Despite MDM, Financial Services Plagued by Phishing, Malware

Mobile device management (MDM) deployments haven’t exactly put the kibosh on threats to financial services.

In fact, even while MDM adoption rose 50%, quarterly exposure to phishing between 2019 and 2020 jumped by 125%, according to the Lookout Financial Services Threat Report. That’s certainly noteworthy, but the 400% increase in malware and app exposure is especially sobering.

More specifically, about 20% of mobile banking customers were using a trojanized app on a mobile device when they tried to log in to a personal mobile banking account.

Lookout found that many users have been slow to update their iPhones and Androids to the latest operating systems. The research showed 21% of iOS devices still used iOS 13 or earlier instead of iOS 14, which has been out for seven months, as has Android 11. Nearly one third (32%) of Androids use Android 9 or earlier. That’s particularly dangerous, considering that more than 350 vulnerabilities have been reported for those two older operating systems. Lagging behind in updates is an open invitation for miscreants to gain entry into an organization’s infrastructure where data is there for the taking.

Phishing attacks designed to steal corporate login credentials accounted for nearly 50% of all phishing attempts, the report said.

That attackers are upping their assault on phones, tablets and Chromebooks should come as a surprise to exactly no one. Those targets represent points of vulnerability; just one successful phish or ransomware attack can put valuable information, like client financials, investment strategies, even cash, in the hands of hackers.

Financial services are plum pickings for cybercriminals, who “have the opportunity to go after both employees and customers,” said Hank Schless, senior manager, security solutions, at Lookout. “This means security teams have to cover an incredibly broad threat landscape.”

So while targeting financial services isn’t surprising, Schless tells me the massive jump in exposure rates between 2019 and 2020 was. The 125% increase in exposure to mobile phishing “was significantly higher than any other industry.”

Mobile Device Management – Not Security

That activity, despite the investment in MDM, “proves that MDM should only be used for managing devices, not securing them,” Schless said. “These solutions can’t secure devices against cyberthreats like mobile phishing.”

The problem was exacerbated during the pandemic. “In order to keep some semblance of control over mobile access to corporate infrastructure, security teams expanded the capacity of their corporate VPNs and rolled out MDM to more mobile users,” said Schless. “The first issue is that MDMs cannot secure mobile devices. VPNs also don’t check if there are any threats on the device before allowing it to access the corporate resources and infrastructure.”

Attackers caught on quickly, and built their malware and phishing campaigns to evade the basic management policies established by MDM solutions, which accounts for “the increase in mobile threat exposures despite organizations leveraging MDM more heavily,” Schless explained.

A shift to remote work raised employees’ expectations that they should be able to seamlessly access resources from any device. “This inevitably led to more personal and unmanaged devices accessing corporate infrastructure” and loosened corporate data access policies, creating more risk, Schless said. “Attackers know that this means more users are leveraging devices that are either outside the traditional corporate perimeter or that aren’t protected by enterprise security solutions.”

Failure to Update

The failure to update mobile operating systems is as unforgivable as it is baffling because, as Schless pointed out, “almost every mobile OS update has to do with security.” Two of Apple’s recent OS versions, 14.4 and 14.5, “had critical vulnerabilities in the WebKit browser engine, which were being actively exploited,” prompting Apple to release “emergency patches because a successful exploit could allow malicious websites to perform arbitrary cross-scripting on the device,” he said. “This means that an attacker could easily redirect you to a malicious page they built, phish login credentials for personal or corporate accounts, or deliver malware to the device to spy on the user or exfiltrate files from any cloud-based service that user has access to.”

Schless stressed the importance of keeping mobile devices up to date. “Not installing updates that patch these vulnerabilities gives attackers a backstage pass to your personal data as well as any corporate infrastructure that device is connected to,” he said.


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
