Friday, January 12, 2024

Businesses can do more to protect consumers from malware

Businesses can do more to protect consumers from malware    

https://www.straitstimes.com/opinion/businesses-can-do-more-to-protect-consumers-from-malware

2024-01-12

Jan Sysmans


If one were to compile a list of the major security concerns in 2023, the scourge of scams would easily sit among the top spots.

There were several reports throughout the year of people being scammed of their hard-earned savings after their phones were hacked. 

The Singapore Police Force and Cyber Security Agency of Singapore (CSA) reported that scam cases increased nearly 65 per cent, from 13,576 in the first half of 2022, to 22,339 in the same period in 2023, with victims reported to have been cheated of $330 million.

In November 2023, the Shared Responsibility Framework was proposed by the Monetary Authority of Singapore and Infocomm Media Development Authority. Under this, financial institutions and telecommunications operators can be held liable to reimburse scam victims if they are found to be negligent in fulfilling their duties to safeguard consumer funds and protect consumers from phishing SMSes. The framework is a welcome move that holds corporations, specifically banks and telcos, accountable and encourages businesses to play a more proactive role against phishing scams.

That was followed up in late November by the three big local banks DBS, OCBC and UOB rolling out a “money lock” security feature, enabling customers to lock up funds in their bank accounts and block the money from being transferred digitally.

But while the framework was laudable, there were still gaps that needed to be addressed. For example, the Shared Responsibility Framework excludes mobile malware from the list of regulated items. Just one single variant of malware in Singapore was reported to have scammed $10 million from 750 people in a span of six months. Phishing is also just one type of scam, and threat actors today have diversified and have many more sophisticated attacks in their toolbox.

To better protect consumers, the CSA launched on Jan 10 the Safe App Standard – guidelines to app developers to ensure better security through more stringent authentication, data encryption and malware detection measures, among others. The Safe App Standard represents a positive progression in addressing the gaps identified, drawing special attention to technological solutions on strengthening authentication, authorisation, data storage security and malware protection on devices.

The next crucial step would be for companies to remain proactive in looking to protect users of their apps, and go beyond the bare minimum of compliance with regulations.
Malware on phones

While exercising vigilance against scams can go a long way, the ordinary consumer does not have the capability to detect modern malware. That onus is on businesses and app makers.

Indeed, 41.2 per cent of Singaporeans in a recent Appdome survey stated that they want the best protections against malware and fraud from app makers, and 96 per cent of all local respondents advocated for apps that protect them against malicious actors.

Given the sheer number of websites we visit and apps we use on our smartphones, it is highly likely that most of us already have malware on our phones. Malware can remain dormant and monitor the device in the background until it finds a vulnerability.

When malware attacks, it is often too late for users to alert their banks or try to reset their smartphones, as hackers may have successfully blocked any attempts to regain control of their devices. Further complicating matters is the fact that cyberthreats have evolved beyond what even the most skilled user can contend with. For context, with each new mobile application update, the first attack occurs within less than two-10ths of a second. 

The democratisation of artificial intelligence (AI) through large language models such as ChatGPT has also made it easier for hackers, as they no longer need programming knowledge to devise and automate attacks.

Companies need to up their game when it comes to cyber defences. But fortifying cyber defences must entail technology that is available today.

For instance, while the “money lock” feature rolled out by the major banks rightly prioritises the safety of consumers, these institutions need to look for more advanced tech-driven solutions that would avoid regressive steps like necessitating visits to branches and ATMs.

Ideally, it should be about protecting consumers from fraud and malware while preserving the user-friendliness and convenience that Singaporeans have got used to. There are strategies that can help companies achieve those dual objectives while staying ahead of malicious actors.
More On This Topic
Can you spot a scam? Find out how well you know 6 common scams in S'pore
Must we lose convenience to stay safe from phishing scams?
Fostering collaboration between security and developer teams

The biggest challenge in mobile app development is the inherent conflict of interest between developers and security teams.

Developers want the most user-friendly and richest experience an app can provide to customers, while cyber-security teams are focused on ensuring compliance with regulations and preventing apps from going to production with known vulnerabilities.

With development teams occupied with building a better customer experience on the app, security can at times take a back seat. There have been cases where developers publish insecure apps to meet their release schedules, which increases the risk of successful malware attacks. In fact, eShard, a mobile app penetration testing company with offices in Europe and Singapore, did an extensive review in 2022 of over 100 mobile banking applications in Europe and found that none meets the most stringent cyber-security requirements as defined by the Open Worldwide Application Security Project.

Thus, app development can at times struggle to keep pace with evolving security needs. Businesses need to provide cyberteams with more control and visibility over the security model without developers having to do any extra work.

Automation and security implementations directly during the development process will go a long way in plugging the gaps.
Simplifying the security building process

To stay ahead of malicious actors, who can now leverage AI to improve their malware and automate their attacks to be continuous, businesses need to be constantly vigilant.

According to analyst firm Intellyx, in most DevSecOps (development, security and operations) models, the cyber-security team’s job is limited to “review”, “report” and “recommend” to the development team which security features need to be implemented. The cyber-security team is then entirely reliant on the development team to make the needed changes, updates or upgrades to the mobile application defences.

Likewise, any evidence of fraud, account loss, et cetera, as well as the effectiveness of any protections are often outside of the purview of the cyber-security team. Thus, they are unable to keep pace with the rapid evolution of modern-day malware.

Traditional cyber-security offerings also struggle to keep pace with the evolving diversity and sophistication of the mobile platform and applications, often trying to force-fit bot defence methods designed for Web applications onto mobile frameworks.

Moreover, several organisations today use malware detection tools that rely on signatures – unique thumbprints associated with each malicious code. However, malicious actors are creative and are constantly making tweaks to their designs to evade detection. This process is simplified with automation and machine learning.

Businesses therefore need to rely on real-time technology that keeps up with modern malware. They can automate the development and deployment of mobile app security processes to build anti-fraud and anti-malware protections directly into the app and upgrade it to match the latest application updates.
More On This Topic
New $20m initiative in S’pore to develop tools to detect deepfakes and misinformation
In desperate times, potential scam victims must take drastic measures
Establishing clear communications with customers

When OCBC launched a security update last August, users with side-loaded apps on their devices were not allowed to access its mobile banking app and the bank faced severe criticism.

Some customers were frustrated with the inconvenience and worried about data privacy infringements. This ironically undermined the objective of the update; security solutions are successful only if customers continue to use the mobile application, otherwise there will be no one left who needs to be protected.

App makers therefore need to update their customers with the latest security threat information and, in some situations, give them the freedom of choice to respond to these matters.

For example, when dealing with low-level threats like log-ins from a jailbroken or rooted mobile phone, app makers can allow users to continue using the service despite the warning or switch to an alternate device. As for high-level threats such as hacker frameworks, security teams should block access, explain the reason to the user, and provide the app maker’s contact details.

Delivering the best experience on a mobile platform requires companies and their app makers to study potential vulnerabilities and equip themselves with the tools to shield customers against malware-related scams and attacks. App makers also need to simplify the security building process so that they can meet both their release schedules and customers’ expectations to be protected.

With increased consumer protections under the new Safe App Standard, companies now have better guidelines to secure online transactions. The challenge now is implementing it without interrupting business continuity. Organisations must leverage automation tools and ensure synergy between the developers and security teams to plug the gaps even as consumers are advised to be vigilant. 

    *Jan Sysmans is mobile app security evangelist at cyber-security firm Appdome.*

No comments: