Top cyber threats in 2022 that pose potential risk to Southeast Asia's mobile banking apps
By Azlan Yeng Khalid, SecIron


The banking industry has seen a radical change in terms of mobile banking. Millions of users worldwide are using mobile banking apps. But with that progress comes a new set of cyber threats: third-party apps, mobile malware, unsecured public Wi-Fi, and many more. It doesn’t matter whether an organization uses a proprietary or third-party banking app; the bank will be held accountable for any data breach.

Covid-19 was the most unexpected and unprecedented test of risk management for fintech firms and banks. Around the world, numerous banks went into the crisis in better financial health, with liquidity positions and capital strengthened significantly by measures taken after the past global financial crisis. However, the depth, sheer scale, and prolonged nature of the current economic shock have highlighted credit concerns in several countries. 98% of bank CROs (Chief Risk Officers) named credit risk the biggest issue worldwide.

Before the pandemic, fintech/banking firms were already investing in enterprise or operational resilience. Covid-19 intensified these priorities, with 70% of bank CROs mentioning operational resilience as a top priority since the pandemic. Seven in ten believe operational resilience skills will be essential and required in the risk functions. 

As businesses have gone digital and people work remotely, performance assessments must be equitable and fair. The employee voice must be understood, systematically solicited, measured, and monitored as a critical metric for corporate culture. ASEAN banks are focusing on groups and considering more employee surveys to monitor culture. 

Top Cyber Threats In 2022 That Pose Significant Risk To ASEAN Mobile Banking Apps

Social Engineering

During social engineering attacks, cybercriminals send fake texts (smishing attacks) or emails (phishing attacks) to employees to trick them into providing private information or downloading malware onto their devices.

Countermeasures – The best defense against social engineering and phishing attacks is to educate employees on how to spot suspicious messages and phishing emails and avoid falling prey to them. Minimizing people’s access to confidential data can help protect the company against social engineering attacks, since it reduces the number of access points hackers can use to reach critical information or systems.

Data Breach Through Malicious Applications

According to the CTO and CEO of Marble Security, Dave Jevans, “Companies face a greater threat from applications available on their staff’s devices than from mobile malware since 85% of applications today are unsecured.” 

According to the CEO of Appdome, Tom Tovar, “Cybercriminals can easily find the unsecured mobile application and use that to steal data, backend details, and digital wallets directly from the app or design more significant attacks.”

Countermeasures – The most effective way to defend against data leakage through unsecured or malicious apps is by using MAM (Mobile Application Management) tools. These tools enable IT admins to control corporate applications (control or wipe access permissions) on their staff’s devices without disrupting the user’s data or apps. 

End-To-End Encryption Gaps

An encryption gap is like a hole in a water pipe. Both the point where the water enters (the user’s mobile device) and the point where it exits (your system) are secure, but the hole in between lets cybercriminals access the water flow (sensitive information). An example of an encryption gap is unsecured public Wi-Fi. Since the network is not protected, it leaves a hole in the connection through which attackers can access the data your employees are sharing.

Countermeasures – End-to-end encryption is essential for any sensitive information. This includes ensuring the service providers encrypt their services to avoid unauthorized access and ensuring the systems and users’ devices are encrypted.

Spyware

Spyware is software installed on a mobile device and used to collect information. It gets onto the device when someone clicks on a suspicious advertisement, or through scams that trick people into downloading it unintentionally. Whether employees have Android or iOS devices, those devices are a prime target for data mining with spyware.

Countermeasures – Dedicated mobile security applications such as Google’s Play Protect can help employees identify and eliminate spyware that has been installed on their devices to access the company’s information. Ensuring that employees keep their applications and operating systems up-to-date helps protect the data against advanced spyware threats.

IoT (Internet Of Things) Devices

Mobile devices that access the company’s systems are branching out from tablets and mobile phones to include physical devices (such as Alexa or Google Home) and wearable tech (such as Apple Watch). These advanced IoT devices have IP addresses, which means that if the devices are connected to your network, cybercriminals can use them to access the company’s network over the internet.

