Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Financial Firms Face Threats from Employee Mobile Devices

A new report says that phishing and man-in-the-middle attacks are major risks to financial institutions - via mobile devices in the hands of their employees.

Financial services is a highly regulated industry, but that doesn't mean it's immune to cybersecurity woes. According to a new report, financial services organizations experience higher rates of phishing and man-in-the-middle (MiTM) attacks via mobile devices than other industries, and technology trends are making the issues even more complex.

The financial services mobile security report, published by Wandera, draws on data from 4.7 million events across 225 financial services customers. Wandera compares incidents such as phishing attacks (57% of organizations in financial services have seen these, compared to 42% across all industries) and MiTM attacks (36% in financial services compared to 24% all industries) involving mobile devices.

The specifics of the threats come in the context of rising overall threats. In the UK alone, the number of breaches in the financial services industry increased by 480% from 2017 through 2018.

One of the important findings in the report, according to Michael Covington, vice-president od product strategy at Wandera, is what is not a major issue: "I think a lot of people, when they think of threats on mobile, they think of malware, and it just isn't there," he says. "I think it's largely because the mobile devices themselves are fairly well-built."

Instead of malware, criminals are using phishing attacks to gain access to financial services networks, but not just any attacks. "We're seeing more targeted attacks within financial services instead of kind of the scattershot approach where you send out a phishing attack to everybody in the organization," he explains.

The success of phishing attacks on mobile devices in financial services may be part of a larger pattern of risky mobile behavior by those in the industry. According to the report, 42% of the organizations represented had devices with "side-loaded" apps — apps downloaded and installed from sites other than the app stores approved for the device. Covington says, "You start to see the implications of letting employees manage their own device."

And those employees are managing their devices in tremendous numbers, he says. Employee-owned devices, used to conduct company business, are targets because of the sensitive data they contain.

"There's no doubt in my mind that the criminal side of the equation is after rich data," he says. And the availability of rich data goes beyond the data just on the mobile devices since their users have access to enterprise applications and databases. "That's also why phishing attacks are specifically on the rise within financial services organizations because it's the credentials that the attacker can get," Covington says. "Those provide them access to the data repositories in the cloud or in the data center."

Protecting your organization from employee mobile devices comes down to  better managing mobile devices. "They need to be making sure that when a user logs into a service that it is indeed that user. And they need to look at the devices that those users are coming from," he says. "Sometimes it's going to matter to an organization if it's a sanctioned device. Other times it won't."

Ultimately, though, it comes down to only giving verified and authorized users access to corporate resources from their mobile devices, and only if those devices are trustworthy, he says.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/30/2019 | 6:38:11 AM
Re: Kill the reliance
LOL, but their data is being harvested to fund the large corporate conglomerates and government entities every day. There are a few areas in which it is being done:
  • Microsoft - they have telemetry built into the OS where it sends information back to their location, it can be removed but most people don't know how (Google is your friend but even those guys are doing the same thing)
  • Phones - Amazon (mobile tool sends data back based on your shopping patterns), Google sends information back based on your location and browsing searches
  • Governments - they take information from a number of different sources including the ones mentioned and prioritize this data using tools called "Boundless Informant", "Prism", "XKeyScore" and "Facia"

Readings - Boundless Informant

So to be honest, nothing is private anymore, but I digress, the conversation has gotten off track. The financial firms and the information associated with mobile devices can be managed and controlled by tools from Aruba Networks, Airwatch, SOTI MobileControl and others (reference - MDM Mgmt Tools).

But you brought up some good points.


User Rank: Moderator
7/30/2019 | 2:24:18 AM
Kill the reliance
There's definitely something to be worried about since I don't know of anybody who isn't already connected by some sort of mobile device. But it's not just being connected on such technology but the dependence of people on it! I reckon there are a lot of people who would totally freak out if their devices crashed, least of all to know that all their private information was being harvested and collected to feed the greedy corporate commercialist companies!
User Rank: Ninja
7/22/2019 | 7:22:41 AM
Re: Basic security

Yes, that is good but what if you are dealing with a disgruntled employee or someone leaving the office (I have seen attorneys take case files). Also, if they copy files to the computer, disconnect it from the network, connnect the phone to the computer and then upload a file to and from the computer. Having a policy is good, but there is a thing called human nature which will always be the problem. - Todd

User Rank: Moderator
7/22/2019 | 1:32:43 AM
Basic security
At all my previous workplaces, employees would always be reminded that external networks cannot be connected to our work network. This is to prevent any potential risks from external sources. It has become more of a common practice and almost a common sense from then on. Employees need to know basic security concerns without even having to be told.
User Rank: Ninja
7/14/2019 | 9:45:19 PM
Alternative way of looking at potential attacks
One thing that is not mentioned is the fact that the user can unplug the machine from the network, connect the phone to the computer and download or upload files from or to the phone. The phone can act as a wireless beacon and sharing device where users from different regions can access the phone over a long-distances.

Also, the phone can be installed with application software to perform a network assessment of the environment, there are discussions about Raspberry PI being on a network for a period of 10 months, I am sure a phone would not even be considered an issue because NASA did not find that device and it sticks out, not so sure they would even think to look for a phone if configured right.

A way to address this issue would be a number of ways:
  • Disable USB using AD GPOs (Group Policies)
    • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR\" -Name "start" -Value 4
  • Install and Configure "Comodo" to block PowerShell items on the network (any respected HIDS is good)
    • https://antivirus.comodo.com/
  • Configure the network to disable port if it has been disable for a period of time
    • SW1>enable
      SW1#configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      SW1(config)#interface range fastEthernet 0/1-2
      SW1(config-if-range)#switchport mode access
      SW1(config-if-range)#switchport port-security
      SW1(config-if-range)#switchport port-security maximum 1
      SW1(config-if-range)#switchport port-security mac-address sticky
      SW1(config-if-range)#switchport port-security violation restrict

There are a number of ways to address these issues but the addage is that we need to be forever vigilant.

7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-13
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attri...
PUBLISHED: 2021-05-13
An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.
PUBLISHED: 2021-05-13
A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.
PUBLISHED: 2021-05-13
Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patche...
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code execution.