As fast as banks are trying to outwit online hackers, the hackers are revising their strategies to evade the new security measures.
Banks have started to send one-time codes via SMS text messages to customers to use in addition to passwords for logging in to their accounts. So hackers have devised insidious software to steal the texted codes in real time.
Researchers at software security maker McAfee even found a pair of new malware programs that target users of Google’s (GOOG) Android phones by replacing official bank apps with trojanized look-alikes. Victims think they’re logging in to their accounts legitimately, but the fake apps send everything entered, including the SMS codes, back to the criminals.
Most of the action is in Asia, where customers are far more likely to use unofficial app stores that cater to their native language.
Overall, the number of malware programs attacking mobile users continues to skyrocket. McAfee researchers collected samples of more than 30,000 malicious mobile apps in the first half of 2013, nearly matching the 35,000 seen in all of 2012.
Virtually all of this malware targets smartphones running Google’s Android operating system and is distributed mostly through unofficial app sites. Android users can install security software just like PC users to protect their phones, including several apps made by McAfee, a unit of Intel (INTC).
Hackers mainly rely on the unofficial app stores because Google has taken steps to make its Play store more secure. Android phones can easily install apps from beyond the official channel, however. That’s common practice in China, India and Japan.
“The drawback of the unofficial stores is they don’t have as good oversight or malware checking in most cases,” says Adam Wosotowsky, principal messaging operations engineer at McAfee.
Users of Apple's (AAPL) iPhone can’t easily install apps from outside Apple’s App Store. And the App Store is tightly controlled and tough for hackers to penetrate, although it has been done.
Originally, most banks required a customer to log in with just a user name and password. Sometimes, the banks required additional security questions, such as the name of the customer’s first pet. But cyber criminals had an easy time placing rogue programs on bank customers’ computers to steal all of the required login information.
So to combat the thieves, banks added so-called two-factor authentication. When a customer logs in with their password, the bank sends a one-time code in a text message to the customer’s smartphone. That was supposed to ensure that criminals with a stolen password couldn’t get into the account.
But with the text message-stealing apps, the criminals can get the texted code, as well.
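The login flow described above, and why an SMS-stealing app defeats it, as an added simulation that is not part of the original article and is not code from McAfee or any bank. The bank, phone network, user "alice", phone number and the malware hook are all constructed stand-ins for the illustration; the point it shows is that the bank only checks that the submitted code matches a fresh one it sent, so whoever reads the victim's texts in real time and also holds the stolen password passes both factors.

```python
"""Constructed simulation of password + SMS-code login and its bypass.

Not code from any real bank or from McAfee; names and numbers are made up.
"""
import hashlib
import hmac
import re
import secrets
import time


class SmsNetwork:
    """Delivers text messages to registered phones."""

    def __init__(self):
        self.phones = {}

    def register(self, number, phone):
        self.phones[number] = phone

    def send(self, number, text):
        self.phones[number].receive(text)


class Phone:
    """A handset. If infected, every incoming text is also handed to the malware."""

    def __init__(self):
        self.inbox = []
        self.malware = None  # callable that forwards texts to the attacker

    def receive(self, text):
        self.inbox.append(text)
        if self.malware is not None:
            self.malware(text)  # the code is stolen as soon as it arrives


class Bank:
    """Two-step login: password check, then a one-time code sent by SMS."""

    CODE_TTL = 120  # seconds the texted code stays valid

    def __init__(self, sms):
        self.sms = sms
        self.users = {}    # username -> (salt, password_hash, phone_number)
        self.pending = {}  # login_id -> (username, code, expires_at)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password, phone_number):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt), phone_number)

    def begin_login(self, username, password):
        """Factor 1: verify the password, then text a fresh code to the registered phone."""
        salt, pw_hash, number = self.users[username]
        if not hmac.compare_digest(pw_hash, self._hash(password, salt)):
            return None
        login_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login_id] = (username, code, time.time() + self.CODE_TTL)
        self.sms.send(number, f"Your login code is {code}")
        return login_id

    def finish_login(self, login_id, code):
        """Factor 2: accept the code if it matches, is unexpired and has not been used."""
        entry = self.pending.pop(login_id, None)  # pop makes each code single-use
        if entry is None:
            return False
        _username, expected, expires_at = entry
        return time.time() <= expires_at and hmac.compare_digest(expected, code)


def parse_code(text):
    """Pull the six-digit code out of the bank's text, as a stealing app would."""
    match = re.search(r"\b(\d{6})\b", text)
    return match.group(1) if match else ""


def victim_login(bank, phone, username, password):
    """The intended flow: the account holder reads the code off their own phone."""
    login_id = bank.begin_login(username, password)
    return login_id is not None and bank.finish_login(login_id, parse_code(phone.inbox[-1]))


def attacker_login(bank, username, stolen_password, forwarded):
    """Attacker has the password; `forwarded` is what the infected phone relays."""
    login_id = bank.begin_login(username, stolen_password)
    if login_id is None:
        return False
    code = parse_code(forwarded[-1]) if forwarded else ""
    return bank.finish_login(login_id, code)


def run_scenario(infected):
    """Returns (victim succeeds, attacker succeeds) for a clean or infected phone."""
    sms, phone = SmsNetwork(), Phone()
    sms.register("+15550100", phone)  # constructed number
    bank = Bank(sms)
    bank.add_user("alice", "correct horse", "+15550100")
    forwarded = []
    if infected:
        phone.malware = forwarded.append  # relays every text to the attacker
    return (victim_login(bank, phone, "alice", "correct horse"),
            attacker_login(bank, "alice", "correct horse", forwarded))


if __name__ == "__main__":
    print("clean phone   (victim, attacker):", run_scenario(infected=False))
    print("infected phone (victim, attacker):", run_scenario(infected=True))
```

With a clean phone the attacker's stolen password gets them past the first step only; the texted code never reaches them. Once the phone relays texts, the same bank logic accepts the attacker's login, because nothing in the check distinguishes the account holder reading the code from malware reading it. The freshness window and single-use pop in `finish_login` are the usual server-side checks and do not help here, since the attacker uses the code immediately and first.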