How Mobile App Security Helps Reduce Fraud in Fast Payments

By Dario Dallefrate

With more than half of all Americans using mobile banking and even higher usage rates in Asia, consumer demand for faster money transfers has skyrocketed. This has led to the rise of fast payment systems globally. Defined by the Committee on Payments and Market Infrastructures as near-instantaneous fund transfers, fast payments offer undeniable convenience but also introduce new security challenges for mobile app publishers. These challenges have prompted regulations from policymakers such as FedNow (US), the EU’s instant payment regulation, PIX (Brazil), UPI (India), and FAST (Singapore).

Unlike traditional methods, fast payments are irreversible, making them attractive targets for fraudsters. Real-time processing and 24/7 availability further exacerbate the risk, hindering intervention and recovery of stolen funds. The consequences of compromised fast payment transactions extend beyond consumers who are the targeted victims. It can result in bad press for app publishers leading to customer churn, damaged brand reputation, and, ultimately, revenue loss.

This blog dives into fast payment fraud on mobile apps and provides proactive strategies security professionals together with their app developer counterparts can take to mitigate these threats. We’ll explore how bad actors exploit vulnerabilities, discuss the security implications, and offer actionable advice for security professionals.

Understanding payment fraud: The Federal Reserve’s framework

The Federal Reserve has established a helpful framework for categorizing payment fraud. This framework can be applied to fast payments on mobile apps as well. There are two main types of payment fraud: authorized party fraud and unauthorized party fraud.

• Authorized party fraud happens when the payment is originated by someone who has the right to initiate the payment. That person could be deceived to start the payment by a threat actor (e.g. phishing scam, fake tech support), could act fraudulently (e.g. buying with no intention to pay), or, with reference to mobile app security, could use a cloned/ fake apps that modifies the payment information the person entered via an app form (e.g. the cloned app changes payment recipient info).
• Unauthorized party fraud occurs when the payment is originated by someone without the right to initiate the payment. This means someone steals payment information and uses it for unauthorized purchases during a different transaction. This includes account takeover (stolen login credentials), phishing for information (phishing emails/SMS, fake websites, cloned and fake apps), or data breaches (leaked payment information).

Mobile app threat vectors: How fraudsters exploit fast payments

Fast payment vulnerabilities often stem from mobile app security issues and careless user behavior. Here are common attack methods that could lead to both authorized and unauthorized party fraud.

Malware

Malicious apps like screen recorders or keyloggers steal logins or payment info during transactions. On Android devices, fraudulent apps can exploit accessibility services designed for disabled users to bypass login screens by implementing fake overlays to steal user credentials without the victim’s knowledge or to automatically approve fraudulent transactions.

Cloned and fake apps

Attackers create fake or cloned apps mimicking popular mobile banking or payment apps to steal user credentials. To distribute them, attackers trick users through phishing (e.g., fake SMS asking to install a new app version). Other tactics include exploiting sideloading from untrusted sources or alternative app stores.

Man-in-the-Middle (MitM) attacks

Fraudsters intercept communication between a user’s device and the mobile app server, capturing sensitive information like login credentials or payment details.

Real-world examples

Fast payment fraud with mobile apps isn’t hypothetical. Below are recent headlines showcasing the growing threat associated with fast payments:

• PIX malware (Brazil): Malware targeting Brazil’s PIX system steals user credentials, draining accounts. New variants exploit accessibility services for “authorized” fraud.
• Fake UPI apps (India): Fraudulent apps imitating India’s UPI platform tricked users into downloading and stealing login information.
• Banking malware in Singapore: Singapore is often in the news for malware attacking users to steal mobile banking credentials and perform unauthorized payments. This prompted the government’s Safe App Standard to provide financial services app developers with best practices to mitigate malware, fake apps, and other threats.

Mitigate fast payment fraud with a comprehensive mobile app protection strategy

To effectively mitigate fast payment fraud with mobile apps, security professionals should understand the attacker’s perspective. Let’s explore the four phases of a mobile app attack within the context of fast payments and how to mitigate them:

1. Understand the target

• Threat actor’s goal: Their objective is to learn how the targeted fast payment app works by leveraging tools to analyze the app’s code and behavior; this is accomplished by searching for vulnerabilities like exploitable security gaps. Threat actors often investigate login-in forms to understand the authentication process, screens dealing with payment data to hijack or intercept payment flow, and more
• Approaches to mitigate the threat: 1) Collaboration with developers to improve mobile app security is key. Tactics such as implementing code obfuscation and data encryption can hinder reverse engineering attempts. In addition, utilizing anti-debugging and anti-hooking measures can effectively slow down runtime analysis and tampering attempts. 2) Shifting security left by integrating security within the app’s development phase is another important approach. This can be achieved by utilizing application security testing tools specifically designed for mobile applications to identify and address security risks early in the development process.

2. Exploit the vulnerability

• Threat actor’s goal: Once vulnerabilities are identified, the attacker exploits them to obtain sensitive information such as user credentials to alter the payment data or abuse the payment APIs. This may involve patching the app with malicious code, creating fake clones to exploit the payment API backend, or creating ad-hoc malware to target the banking app.
• Approaches to mitigate the threat: Partnering with developers to implement measures such as code obfuscation and data encryption as well as run-time application self-protection can prevent mobile app repackaging and re-certification, hindering the creation of fake or cloned apps.

3. Reach the victims

• Threat actor’s goal: Attackers need channels to distribute their malicious tactics. This usually involves using third-party app stores to distribute cloned or fake apps or leveraging phishing techniques to trick users into downloading malware.
• Approaches to mitigate the threat: 1) By employing run-time application self-protection techniques, app repackaging and re-certification are difficult. 2) Implementing real-time threat monitoring tools once an app is released detects suspicious activity related to repackaging apps, like running the app in an insecure environment.

4. Scale the attack

• Threat actor’s goal: Threat actors seek to automate their attacks to scale their operations. As a result, they may target new app releases or apps with similar protections upon discovering a vulnerability.
• Approaches to mitigate the threat: 1) Implement robust mobile application protection measures which decrease the predictability of security measures. 2) Avoid static solutions such as repetition of the same security measures. 3) Utilize tools that dynamically change security configurations to disrupt automated attacks, forcing the attackers to re-strategize for each new app release. This process resets the attacker’s clock and forces new attack analysis with every release.

Conclusion

A holistic view of the 4 phases of a mobile app attack is crucial for mitigating fraud on fast payment mobile apps. Security professionals should collaborate with developers to implement a comprehensive mobile app security strategy that includes:

• Security testing to identify vulnerabilities early in the app development lifecycle
• Mobile application protection to hinder reverse engineering and tampering of the mobile app
• Real-time threat monitoring for continuous vigilance when the app is available in the market

With a clear understanding of each phase of the attack and a strategy to address the threats associated with each phase, security professionals can significantly reduce the risk of fraud in fast payment mobile apps.

To learn more about a comprehensive mobile app security strategy such as the one outlined above, connect with a Guardsquare expert.

Originally published at https://www.guardsquare.com on May 29, 2024.