April 29, 2019
While we love the convenience of being connected to our information 24/7, it’s important to understand that by carrying our mobile devices wherever we go, we put our wallets and investments at risk. A single cyber attack can compromise your valuable, irreplaceable data. What are the attacks du jour? What steps can you take to protect your hard-earned cash? To better understand how to protect our mobile banking and cryptocurrency investments, let’s dig into current threats to those platforms.
The current landscape
In 2017, over 1 billion people worldwide, the majority millennials, used mobile banking to access account balances, track order payments, transfer money, manage overdrafts and apply for credit cards and loans. By 2020, that number will reach 2 billion. Mobile banking technology is changing the way consumers access and manage their finances.
Fishy phishing emails
Phishing is a huge issue in banking and cryptocurrency communities. A successful phishing attack can automatically install malware on a device with just one click on an attachment or a malicious link. In 2017, a Ripple* (XRP) phishing scam struck the cryptocurrency world. Two South Korean men duped Ripple investors with fake emails, ostensibly from Ripple, asking users to enter their account details on the scammers’ phishing site. The scam led to $800,000 XRP in losses.
Sneaky phishing apps
Phishing apps, which can pass for legitimate currency converters, developer tools or games, target cryptocurrency holders to obtain access to their crypto apps. Phishing apps aim to infect your device with malware. Once installed, the malware waits for users to open banking or cryptocurrency apps and then draws fake overlay screens that ask them to log in to the legitimate app. As users enter their credentials on the fake page, the phishers grab them.
Every time you think about installing a new app, think twice. A single rogue app can cause a lot of trouble. Remember, each new app asks for permission to access your phone's data, including your contacts, photos, and camera, increasing your risk profile. Criminals will try to access your data by getting you to download malicious apps outside of an approved app store. You should avoid new, unverified apps and only download apps from known, trusted companies.
One of the most notorious crypto phishing attacks targeted the American cryptocurrency exchange Poloniex. Attackers posted a Poloniex mobile app on the Google Play Store (despite the fact that the Poloniex team didn’t develop mobile apps), promoted as a mobile gateway for the popular crypto exchange.
Banking apps are vulnerable
Researchers identified a critical flaw in some of the most popular mobile banking apps that could potentially leave tens of millions of customers, and their personal information, at risk. When a mobile app is connected to a shared network, like rogue public WiFi, hackers on the same network could perform a 'man in the middle' attack and redirect communications between the network provider and the consumer in order to steal credentials.
Santander and Allied Irish Bank mobile apps were struck by "in-app phishing" attacks that allowed a hacker to take control of part of a user's screen while they were in the app and then phish for login credentials.
It’s no surprise that banking apps are a high value target, given the assets they contain. But why are these apps so easily compromised? Experts blame a combination of inexperienced developers, a laissez-faire attitude towards mobile application security, and the practical new techniques for exploitation of mobile app flaws.
Cryptocurrency networks create new threats
Because cryptocurrency is a relatively new technology, attacks on its networks are still evolving and may remain undetected until research catches up. One of the most notable attacks is the 51% attack, which occurs when a user or a group of users controls 51% of the network's mining hashrate, or computing power. Once the attacker gains this control, he can roll back transactions, refuse to confirm transactions, or even pay with the same coin multiple times. Verge, Monacoin, Bitcoin Gold, ZenCash, and Litecoin Cash networks were hit for tens of millions of dollars. Although criminals didn’t steal directly from users, the attacks led cryptocurrencies to lose credibility, risk bankruptcy, and even have funds frozen.
Tip 1 - Be careful with public Wi-Fi
You should never perform crypto transactions on public Wi-Fi in train stations, hotels or airports. Also, keep up with the firmware updates of your at-home router. Researchers identified a Wi-Fi Protected Access (WPA) protocol vulnerability that occurs when a user's device reconnects to the same Wi-Fi network as hackers. Read more tips about public Wi-Fi.
Tip 2 - Avoid cloned sites and phishing
Never interact with cryptocurrency-related sites without the HTTPS protocol. Look for the lock in the browser window. When using Google Chrome, use a browser extension provided by trusted wallets to protect yourself from phishing scams. If you receive messages from any cryptocurrency-related resources, copy the link to the browser address field and compare it to the address of the original site. Don’t click on suspicious links and files. Always check the spelling in any email or text message you receive to avoid entering your details into cloned sites. Read more about phishing, smishing and vishing.
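The comparison described in this tip can be automated. The sketch below is an added example, not part of the original article: it requires HTTPS, compares the link's real host to a list of addresses you trust, and flags near-miss spellings. The `.example` and `.test` hosts and the names `TRUSTED` and `check_link` are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist: addresses the user typed or bookmarked themselves.
TRUSTED = {"wallet.example", "exchange.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, trusted=TRUSTED) -> str:
    """Classify a link as 'trusted', 'not-https', 'lookalike' or 'unknown'."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "not-https"
    # .hostname drops any "user@" prefix, so the link is judged by the host
    # the browser would really contact, not by what appears before the "@".
    host = (parts.hostname or "").rstrip(".").lower()
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    # Punycode labels can render as near-identical Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # Naive registered domain: last two labels (no public-suffix list here).
    base = ".".join(host.split(".")[-2:])
    netloc = parts.netloc.lower()
    for t in trusted:
        brand = t.split(".")[0]
        # A trusted name embedded in an untrusted address, or a spelling
        # within two edits of a trusted domain, is treated as a clone.
        if brand in netloc or edit_distance(base, t) <= 2:
            return "lookalike"
    return "unknown"
```

A result of "unknown" means only that the address resembles nothing on the list; it is not a statement that the site is safe.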
Tip 3 - Use U2F based 2FA
Researchers have proven that it’s possible to intercept and hijack a text message. Therefore, SMS based 2FA is not safe enough. Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards. (Is U2F going to stop phishing?)
Tip 4 - Practice rigorous browser and device security
Use a separate browser, preferably in incognito mode, for cryptocurrency operations. If you’re serious about crypto trading, get a separate PC or mobile device to perform such activities. As a general practice, you should install a network protection solution. Do not download any crypto add-ons.
Tip 5 - Follow general security practices
Use strong passwords and secure connections. Don’t share information with others where it could be easily heard or found. Install security hygiene software and don’t forget to update your devices regularly. Be mindful of social engineering techniques, like phishing, smishing and vishing, that can come your way. While these practices are not foolproof, they will go a long way toward protecting your online financial transactions.
Remember that as long as you have a bank account or hold some flashy cryptos, there will be hackers who try to access it. It’s important to stay up-to-date regarding mobile security best practices and also confirm the security of the existing tools, devices and environments you are using. The more risk-aware you are, the safer your identity and wallet will be.
*Ripple provides a frictionless experience to send money globally using the power of blockchain.
It’s clear that no technology is safe from phishing scams. We built Fyde app to protect your crypto investments from the same threats that plague other online transactions. Fyde app’s security blocks malicious text messages, emails, ads, trackers, spy apps and mining sites so you can enjoy your life online. Download the app and let us know what you think!