This past Friday, the Federal Financial Institutions Examination Council (FFIEC) released new guidance to banks, credit unions, and other financial institutions regarding mobile financial services (MFS). These are the services that institutions provide to their customers through mobile devices, such as electronic payments, remote deposits, and mobile apps.
The timing couldn't be better. Just last week, we put the spotlight on a cybercriminal who is using malicious mobile applications to steal payment card credentials. The fraudster combines traditional, browser-based phishing attacks with the mobile platform to create convincing mobile applications that impersonate the targeted institutions in order to phish their customers. Eleven of these applications recently made it through Google's review process and were published to the Google Play Store, where they were presented to individuals searching for legitimate applications.
The new guidance from the FFIEC makes it clear that regulators view the mobile channel as an area of significant and growing risk. In section AppE.3.b, the new appendix specifically calls out the risk of "rogue, corrupted, or malicious applications (or adding rogue code to applications)" as an operational risk that should be appropriately managed.
The risk of fraud and account takeover via mobile applications is real. And as our post from last week proves, it is entirely possible for cybercriminals to slip their malicious apps even into legitimate app stores such as the Google Play Store.
We actively monitor for malicious mobile applications that impersonate our clients. When a malicious app is detected, we analyze how it works and take immediate action to mitigate the threat and have it removed. To learn more, check out our Rogue Mobile App Protection service.