Mobile banking users lose thousands of dollars to hackers

A screenshot provided by the Association of Banks in Singapore showing one of the ways in which mobile banking users were prompted to update their software. People who clicked on the link were asked to enter their credit card details to complete the
A screenshot provided by the Association of Banks in Singapore showing one of the ways in which mobile banking users were prompted to update their software. People who clicked on the link were asked to enter their credit card details to complete the software upgrade.PHOTO: ASSOCIATION OF BANKS IN SINGAPORE

Banks issue alert on malicious software targeting Android smartphone users

Mobile banking users in Singapore have lost thousands of dollars after they fell victim to malicious software targeting Android smartphones.

The Association of Banks in Singapore (ABS) yesterday issued a warning against the malicious program, hidden in a pop-up window that prompts users to update their software.

Some 50 mobile customers of major retail banks here reported losses of up to "several thousand dollars" after clicking on the dubious link, prompting ABS to issue the warning.

"ABS would like to remind mobile banking customers that smartphones are as susceptible to malware as desktop computers or laptops," said Mrs Ong-Ang Ai Boon, director of ABS.

"Now, criminals have turned to targeting Android phone users... as banks are pushing out more banking apps for user convenience."

HOW A MALICIOUS PROGRAM WORKS

The malware is able to detect banking activities, for instance, and launch a fake website to trick users into entering their banking credentials.

MR LIM CHIN KENG, the Asia-Pacific director of security solutions at security specialist F5 Networks

The dubious pop-up window is believed to have appeared after mobile phone users visited websites infected with malware.

It prompts unsuspecting users to click on an embedded link to update their WhatsApp messaging software or battery management module.

People who clicked on the link were asked to enter their credit card details to complete the software upgrade. After doing so, users were greeted with the Android green robot logo with the message: "System update in progress..."

It is at this point that cyber criminals take control of the phone, using the credit card details entered and one-time passwords received via SMS for making fraudulent online transactions.

Some users have lost several thousand dollars from online transactions which appear to originate in Eastern Europe, according to Mrs Ong-Ang. Items purchased include airline tickets.

  • Dos and don'ts

  • Do not download apps from random websites as the apps may be infected with malware.

    Do not jailbreak or remove the software restrictions of your phone’s operating system as it makes your phone more susceptible to malware.

    3  Avoid using unsecured Wi-Fi connections for sensitive transactions as cyber criminals are known to snoop around on these networks.

    Update the operating system of your device regularly as these updates contain bug fixes and new features that better secure the phone.

    Secure your smartphone with a password to prevent unauthorised use.

Bank refunds may be made on a case-by-case basis, but customers must prove that they took steps to protect their banking credentials.

As a precaution, consumers should not use their infected phones for mobile banking. Users may need to restore their phones to factory settings to remove the malware.

Users also should not download apps from dubious sources as malware can hide in these apps, said Mr Lim Chin Keng, the Asia-Pacific director of security solutions at security specialist F5 Networks. "The malware is able to detect banking activities, for instance, and launch a fake website to trick users into entering their banking credentials," he said.

Consumers are also advised to report any suspicious activities to their banks so that transactions on compromised credit cards can be blocked. Some of the victims have made a police report.

Fraudulent online transactions have risen sharply over the past three years - from 238 reported cases in 2012 to 510 cases in 2013, and 1,659 cases last year.


A screenshot provided by the Association of Banks in Singapore showing one of the ways in which mobile banking users were prompted to update their software. People who clicked on the link were asked to enter their credit card details to complete the software upgrade. PHOTO: ASSOCIATION OF BANKS IN SINGAPORE

Separately, security firm Norton's recently released online survey of more than 1,000 people here showed that Singaporeans lost over half a million dollars to cybercrime in the past year.

A version of this article appeared in the print edition of The Straits Times on December 02, 2015, with the headline 'Mobile banking users lose thousands of dollars to hackers'. Print Edition | Subscribe