The adoption of messaging platforms by banks is adding to the convenience of retail customers. Users should however beware of the risks of using such tools.
Banks increasingly are introducing popular messaging platforms to reach their mobile-savvy clients – DBS for instance launched its banking services on WhatsApp and WeChat in September while Citibank added its Facebook messenger banking chatbot a year ago.
«Banks are caught between a rock and a hard place. The reality is that customers are familiar with these everyday communication tools and would be reluctant to accept bespoke communication apps developed by the banks themselves,» said Paul Jackson, managing director, APAC leader of Cyber Risk at Kroll.
Banks have little choice but to rely on popular applications, because they help attract customers already familiar with their use. However, the convenience of such communication channels paves the way for fraud, impersonation and even hijacking of WhatsApp/WeChat accounts via social engineering.
Top Security Risks
In a 2018 survey undertaken by Synopsys, 36 percent of respondents indicated that customer-facing web applications remain the top security risk to businesses in Asia-Pacific. Last month's admission by Facebook that a security breach had affected more than 50 million accounts came as a timely reminder that even tech giants aren't spared.
Whilst the underlying technology powering chat platforms tend to be secure, criminals are looking closely at how the communication channels work in practice and what information is potentially being transmitted via them, Jackson said.
Criminal Ingenuity
Historically, fraudsters have long tried to trick users to visit fake bank website via e-mail messages pretending to be from the bank. In these fake websites, they try to trick account holders into revealing their access credentials. On mobile devices, the connection with the bank is typically via an App rather than a website.
Banks' usage of chat Apps raises the possibility that criminals could try impersonating the bank in social media chats and try to trick users into downloading and installing an «updated» version of the bank’s app but in actuality, such an app would be malicious and could help attackers steal credentials from the phone.
«Other social engineering scams have emerged which try and trick the genuine user into revealing the authentication code for their chat app (usually sent via SMS) and hence lose control of the account. Even if this is only temporary, it may allow enough time for a fraud to be perpetrated,» Jackson explained.
A Game of Cat and Mouse
The introduction of two factor authentication a few years ago was seen as the solution to impersonation in the online banking website world. However, attackers then developed more advanced ways to steal both of the two-factor credentials.
Other advanced attacks involve creating a layer in the victim’s computer to mask the identity and activities of the impersonator, and make it appear that any transactions were actually originating from the victim’s computer.
«As a result, security is a constant cat and mouse game that is pitted against the need for customer convenience. Time will tell whether there will be any successful campaigns to process-hack these new initiatives by the banks,» said Jackson.
Please Confirm
Following the launch of its banking services via chat, DBS will progressively introduce investment-related transactions in 2019. Hence, it has put in place safeguards to prevent erroneous keying of instructions.
«Relationship managers and assistant relationship managers will confirm each request with their client before placing an order,» Evy Theunis, head of digital wealth at DBS Private Bank, told finews.asia.
While clients and their relationship managers may delete or recall a message on WhatsApp and WeChat on their cellphones, all messages are still archived by the banks for compliance purposes.
User Beware
«Anything that makes our lives easier needs to be encouraged but this should come hand in hand with education and awareness. For example, users of legitimate platforms will never be redirected to websites which ask them to confirm their credentials,» said Jackson.
Neither should users ever be asked to reveal personal information via chat as a means of verification, or go to another site to download an updated version of the app, he added.
Other Precautions
Adding the bank’s official verified address in the chat application contacts inside the phone will also help to ensure that the customer knows that communications are with the authorised source and not via a fake forwarded message.
But this then means that customers must carefully guard access to the device – if physical access can be gained, then the official contact details could be changed to a fraudulent one.