Countermeasures – MDM (Mobile Device Management) and IAM (Identity and Access Management) tools can help combat IoT threats effectively. However, Machine-to-Machine (M2M)/IoT security is currently in a “wild west” phase. So, it’s up to the company to put the appropriate policy and technical regulations in place to ensure the systems are protected.

Stolen Or Lost Devices

Stolen or lost devices are not a new threat to companies. However, with more employees working remotely in coffee shops or cafes, stolen or lost devices pose a significant risk to the organization.

Countermeasures – Firstly, ensure that employees know what steps to take if a device gets stolen or lost. Since devices now offer remote services to transfer or delete data, those steps should include asking users to make sure these services are activated. Furthermore, MDM tools can encrypt, secure, and delete sensitive information on a mobile device that has been stolen or lost, so ensure these tools are installed on the device.

Poor Passwords

According to a study by Balbix, 99% of people reused their passwords between personal and work accounts. Unfortunately, those passwords are often weak as well. This habit among employees poses a threat to the company, since both work and personal accounts are accessible with the same password from the same device, which simplifies the attacker’s work of breaching your systems.

Countermeasures – For password best practices, the NIST Password Guidelines are preferred as the international standard. Insisting that employees follow these guidelines will help defend against threats from stolen or weak passwords. Moreover, requiring employees to use multi-factor authentication to access corporate apps will help minimize the risk, since attackers would need to verify their identity to log in.

Outdated Operating Systems

Like other information security initiatives, mobile security needs continuous work to identify and patch vulnerabilities that cybercriminals use to gain unauthorized access. Companies like Google and Apple address multiple vulnerabilities with OS updates. For instance, in 2016, Apple analyzed a few vulnerabilities that left devices vulnerable to spyware attacks and released a patch to secure users against them. However, the patches protect the company’s data only if staff’s devices are up-to-date.

Countermeasures – Apple and Google allow companies to push updates to managed iOS and Android devices. Third-party MDM tools also provide this functionality.

Forecasts For 2022

We have seen exponential growth in cyber-attacks in 2021. Considering the diversity of offers, effectiveness, and low costs, it’s predicted that the trend will continue. With the international coordination to crack down on significant ransomware groups, we can see a rise in regionally derived groups geared towards regional victims. Moreover, the adoption of mobile banking may lead to enormous opportunities for cyber-attacks involving mobile banking Trojans, especially RATs that can bypass banks’ security measures such as MFA and OTP. 

In 2021, we saw Android Trojans globally targeting users with a particular focus on the Middle East, Latin America, and Europe. We witnessed several families, including BasBanke, BRata, TwMobo, Ubel, SMisor, Bian, Coper, and RealRAT, actively targeting mobile users. Most of the campaigns were accompanied by social engineering. The threat actor called the user and sent a crafted text with a download link to a malicious APK file. 

Numerous businesses have gone digital and rely on online payment systems amid the pandemic. But this rapid shift isn’t accompanied by suitable security measures and is attracting cybercriminals. This issue is severe in ASEAN member countries, and the consequences of cyber-attacks will last for a while.

Thanks to Fintech applications, loads of sensitive data are stored in mobile devices. Cybercrime groups will continue to target mobile phones with advanced strategies such as malware and deep fake technology to steal victims’ information. Besides that, remote employees using corporate digital devices for entertainment purposes will pose significant cyber threats to organizations. 

What To Do Now

The first step to defend against potential cyber-attacks in 2022 is to perform a mobile application security scan, even though firms have left no stone unturned in utilizing anti-virus solutions and installing appropriate network security. App scanning is essential for ASEAN mobile banking apps to identify security loopholes since apps are the weakest link in overall organization security. 

Additionally, utilizing app hardening and real-time threat monitoring solutions can effectively secure the mobile banking app against malware, spyware, tampering, reverse engineering, and more. Using threat monitoring allows companies to identify otherwise undetected threats, like outsiders exploring or connecting to networks and compromising internal accounts. Such activities are not easy to detect otherwise, but real-time application threat monitoring systems correlate information about endpoint and network activity with contextual factors, including file/app details, URLs, and IP addresses, to accurately identify irregularities indicative of threat activity.
