Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Financial Firms Face Threats from Employee Mobile Devices

A new report says that phishing and man-in-the-middle attacks are major risks to financial institutions - via mobile devices in the hands of their employees.

Financial services is a highly regulated industry, but that doesn't mean it's immune to cybersecurity woes. According to a new report, financial services organizations experience higher rates of phishing and man-in-the-middle (MiTM) attacks via mobile devices than other industries, and technology trends are making the issues even more complex.

The financial services mobile security report, published by Wandera, draws on data from 4.7 million events across 225 financial services customers. Wandera compares incidents such as phishing attacks (57% of organizations in financial services have seen these, compared to 42% across all industries) and MiTM attacks (36% in financial services compared to 24% all industries) involving mobile devices.

The specifics of the threats come in the context of rising overall threats. In the UK alone, the number of breaches in the financial services industry increased by 480% from 2017 through 2018.

One of the important findings in the report, according to Michael Covington, vice-president od product strategy at Wandera, is what is not a major issue: "I think a lot of people, when they think of threats on mobile, they think of malware, and it just isn't there," he says. "I think it's largely because the mobile devices themselves are fairly well-built."

Instead of malware, criminals are using phishing attacks to gain access to financial services networks, but not just any attacks. "We're seeing more targeted attacks within financial services instead of kind of the scattershot approach where you send out a phishing attack to everybody in the organization," he explains.

The success of phishing attacks on mobile devices in financial services may be part of a larger pattern of risky mobile behavior by those in the industry. According to the report, 42% of the organizations represented had devices with "side-loaded" apps — apps downloaded and installed from sites other than the app stores approved for the device. Covington says, "You start to see the implications of letting employees manage their own device."

And those employees are managing their devices in tremendous numbers, he says. Employee-owned devices, used to conduct company business, are targets because of the sensitive data they contain.

"There's no doubt in my mind that the criminal side of the equation is after rich data," he says. And the availability of rich data goes beyond the data just on the mobile devices since their users have access to enterprise applications and databases. "That's also why phishing attacks are specifically on the rise within financial services organizations because it's the credentials that the attacker can get," Covington says. "Those provide them access to the data repositories in the cloud or in the data center."

Protecting your organization from employee mobile devices comes down to  better managing mobile devices. "They need to be making sure that when a user logs into a service that it is indeed that user. And they need to look at the devices that those users are coming from," he says. "Sometimes it's going to matter to an organization if it's a sanctioned device. Other times it won't."

Ultimately, though, it comes down to only giving verified and authorized users access to corporate resources from their mobile devices, and only if those devices are trustworthy, he says.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/30/2019 | 6:38:11 AM
Re: Kill the reliance
LOL, but their data is being harvested to fund the large corporate conglomerates and government entities every day. There are a few areas in which it is being done:
  • Microsoft - they have telemetry built into the OS where it sends information back to their location, it can be removed but most people don't know how (Google is your friend but even those guys are doing the same thing)
  • Phones - Amazon (mobile tool sends data back based on your shopping patterns), Google sends information back based on your location and browsing searches
  • Governments - they take information from a number of different sources including the ones mentioned and prioritize this data using tools called "Boundless Informant", "Prism", "XKeyScore" and "Facia"

Readings - Boundless Informant

So to be honest, nothing is private anymore, but I digress, the conversation has gotten off track. The financial firms and the information associated with mobile devices can be managed and controlled by tools from Aruba Networks, Airwatch, SOTI MobileControl and others (reference - MDM Mgmt Tools).

But you brought up some good points.

T

 
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
7/30/2019 | 2:24:18 AM
Kill the reliance
There's definitely something to be worried about since I don't know of anybody who isn't already connected by some sort of mobile device. But it's not just being connected on such technology but the dependence of people on it! I reckon there are a lot of people who would totally freak out if their devices crashed, least of all to know that all their private information was being harvested and collected to feed the greedy corporate commercialist companies!
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 7:22:41 AM
Re: Basic security

Yes, that is good but what if you are dealing with a disgruntled employee or someone leaving the office (I have seen attorneys take case files). Also, if they copy files to the computer, disconnect it from the network, connnect the phone to the computer and then upload a file to and from the computer. Having a policy is good, but there is a thing called human nature which will always be the problem. - Todd

 
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
7/22/2019 | 1:32:43 AM
Basic security
At all my previous workplaces, employees would always be reminded that external networks cannot be connected to our work network. This is to prevent any potential risks from external sources. It has become more of a common practice and almost a common sense from then on. Employees need to know basic security concerns without even having to be told.
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/14/2019 | 9:45:19 PM
Alternative way of looking at potential attacks
One thing that is not mentioned is the fact that the user can unplug the machine from the network, connect the phone to the computer and download or upload files from or to the phone. The phone can act as a wireless beacon and sharing device where users from different regions can access the phone over a long-distances.

Also, the phone can be installed with application software to perform a network assessment of the environment, there are discussions about Raspberry PI being on a network for a period of 10 months, I am sure a phone would not even be considered an issue because NASA did not find that device and it sticks out, not so sure they would even think to look for a phone if configured right.

A way to address this issue would be a number of ways:
  • Disable USB using AD GPOs (Group Policies)
    • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR\" -Name "start" -Value 4
  • Install and Configure "Comodo" to block PowerShell items on the network (any respected HIDS is good)
    • https://antivirus.comodo.com/
  • Configure the network to disable port if it has been disable for a period of time
    • SW1>enable
      SW1#configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      SW1(config)#interface range fastEthernet 0/1-2
      SW1(config-if-range)#switchport mode access
      SW1(config-if-range)#
      SW1(config-if-range)#switchport port-security
      SW1(config-if-range)#
      SW1(config-if-range)#switchport port-security maximum 1
      SW1(config-if-range)#switchport port-security mac-address sticky
      SW1(config-if-range)#switchport port-security violation restrict


There are a number of ways to address these issues but the addage is that we need to be forever vigilant.

Todd
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.