts and fake transactions that defraud businesses and users of the mobile payment app or mobile wallet. For example, attackers can pretend to be real customers accessing their accounts from mobile devices, spoofing device IDs and OSs, and automate the process of accessing accounts and initiating payments. Attackers use automation and other tools to initiate and finalize fraudulent transactions at scale. In this case, over 20 emulators were used to spoof more than 16,000 mobile devices and access compromised accounts.
To protect against emulators, it’s recommended to implement runtime application self-protection (RASP) methods, particularly anti-tampering, anti-debugging and emulator protections. To prevent fraudsters and bad actors from weaponizing digital wallets, for example by injecting malicious code or changing a mobile app’s logic or behavior in unintended and malicious ways, it’s recommended to protect against the misuse of Frida and to block auto-clickers, Knox, BlueStacks and other app players.
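The rooted-device check recommended in the storage section and the emulator and anti-debugging checks recommended here, as one added example (not the post’s or any vendor’s code): a hypothetical RuntimeEnvironment class that gathers the classic Android signals so the wallet can refuse to run.

```java
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical RASP-style start-up checks for a wallet app: rooted device,
 *  emulator or app player, and attached debugger. */
public final class RuntimeEnvironment {

    // Well-known paths left behind by su binaries and root managers such as Magisk.
    private static final String[] ROOT_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/data/adb/magisk", "/sbin/.magisk", "/system/app/Superuser.apk"
    };

    public static boolean isRooted() {
        for (String p : ROOT_PATHS) {
            if (new File(p).exists()) return true;
        }
        // Custom ROMs signed with AOSP test keys are a further root indicator.
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    public static boolean isEmulator() {
        String fp = Build.FINGERPRINT, model = Build.MODEL, hw = Build.HARDWARE;
        return fp.startsWith("generic") || fp.startsWith("unknown")
            || model.contains("Emulator") || model.contains("Android SDK built for")
            || hw.equals("goldfish") || hw.equals("ranchu")      // QEMU-based AVD kernels
            || Build.PRODUCT.contains("sdk")
            || Build.MANUFACTURER.contains("Genymotion");
    }

    /** Java-level debugger check; native debuggers need a separate (ptrace) check. */
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** Collects the findings; an empty list means the device looks like real hardware. */
    public static List<String> findings() {
        List<String> out = new ArrayList<>();
        if (isRooted()) out.add("rooted");
        if (isEmulator()) out.add("emulator");
        if (isDebuggerAttached()) out.add("debugger");
        return out;
    }
}
```

Path and Build-property checks are exactly what root hiders and device spoofers defeat, so production wallets layer these signals under server-verified attestation (for example Play Integrity) and a RASP SDK rather than relying on them alone.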
- Man-in-the-Middle Attacks
Many articles on safeguarding mobile wallets will warn “customers” against making mobile payments on a “public service provider” or public Wi-Fi network. Why? Because it’s easy for hackers to get between your mobile wallet and its server over public Wi-Fi. According to OWASP, “The man-in-the-middle attack intercepts a communication between two systems.” When the hacker intercepts communication between your mobile wallet and its server over public Wi-Fi without HTTPS, the hacker can pull credentials and other confidential data, which they then use to access accounts and fraudulently transfer funds.
If your wallet is communicating with a server over unsecured public Wi-Fi, hackers can mount a man-in-the-middle attack, replay attack or similar. To prevent these types of attacks, it’s recommended to (1) make sure the connection is secured with TLS, SSL certificate validation and CA verification, and (2) detect malicious proxies.
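An added example of points (1) and (2) on Android (not code from the original post): it assumes the OkHttp library, a hypothetical backend host, and placeholder pins that must be replaced with the real SPKI hashes before use.

```java
import java.net.Proxy;
import java.util.Base64;
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Hypothetical HTTP client factory for a wallet app's backend calls (Android 8+). */
public final class WalletHttpClient {

    // Hypothetical backend host; never talk to anything else from the wallet.
    static final String API_HOST = "api.example-wallet.invalid";

    // Pins are "sha256/" + base64(SHA-256 of the server's SubjectPublicKeyInfo).
    // These are placeholders built from a near-zero hash, not real values.
    static final String PRIMARY_PIN = placeholderPin(0);
    static final String BACKUP_PIN  = placeholderPin(1);   // backup pin for key rotation

    private static String placeholderPin(int tag) {
        byte[] fakeHash = new byte[32];
        fakeHash[31] = (byte) tag;
        return "sha256/" + Base64.getEncoder().encodeToString(fakeHash);
    }

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                // TLS is validated against the system CA store first; pinning then
                // rejects any certificate for a key the app does not know, including one
                // issued by a CA the user was tricked into installing on hostile Wi-Fi.
                .certificatePinner(pinner)
                // Ignore any device-level proxy: that is how most interception tools
                // insert themselves between the app and its server.
                .proxy(Proxy.NO_PROXY)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /** True when a system-wide HTTP proxy is configured, a signal worth surfacing to the user. */
    public static boolean systemProxyConfigured() {
        String host = System.getProperty("http.proxyHost");
        return host != null && !host.isEmpty();
    }

    /** Only https:// URLs on the API host are acceptable; cleartext is refused up front. */
    public static boolean isAllowedUrl(String url) {
        return url.startsWith("https://" + API_HOST + "/");
    }
}
```

Pair this with a network_security_config.xml that sets cleartextTrafficPermitted="false" so the platform itself refuses plain HTTP even from code paths that bypass this client.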
- Digital Wallet Trojans
For the end user or “customer”, there are many mobile wallet clones that look similar to the legitimate apps that provide secure payment options. However, when the user tries to make a payment on the mobile wallet clone, bad actors harvest the credentials the user enters and use them to fraudulently transfer funds from the user’s actual account. Or, because the cloned app has such poor security, the fraudsters are able to elevate permissions for themselves and gain access to the confidential information they need to defraud the user.
For “sellers,” fraudsters have used fake mobile wallets to walk away with merchandise they didn’t actually pay for. In this example, bad actors cloned Paytm and Google apps and used them to try to trick shop owners into believing they had paid for items using the mobile wallets.
To protect against fake digital wallets, it’s recommended you use anti-tampering to prevent hackers from repackaging or re-signing your app. Use Mobile Piracy Prevention to ensure Android and iOS apps cannot be copied or turned into trojan apps after the app is published to the public app store. Validate that apps signed for the Apple App Store and Google Play cannot be distributed through any other app stores, and verify the integrity of the app bundle and all its contents at runtime.
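A runtime integrity self-check of the kind described above, as an added Android example (not the post’s or any product’s code): a hypothetical AppIntegrity class that verifies the APK’s signing certificate against a pinned digest and checks which store installed it; the digest here is an all-zero placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.util.Arrays;

/** Hypothetical start-up self-check: was the APK re-signed (repackaged), and did it
 *  arrive through the expected store rather than being sideloaded? */
public final class AppIntegrity {
    // SHA-256 of the release signing certificate. All-zero placeholder, not a real value.
    static final byte[] EXPECTED_CERT_SHA256 = new byte[32];
    static final String PLAY_STORE = "com.android.vending";

    /** True only if every signing certificate on the installed APK matches the pinned digest. */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            String pkg = ctx.getPackageName();
            Signature[] sigs;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                sigs = info.signingInfo.getApkContentsSigners();
            } else {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                sigs = info.signatures;
            }
            if (sigs == null || sigs.length == 0) return false;
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature s : sigs) {
                if (!Arrays.equals(sha256.digest(s.toByteArray()), EXPECTED_CERT_SHA256)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // any failure is treated as tampering
        }
    }

    /** True if Google Play installed this package; clones pushed through other channels fail. */
    public static boolean installedFromPlay(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            String installer = Build.VERSION.SDK_INT >= Build.VERSION_CODES.R
                    ? pm.getInstallSourceInfo(ctx.getPackageName()).getInstallingPackageName()
                    : pm.getInstallerPackageName(ctx.getPackageName());
            return PLAY_STORE.equals(installer);
        } catch (Exception e) {
            return false;
        }
    }
}
```

Whoever repackages the app can also patch this check out, so it is one layer: the server should independently verify the client through an attestation service before accepting a payment.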
We’d Love to Help Stop the 5 Cyber Attack Vectors Aimed at Mobile Wallets
As mobile wallets grow in popularity, it’s important to take preventative measures. Preempting fraud as opposed to dealing with the attacks and fraud after it has happened saves Fintechs millions of dollars or more in lost funds, lost reputation and internal resources spent on dealing with the attacks and resulting fraud.
I’d love to help with your security project and help your mobile wallet overcome the challenges you are facing. Let me show you how you can protect against threats to your mobile app. Please reach out to us for a demo!