I have been thinking about how Banks and Mobile Money providers can better protect customers during theft or carjacking situations.

Imagine this: A customer has their normal PIN, but also a duress PIN. For example, if the real PIN is 2244, entering 4422 (the reverse) silently signals distress. What happens next?

1. The system displays a decoy balance (e.g. KShs. 100).
2. Withdrawals and transfers are limited.
3. The account is silently flagged on the bank’s end.

No alerts, no alarm, just quiet protection. In high-risk situations, customers are often forced to unlock phones or banking apps. A solution like this gives them a way to comply without escalating danger while still protecting their funds. Similar “panic codes” already exist in security systems, so why not in everyday banking and mobile money? This could significantly improve customer safety, fraud prevention and trust in financial institutions. I’d love to see banks, fintechs and regulators explore ideas like this, especially in regions where these risks are real and frequent.

© Patrick Kiunyu (2026) - Facebook page
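The three behaviours the post lists (decoy balance, capped withdrawals, silent flag) map onto a small amount of server-side logic. The block below is an added example written for this page, not code from the post's author or any bank. It assumes a 4-digit PIN whose reverse is the duress PIN (as in the post), the decoy balance of KShs. 100 (from the post), PBKDF2 hashing of both PINs, and one policy the post does not mention: a palindromic PIN such as 2112 reverses to itself, so enrolment rejects it. Under duress the withdrawal cap is the decoy balance itself, so the decline message is the ordinary "Insufficient funds" and nothing in the app's responses reveals that the duress PIN was used.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Added example (not the post's own code). Values marked "assumed" are not from the post.
PBKDF2_ROUNDS = 200_000       # assumed work factor for PIN hashing
DECOY_BALANCE = 100           # decoy balance shown under duress (KShs. 100, from the post)

def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Hash a PIN with PBKDF2 so a database leak does not reveal either PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    number: str
    balance: int                 # real balance, in whole shillings
    salt: bytes
    pin_hash: bytes
    duress_hash: bytes
    flagged: bool = False        # set silently when the duress PIN is used
    audit: list = field(default_factory=list)

@dataclass
class Session:
    account: Account
    duress: bool
    withdrawn: int = 0           # total withdrawn in this session

def register(number: str, balance: int, pin: str) -> Account:
    """Enrol a 4-digit PIN; the duress PIN is its reverse, as in the post."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("PIN must be exactly 4 digits")
    duress = pin[::-1]
    # Edge case: a palindromic PIN (e.g. 2112) reverses to itself, so there would
    # be no distinct duress PIN. Reject it at enrolment (assumed policy).
    if duress == pin:
        raise ValueError("palindromic PIN has no distinct duress PIN; choose another")
    salt = os.urandom(16)
    return Account(number, balance, salt, _hash_pin(pin, salt), _hash_pin(duress, salt))

def authenticate(acct: Account, pin: str):
    """Return a Session for the normal or duress PIN, or None if neither matches.
    Both comparisons are constant-time; to the client, the duress login looks
    exactly like a normal one."""
    candidate = _hash_pin(pin, acct.salt)
    if hmac.compare_digest(candidate, acct.pin_hash):
        return Session(acct, duress=False)
    if hmac.compare_digest(candidate, acct.duress_hash):
        acct.flagged = True                      # silent flag on the bank's side
        acct.audit.append("duress-login")
        return Session(acct, duress=True)
    return None

def visible_balance(session: Session) -> int:
    """What the app shows: the decoy (minus anything already withdrawn) under duress,
    the real balance otherwise."""
    if session.duress:
        return min(DECOY_BALANCE - session.withdrawn, session.account.balance)
    return session.account.balance

def withdraw(session: Session, amount: int):
    """Withdrawals are capped at the visible balance, so under duress the cap is the
    decoy amount and the decline message is the same one a genuinely low balance gets."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if amount > visible_balance(session):
        return False, "Insufficient funds"
    session.account.balance -= amount
    session.withdrawn += amount
    if session.duress:
        session.account.audit.append(f"duress-withdrawal:{amount}")
    return True, "Approved"

if __name__ == "__main__":
    acct = register("0712-000001", balance=25_000, pin="2244")   # constructed account
    normal = authenticate(acct, "2244")
    print("normal login sees", visible_balance(normal))         # 25000
    forced = authenticate(acct, "4422")
    print("duress login sees", visible_balance(forced))         # 100
    print(withdraw(forced, 500), withdraw(forced, 60))
    print("flagged:", acct.flagged, acct.audit)
```

The flag and audit entries never reach the client; the bank's fraud desk consumes them out of band, which is the "no alerts, no alarm" property the post asks for.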
Mobile Banking Security Enhancements
Summary
Mobile banking security enhancements are upgrades and new features designed to protect users and their money from fraud and digital threats when using banking apps or mobile money. These improvements include smarter authentication methods, real-time monitoring, and user controls to keep accounts safe from scams or unauthorized access.
- Strengthen authentication: Use multi-factor authentication and unique passwords to make it harder for criminals to access your accounts.
- Check device activity: Review your app permissions, keep your device updated, and regularly monitor transactions for unusual activity.
- Educate and empower: Stay informed about scams and make use of app features like transaction alerts, temporary card locks, or blocking specific transfers to maintain control over your finances.
-
Being in the fraud prevention industry gives me an insider’s view of how fraud attacks work - including seeing new patterns emerge. Here are recent insights on how fraudsters are increasingly targeting people to take control of their bank accounts and initiate unauthorized wire transfers.

📞 The Phone Call Scam: Scammers exploit the vulnerability in PSTN to spoof caller IDs, making it seem like the call is coming from a trusted bank. A number of well-known VoIP providers make this possible.

🔓 Remote Access: Once they establish contact, scammers mention there is some suspicious activity or other important reason behind their call. They then persuade victims to install remote desktop applications like AnyDesk, or to turn on WhatsApp or Skype's screen sharing. This allows them to access banking apps and initiate transfers. This helps them to intercept login data and one-time passcodes. Banks also don't insure against such scams, leaving victims exposed.

🤖 AI in Voice Scams: Imagine combining voice recognition with GPT-based text-to-speech technology. Scammers scale their operations massively; this is a future risk we must prepare for now.

So what proactive measures can banks and digital wallets take?

1. Customer Education: Many banks already do this; keeping their customers informed about official communication channels and the importance of calling back through their verified numbers.
2. One-Time Passcodes for Payments: OTPs aren’t just for logins but are also useful for transactions, with detailed payment information included.
3. Being On a Call During Transactions: The top FinTechs are already looking into, or developing, technology to detect if a customer is on a call (phone, WhatsApp, Skype) during banking activities.
4. Detect Remote Access: Implement detection mechanisms for any remote access protocol usage during banking sessions.
5. Behavior and Velocity-Based Rules: Sophisticated monitoring should be used to flag activities in real-time based on unusual behaviour and transaction speed.
6. Device, Browser, and Proxy Monitoring: This is a quick win, as there are many technologies available to flag unusual devices, browsers, and proxy usage that deviates from the customer's norm.
7. Multiple Users on Same Device/IP: The ability to identify and flag multiple customers who are using the same device or IP address is one way to detect bots.
8. Monitoring Bank Drops and Crypto Exchanges: Pay special attention to transactions involving neobanks, crypto exchanges, or other out-of-norm receiving parties, to identify potential fraud. Some of them might not ask for ID and even if they do, it can be easily faked with photoshopped templates.

Hope you find that useful, and in the meantime, I’d love to hear what other emerging threats you’ve seen or heard of. Fostering these open conversations is what enables us all to unite together against combating fraud 👊

#FraudPrevention #CyberSecurity #DigitalBanking #ScamAwareness #AIinFraudDetection
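Measures 3 through 8 in the post are all rules evaluated over a stream of transfer events. The rule set below is an added example written for this page, not code from the post's author or any vendor product. It runs over a handful of constructed events and assumes: a 10-minute velocity window with a threshold of three transfers, an enrolment table of devices each customer has used before, an `on_call` and `remote_access` field that an in-app SDK would report (the post says such detection exists but does not describe its interface), and a recipient-type label for the receiving party. The decision policy at the end (hold versus step-up) is likewise an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not the post's own code). Thresholds and event fields are
# assumptions; a real deployment tunes them per customer segment.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3                          # the 3rd transfer inside the window trips the rule
HIGH_RISK_RECIPIENTS = {"crypto_exchange", "neobank"}

# Assumed enrolment data: devices each customer has used before.
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B1"}}

def T(hhmm: str) -> datetime:
    """Helper to build constructed timestamps on one day."""
    return datetime(2025, 1, 15, *map(int, hhmm.split(":")))

# Constructed transfer events. on_call / remote_access are the client-side signals
# the post's items 3 and 4 describe (their exact shape is assumed here).
EVENTS = [
    {"id": "t1", "ts": T("12:00"), "customer": "alice", "device": "dev-A1", "ip": "203.0.113.5",
     "amount": 50, "recipient_type": "retail", "on_call": False, "remote_access": False},
    {"id": "t2", "ts": T("12:01"), "customer": "alice", "device": "dev-A1", "ip": "203.0.113.5",
     "amount": 4_900, "recipient_type": "crypto_exchange", "on_call": False, "remote_access": True},
    {"id": "t3", "ts": T("12:03"), "customer": "alice", "device": "dev-A1", "ip": "203.0.113.5",
     "amount": 4_900, "recipient_type": "retail", "on_call": True, "remote_access": False},
    {"id": "t4", "ts": T("12:05"), "customer": "bob", "device": "dev-X9", "ip": "198.51.100.7",
     "amount": 200, "recipient_type": "retail", "on_call": False, "remote_access": False},
    {"id": "t5", "ts": T("12:06"), "customer": "carol", "device": "dev-X9", "ip": "198.51.100.7",
     "amount": 200, "recipient_type": "retail", "on_call": False, "remote_access": False},
]

def evaluate(events):
    """Run the rules in time order; return {event id: [reasons]} for flagged events."""
    history = defaultdict(list)          # customer -> past events
    device_users = defaultdict(set)      # device -> customers seen on it
    ip_users = defaultdict(set)          # ip -> customers seen on it
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        cust = ev["customer"]
        # 5. velocity: this customer's transfers inside the window, counting this one
        recent = [h for h in history[cust] if ev["ts"] - h["ts"] <= VELOCITY_WINDOW]
        if len(recent) + 1 >= VELOCITY_MAX:
            reasons.append("velocity")
        # 6. device deviating from the customer's norm
        if ev["device"] not in KNOWN_DEVICES.get(cust, set()):
            reasons.append("new-device")
        # 7. multiple customers on one device or IP (bot / mule-farm indicator);
        #    the earlier customer on the same device is only caught on a batch re-run
        device_users[ev["device"]].add(cust)
        ip_users[ev["ip"]].add(cust)
        if len(device_users[ev["device"]]) > 1:
            reasons.append("shared-device")
        if len(ip_users[ev["ip"]]) > 1:
            reasons.append("shared-ip")
        # 3./4. social-engineering signals reported by the client
        if ev["on_call"]:
            reasons.append("on-call")
        if ev["remote_access"]:
            reasons.append("remote-access")
        # 8. out-of-norm receiving party
        if ev["recipient_type"] in HIGH_RISK_RECIPIENTS:
            reasons.append("high-risk-recipient")
        if reasons:
            alerts[ev["id"]] = reasons
        history[cust].append(ev)
    return alerts

def decision(reasons):
    """Assumed policy: hold the transfer on a strong signal, otherwise step-up verification."""
    strong = {"remote-access", "shared-device", "velocity"}
    return "hold" if strong & set(reasons) else "step-up"

if __name__ == "__main__":
    for eid, why in evaluate(EVENTS).items():
        print(eid, decision(why), why)
```

Running it flags t2 (remote access tool active while paying a crypto exchange), t3 (third transfer in ten minutes while on a call), t4 (unenrolled device) and t5 (a second customer on the same device and IP); t1 passes. The point of keeping every rule's reason in the output is that a fraud analyst, not the rule, decides whether "on a call" was a scammer or a spouse.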
-
Over the past few days, I’ve noticed multiple posts regarding fraudulent transactions related to Standard Chartered Bank (Bangladesh). As both a Quality Assurance professional and an Information Security practitioner, I decided to analyze the situation from a technical perspective.

🔍 Observations
- Wallet Transfer via SCB App: Daily limit: 30,000 BDT. It generates eTAC (not OTP) → This path was not exploited.
- MFS (bKash/Nagad) Add Money – Card to Wallet: Daily limit: 50,000 BDT. This is the entry point that the fraudsters exploited.
- Transaction flow: User gets a 4-minute session time. User needs to input 4 confidential pieces of information related to the card:
  1. Credit Card Number
  2. Expiry Date
  3. CVV/CVC
  4. Cardholder Name
  Finally, when they all match, you will move to the OTP page, which has a 2-minute validity.

🚫 Systemic Red Flags
Fraudulent transactions occurred with different people, resulting in the highest daily transaction of 50,000 BDT from card to wallet.

🤔 Possible causes:
1. OTP validation gaps
2. Payment switch vulnerabilities
3. Weak backend transaction monitoring
4. 3rd party vendor or insider activity

🎲 Replication Attempt (Personal Test)
Even with a wrong name, false expiry, and an invalid CVV, I was still able to proceed to the OTP stage and even received an SMS, just by providing a valid card number. I haven't verified the outcome of entering the right OTP in the input form with this flow. This alone highlights significant validation gaps within the payment system.

⚠️ Identified Risks
- Weak customer-side controls → clients cannot restrict MFS transfers, international transactions, etc., from the app.
- Vendor dependency → SSL Wireless, Genex Infosys, card processors, and bulk SMS providers all need monitoring.
- Outdated SDKs in mobile apps.

🔐 Recommendations
1. Backend Fixes
2. Enforce transaction-bound OTPs.
3. Stronger data validation before OTP generation.
4. Regularly circulating the awareness email/SMS.
5. Automated phone verification for large/first-time transactions.
6. Security Enhancements
7. Regular audits of third-party vendors and internal audits.
8. Frequent SDK upgrades aligned with OS-level changes.

👨‍💼 Customer Protections
1. App-level controls: Block/allow MFS transfers
2. Restrict international transactions
3. Enable one-click temporary card lock
4. Ensure transaction-related SMS delivery in real-time (High priority).
5. Mask PII properly.

💡 Final Thoughts
I’ve been a Standard Chartered client since 2013. While their service consistency drastically dropped after 2020, I never expected to witness a systemic failure in this form. For a global bank, client trust is the ultimate asset — and this incident shows how fragile that can be if InfoSec and QA practices are not enforced vigilantly. This is not just about fraud. It’s about trust, accountability, and security maturity.
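Two of the post's backend recommendations, "enforce transaction-bound OTPs" and "stronger data validation before OTP generation", can be shown together in one flow. The block below is an added example written for this page, not code from the post's author, Standard Chartered or any processor. It takes the 2-minute OTP validity from the post; the three-attempt limit, the on-file card record and the transaction fields are assumptions. A real issuer never stores the CVV (the processor checks it at authorisation time); it is kept in the lookup table here only so the example runs offline. The two properties demonstrated are that no OTP (and so no SMS) is generated unless all four card fields match, and that an OTP minted for one amount and wallet is rejected when presented with a different amount or wallet, or after expiry, or a second time.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Added example (not the bank's code). OTP_TTL is from the post; MAX_ATTEMPTS and
# the card record are assumptions.
OTP_TTL = timedelta(minutes=2)
MAX_ATTEMPTS = 3

# Constructed card on file. The CVV is stored here only to keep the demo offline.
CARDS_ON_FILE = {
    "4111111111111111": {"expiry": "12/27", "cvv": "123", "name": "TEST CARDHOLDER"},
}

def card_fields_valid(fields: dict) -> bool:
    """All four card fields must match before an OTP is generated. Every comparison
    is evaluated (no short-circuit) so timing does not reveal which field was wrong."""
    card = CARDS_ON_FILE.get(fields.get("number", ""))
    if card is None:
        return False
    checks = [
        hmac.compare_digest(card["expiry"], fields.get("expiry", "")),
        hmac.compare_digest(card["cvv"], fields.get("cvv", "")),
        hmac.compare_digest(card["name"].casefold(), fields.get("name", "").casefold()),
    ]
    return all(checks)

def txn_fingerprint(txn: dict) -> str:
    """Bind the OTP to what the customer is approving: card, amount, currency, wallet."""
    canonical = "|".join([txn["card"]["number"], str(txn["amount"]), txn["currency"], txn["wallet"]])
    return hashlib.sha256(canonical.encode()).hexdigest()

def issue_otp(store: dict, txn: dict, now: datetime):
    """Validate the card first; only then mint a single-use OTP tied to this transaction."""
    if not card_fields_valid(txn["card"]):
        return None                             # no OTP, so no SMS, for an invalid card
    code = f"{secrets.randbelow(10**6):06d}"
    store[txn["id"]] = {"code": code, "fp": txn_fingerprint(txn),
                        "expires": now + OTP_TTL, "attempts": 0, "used": False}
    return code

def verify_otp(store: dict, txn: dict, code: str, now: datetime) -> str:
    """Return 'ok' or the reason the OTP was rejected."""
    rec = store.get(txn["id"])
    if rec is None:
        return "no-otp"
    if rec["used"]:
        return "used"
    if now > rec["expires"]:
        return "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    rec["attempts"] += 1
    # An OTP issued for one amount/wallet must not approve a different one.
    if not hmac.compare_digest(rec["fp"], txn_fingerprint(txn)):
        return "transaction-mismatch"
    if not hmac.compare_digest(rec["code"], code):
        return "wrong-code"
    rec["used"] = True
    return "ok"

DEMO_NOW = datetime(2025, 9, 1, 10, 0)                # constructed clock
GOOD_TXN = {"id": "tx-1", "amount": 50_000, "currency": "BDT", "wallet": "017XXXXXXXX",
            "card": {"number": "4111111111111111", "expiry": "12/27", "cvv": "123",
                     "name": "Test Cardholder"}}    # constructed; wallet is a placeholder

def run_demo() -> dict:
    """Walk the flow once and return each outcome by name."""
    store = {}
    bad_card = dict(GOOD_TXN, id="tx-0", card=dict(GOOD_TXN["card"], cvv="999"))
    results = {"bad_card_gets_otp": issue_otp(store, bad_card, DEMO_NOW) is not None}
    code = issue_otp(store, GOOD_TXN, DEMO_NOW)
    wrong = "000000" if code != "000000" else "000001"
    results["tampered_wallet"] = verify_otp(store, dict(GOOD_TXN, wallet="019XXXXXXXX"), code, DEMO_NOW)
    results["wrong_code"] = verify_otp(store, GOOD_TXN, wrong, DEMO_NOW)
    results["late"] = verify_otp(store, GOOD_TXN, code, DEMO_NOW + timedelta(minutes=3))
    results["correct"] = verify_otp(store, GOOD_TXN, code, DEMO_NOW)
    results["replay"] = verify_otp(store, GOOD_TXN, code, DEMO_NOW)
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Including the amount and destination wallet in the SMS text (the first post on this page makes the same point) lets the customer check the binding too; the fingerprint check is what enforces it server-side.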
-
A new Android trojan dubbed RatOn is raising the bar on mobile banking/crypto fraud. This combines: overlay phishing, NFC relay hacks, and automated money-transfer capabilities. It masquerades as legit apps, demands powerful device permissions, and can operate almost invisibly once payloads are installed.

Here are mitigations & defensive steps:
- Avoid side-loading apps: only install from trusted sources (Google Play, etc.), unless absolutely necessary and verified.
- Check app permissions carefully, especially Accessibility, Device Admin, “install unknown apps”, etc. If an app asks for broad access that seems unrelated to its function, be very wary.
- Be suspicious of spoofed websites and apps that mimic known brands, or those using adult themes/scare tactics.
- Enable Google Play Protect and/or use reputable mobile antivirus/anti-malware tools.

The bottom line: mobile security must keep pace. Avoid sideloading, scrutinize app permissions, keep NFC off when not needed, and use reputable protection tools. For banks and security teams, it’s time to beef up detection of anomalous transactions and overlay abuse.

https://lnkd.in/g_7FuxMH #auguryit
-
🔐 Protect Yourself from Account Takeover Fraud

One of the growing threats we’re seeing across the industry is account takeover fraud, where criminals gain access to your online or mobile banking and move your hard-earned funds before you even realize it. Here are a few simple but powerful steps you can take to help keep your accounts secure:

✅ Use strong, unique passwords — Avoid reusing passwords across different accounts. A password manager can make this easier.
✅ Turn on multi-factor authentication (MFA) — This extra step stops criminals even if they’ve stolen your password.
✅ Stay alert to scams — Fraudsters often pose as bank employees, using urgent or emotional language to trick you into transferring funds or sharing a one-time passcode. If something feels off, hang up and call your bank directly using a verified number.
✅ Monitor your accounts regularly — Set up transaction alerts so you can spot suspicious activity fast. Early detection makes a huge difference.
✅ Keep your devices updated — Regular updates protect against known security flaws that scammers exploit.

Remember — we will never ask you to move money to “safe accounts,” share verification codes, or disclose your password. Even with all our safeguards in place, you are the first line of defense. Stay vigilant, ask questions, and don’t hesitate to contact us if something doesn’t look right.

David Baker, Chief Information Security Officer, Volunteer Bank
-
I keep hearing the same problem from every bank security team. Last month, another one reached out - and their situation was textbook.

15 mobile apps. Millions of users. Zero commercial security tools.

Here's what the situation looked like: MobSF and Frida for testing. Custom payloads for each app. Weeks of work per app. 15 apps in active development.

The security lead knew exactly what they needed:
- SAST + DAST scanning in one tool
- Proof-of-concept for every finding
- Low false positive rate
- Full coverage for both Android and iOS
- Something that would meet Central Bank compliance requirements and pass internal IT security audits

The problem they couldn't solve: manual testing doesn't scale. They had the expertise. They had the tools (open-source). But the math was impossible: 15 apps × weekly releases × manual testing = perpetual backlog.

They found us on LinkedIn while researching mobile security tools. What caught their attention wasn't the technology - it was the credibility:
- Our work with Samsung and TikTok
- My background (#1 Google Play Security Researcher)
- DAST with automatic PoC generation (not just "potential vulnerability" flags)

Here's what we did: We offered a free demo scan on one of their actual apps. The scan found real vulnerabilities they hadn't caught manually - with screen recordings, stack traces, and working proof-of-concept exploits.

Why this matters: This bank isn't unique. Almost every fintech and banking security team we talk to has the same story:
- Growing mobile app portfolio
- Pressure from regulators and auditors
- Manual processes that don't scale
- Open-source tools that create more work than they solve

The gap between business velocity and security capabilities continues to widen. Mobile apps are how customers access their money. A vulnerability isn't just technical debt - it's business risk at scale. Security teams need tools that deliver answers: "Here's how it's exploited." "Here's the vulnerability." "Here's the proof." When you eliminate the validation overhead, security becomes an enabler, not a bottleneck.

P.S. If you're managing mobile security for a bank or fintech and this sounds familiar, let's talk. Book a free demo scan: https://lnkd.in/eKbtZ8yK
-
The Central Bank of the United Arab Emirates has taken a groundbreaking step in financial security: it is now mandating the phase-out of SMS and email one-time passwords (OTPs). Under the new regulation, all licensed financial institutions must replace OTPs with stronger, phishing-resistant methods, including:
- Cryptographic-enabled tokens (passkeys)
- Biometric verification (Emirates Face Recognition)
- Secure in-app approvals
- Behavioral biometrics

These measures must be implemented for critical operations such as device registration, card provisioning into digital wallets, and payment initiation. The deadline for compliance is March 31, 2026.

The move comes amid growing concerns about the vulnerabilities of OTPs. According to industry data, SMS-based fraud cost the financial sector $6.7 billion globally in 2023, with OTPs being the weak link in 15–20% of all account takeover attacks. As governments worldwide tighten cybersecurity and identity assurance requirements, many may follow the UAE’s lead in banning OTPs and enforcing modern authentication standards like passkeys, biometrics, and verifiable credentials. Could this mark the beginning of the end for OTPs around the world?

One of the world's largest telecom providers, Telefónica, is piloting a caller authentication solution that eliminates OTPs and security questions. They're joining us live on the podcast to demo this innovative solution and discuss the results of the project. Register here, it's free: https://lnkd.in/g-2DsC3S
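The post calls passkeys "phishing-resistant" without saying what makes them so; the difference from an OTP is that the device signs the origin the browser is actually on, and the bank checks that origin before anything else. The block below is an added example written for this page, not code from the post's author, the CBUAE or any vendor. It models a bank at an assumed origin, a constructed lookalike origin, and the same relay against both factors. One simplification is flagged in the code: a real passkey signs with an asymmetric key that never leaves the authenticator, while this model uses an HMAC with a per-credential secret so it runs with the standard library alone; the origin and challenge checks, which are the point, are unchanged by that substitution.

```python
import hashlib
import hmac
import json
import secrets

# Added example (not from the post). The "signature" is an HMAC stand-in for the
# authenticator's asymmetric signature (assumption, see lead-in).
BANK_ORIGIN = "https://bank.example"          # assumed relying-party origin
PHISH_ORIGIN = "https://bank-example.com"     # constructed lookalike origin

class Authenticator:
    """The user's device. It signs the origin the browser reports, not what the page claims."""
    def __init__(self):
        self.creds = {}
    def register(self):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = key
        return cred_id, key
    def sign(self, cred_id, challenge, origin):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        return client_data, hmac.new(self.creds[cred_id], client_data, hashlib.sha256).digest()

class Bank:
    def __init__(self, origin):
        self.origin, self.creds, self.challenges, self.otps = origin, {}, {}, {}
    # passkey path
    def enrol(self, user, cred_id, key):
        self.creds[user] = (cred_id, key)
    def challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]
    def verify_assertion(self, user, client_data, sig):
        cred_id, key = self.creds[user]
        if not hmac.compare_digest(hmac.new(key, client_data, hashlib.sha256).digest(), sig):
            return "bad-signature"
        data = json.loads(client_data)
        if data["origin"] != self.origin:
            return "origin-mismatch"          # assertion was produced on a phishing page
        if data["challenge"] != self.challenges.pop(user, None):
            return "stale-challenge"          # replay of an already-used assertion
        return "ok"
    # OTP path
    def send_otp(self, user):
        self.otps[user] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[user]                # delivered to the customer by SMS
    def verify_otp(self, user, code):
        return "ok" if hmac.compare_digest(self.otps.pop(user, ""), code) else "wrong-code"

def otp_under_relay():
    """The customer types the SMS code into a lookalike page, which forwards it.
    The bank has no way to tell and accepts it."""
    bank = Bank(BANK_ORIGIN)
    code_on_customers_phone = bank.send_otp("customer")
    code_forwarded_by_lookalike = code_on_customers_phone
    return bank.verify_otp("customer", code_forwarded_by_lookalike)

def passkey_under_relay():
    """Same relay against a passkey: the device signs PHISH_ORIGIN, so the bank rejects it."""
    bank, device = Bank(BANK_ORIGIN), Authenticator()
    bank.enrol("customer", *device.register())
    ch = bank.challenge("customer")                       # fetched by the lookalike from the bank
    client_data, sig = device.sign(bank.creds["customer"][0], ch, PHISH_ORIGIN)
    return bank.verify_assertion("customer", client_data, sig)

def passkey_legitimate():
    """Genuine login succeeds once; presenting the same assertion again is refused."""
    bank, device = Bank(BANK_ORIGIN), Authenticator()
    bank.enrol("customer", *device.register())
    ch = bank.challenge("customer")
    client_data, sig = device.sign(bank.creds["customer"][0], ch, BANK_ORIGIN)
    first = bank.verify_assertion("customer", client_data, sig)
    replay = bank.verify_assertion("customer", client_data, sig)
    return first, replay

if __name__ == "__main__":
    print("OTP relayed through lookalike:", otp_under_relay())        # ok
    print("passkey relayed through lookalike:", passkey_under_relay())  # origin-mismatch
    print("passkey genuine, then replayed:", passkey_legitimate())     # ('ok', 'stale-challenge')
```

The order of checks in `verify_assertion` matters: signature first (is this the enrolled device), origin second (was the user really on the bank's site), challenge last (is this assertion fresh). An OTP carries none of that context, which is why the post's "secure in-app approvals" and passkeys are grouped together as the replacement.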