11 April 2019

Man in the mobile

By Pawel Bulat, Product Manager at Comarch


There are three things we usually do not leave home without: keys, wallet and phone. The first two can be easily replaced by the third one. But to manage money using a few-inch screen is not a small task by any measure.

Granted, we can deal with managing access to the device itself quite efficiently. It is much harder for us though to protect it from malicious software.

The amount of malware not captured by Google Store security mechanisms is still quite large. According to McAfee, 2017 was a breakthrough year: a total of 4,000 threat types were identified at the time, and each of these types was found in dozens of varieties. The total amount of malware in the cryptocurrency segment increased by 70 per cent and in mobile banking by 60 per cent.

This is where it gets complicated, because: first, the market is dominated by two mobile operating systems; and second, our own habits make us reluctant to update and expand security mechanisms, which most often extend the time of a given operation, such as logging in.

Stealth and effective

However, there are risks that are essentially impossible to defend ourselves against: the ones whose occurrence we have no control over. One of them is SIM card cloning, an effective procedure run in stealth mode. You're being tracked for weeks, and struck when you least expect it. And even then, you remain in blissful ignorance.

First, a hacker installs spyware on your phone to intercept your bank login data. Then, knowing enough, they make a false ID card and, upon presenting it, obtain a duplicate of your SIM card from the operator.

All it takes now is to log into the GSM network to order a transfer and receive an SMS with an authorisation code. A newly logged in card (duplicate) will cause problems with your network connection, so sudden range loss, or logging out of the network is the first signal for you that something wrong may be happening.

The scale of this procedure indicates that it simply pays off. Hundreds of thousands of euros are often syphoned at once, which quickly migrate to cryptocurrency markets (where they disappear without a trace), or are withdrawn in a massive and coordinated manner at ATMs, in different locations at the same time.

The alternatives

In the financial industry, a mobile token for authentication and authorisation seems to be a good solution. An even better one would be a dedicated cryptographic device compliant with PSD2.

Such solutions record every attempt to activate a new phone. With the right pairing procedure, you are guaranteed that nobody else will impersonate you – even if you have a duplicate of your SIM card.

This process is entirely controlled by the bank, and there is no concern that the mobile operator will open a loophole in banking procedures by changing its own.

There are solutions (such as tPro ECC) equipped with mechanisms to protect against remote attacks when the user is not at their workstation (HPD, Human Presence Detection). It is also possible to pair such mechanisms with popular services such as Gmail or Facebook. Thanks to this, apart from the bank account itself, the user can also control access to other important resources.

The best mobile tokens for transaction authorisation also provide an attack detection mechanism and a WYSIWYS (What You See Is What You Sign) model. Transaction data must be re-entered on a separate device, where the user makes the final decision whether to accept or reject the transfer. This prevents the amount and account number from being changed without the user's knowledge in a transaction the user has already accepted. Very rarely do we actually check whether the recipient and the amount shown in the SMS are correct.
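The WYSIWYS check described above can be sketched as follows. This is an added example, not code from the article or from any Comarch product; it assumes a symmetric key shared between token and bank at pairing and an 8-digit HMAC-derived code, and all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def canonical(iban: str, amount: str, currency: str, nonce: str) -> bytes:
    # Fixed field order and separator so token and bank hash identical bytes.
    return "|".join([iban.replace(" ", "").upper(), amount, currency, nonce]).encode()


def token_code(device_key: bytes, iban: str, amount: str, currency: str, nonce: str) -> str:
    """Runs on the separate device, over the data the user entered and approved."""
    mac = hmac.new(device_key, canonical(iban, amount, currency, nonce), hashlib.sha256)
    return f"{int.from_bytes(mac.digest()[:4], 'big') % 10**8:08d}"


class Bank:
    def __init__(self):
        self.device_keys = {}  # user -> key shared with the token at pairing
        self.pending = {}      # nonce -> (user, iban, amount, currency)

    def pair_device(self, user: str) -> bytes:
        # Pairing is under the bank's control; the SIM plays no part in it.
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]

    def start_transfer(self, user: str, iban: str, amount: str, currency: str) -> str:
        # Stores the order exactly as it arrived, which may differ from what
        # the user typed if malware altered it on the way.
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (user, iban, amount, currency)
        return nonce

    def confirm(self, user: str, nonce: str, code: str) -> bool:
        order = self.pending.pop(nonce, None)  # single use, even on failure
        if order is None or order[0] != user or user not in self.device_keys:
            return False
        expected = token_code(self.device_keys[user], *order[1:], nonce)
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    bank = Bank()
    key = bank.pair_device("alice")  # constructed sample data throughout
    # The order reaches the bank with an altered payee; the user approves the intended one.
    n = bank.start_transfer("alice", "PL00ALTERED", "100.00", "EUR")
    print(bank.confirm("alice", n, token_code(key, "PL00INTENDED", "100.00", "EUR", n)))
```

Because the code is computed over the payee and amount the user approved, an order altered on its way to the bank fails verification, and a party holding only a duplicate SIM has no device key with which to produce a valid code.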

Bye, bye SMS

We are slowly forgetting about text messaging: it's being replaced by chat rooms and instant messengers. The time has come to forget about SMS as an authorisation mechanism for banking. The scale of recent attacks proves that this mechanism is flawed, and that the procedure of phishing duplicates of SIM cards and user login data allows for full control over the user's bank account. The attacker can dispose of the funds collected there as, and when, they please.

This is the best moment to start using modern, secure authentication and authorisation mechanisms such as hardware tokens and mobile applications.

If the latter support asymmetric cryptography to protect communication with a bank server (think tPro Mobile), we gain additional strong data protection, which makes it impossible for the attacker to read the data. Support for biometrics (fingerprints, face recognition) allows for quick and convenient authentication, which significantly reduces the time needed for data authorisation.



© 2019 CPI Financial. All rights reserved.
