How hackers steal millions from bank accounts

The latest information from IBM Security Trusteer’s mobile security research team indicatesthat hackers have been using ‘mobile emulators’ to steal millions from financial institutions in Europe and the USA.

How they did it?

They set up a network of mobile device emulators that were behind thousands of spoof devices able to access thousands of compromised accounts. A set of set of mobile device identifiers was used to spoof an actual account holder’s device, and in each case it is likely that these accounts had been infected by malware, or collected via phishing.

The hackers have the victim’s username and password, and using an automatic process are able to “script the assessment of account balances.” They can then automate large numbers of fraudulent transfers. These are never large enough to trigger bank scrutiny at the time.

How does an emulator work?

It mimics the characteristics of several mobile devices. They are often used by developers to test applications, but in the wrong hands they are a crime tool.

According to Finextra: “IBM Trusteer says that the scale of the operation is one that has never been seen before, in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices.”

IBM added, “”The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack.”

IBM Trusteer’s intelligence team has also observed a trending fraud-as-a-service offer in underground venues, promising access to this type of operation to anyone willing to pay for it, with or without the required skill.

“This lowers the entry bar for would-be criminals or those who plan to transition into the mobile fraud realm,” says IBM, and is likely to become a growing trend amongst cybercriminals.

Neobanks grow in 2020

Some good news to come out of 2020 is the growth in neobanks. According to Finextra, Exton Consulting has produced data showing that there are currently 256 neobanks globally, and several more waiting to launch.

The data indicates that a new banking business opened every five days over the last three years, and that Europe is still the main location of innovation, with three of the five most advanced markets being in the region. They are the UK, which is recognised as a neobanking powerhouse, followed by France and Sweden. It also reports that 50 million people in Europe have opened a neobanking account.

Europe leads in neobank innovation

Other markets are catching up with Europe, most notably South Korea and Brazil, but there is also substantial movement in the USA. China is somewhat unique in its challenger bank development, but it is unrivalled in terms of its numbers of clients using the “financial super apps” available there.

On the downside, not all challenger banks have been able to stay the course. A significant number of players relied on payment interchange fees as a revenue stream, and there has also been vulnerability due to rising number of defaults on loans. As a result, more than 30 neobanks have been wound down since 2015, with Australia’s Xinja being and an example.

New routes to profitability

Exton says: “On their quest for monetizing customer relationships neobanks have learned a first lesson: payment transaction fees, premium account subscription fees, or open banking commissions from brokering 3rd party services will in most cases not be sufficient to generate profits or breach beyond operational break-even.” It added, “Our expectation much rather is that Neobanks will need to offer additional products to jump the gap to sizable profitability.”

Digital lending may be one opportunity where the neobanks can thrive. Another option is, “the morphing of the product outside of financial services via the development of a super app, ” and a third possible route to profitability “lies in providing investment services to the mass affluent market.”

Exton concludes, “Irrespective of which path neobanks will take, we remain convinced that they will need to shift into profitability mode quickly as investor patience will not be unlimited. But for those that select the paths right for them, stay focused on it and grow up as an organization, the future remains bright and full of opportunities.”

Can Google Plex win over banks and consumers?

It’s only a matter of days since I wrote about the relaunch of Google Pay. Now I turn my attention to Google Plex. With a beady eye on the way traditional banks are lagging in the mobile banking stakes, it has come up with a solution that enables the old boys to keep pace with the fintech challengers, or at least that is what it appears to promise.

Ron Shevlin quotes some observations from the Snark Tank, such as this summary of the Google Plex pitch: “You’re lagging in technology. Your current vendors are years behind. Consumers think you’re irrelevant. We’re hip, we’re cool, we have all the latest technologies, and boy have we’ve got data! Come partner with us on our new checking account!”

And to some extent the potential customers are buying it. Shevlin says “three big banks, four community banks, two credit unions, and two digital banks” have announced that they have formed partnerships with Google to use the Google Plex checking account tech in 2021.

Now let’s go back to Google Pay. Google Plex will be integrated into the app, which now has three new components.

First, it has a P2P and retail payments component that essentially mimics the Venmo model. This will allow users to, “Set up group payments, put multiple people in a chat and let them send and request money from each other. It will also track who has and hasn’t paid their share and let you tap a button to pester them,” according to The Verge.

Users can also use tap-to-pay, which is pretty old hat now, except that Google has added two new features – ‘Get gas’ and ‘Order food’. Apparently the latter refers to a food ordering system that will work with more than 100,000 restaurants. And consumers will be able to use the ‘get gas’ tab to pay for gas and parking via the app in 30,000 locations.

The ‘Explore’ feature will allow Google Pay app users to browse aggregated merchant offers, and they can receive merchant offers based on their spending activity. It sounds a little like Google ads and Facebook advertising all over again.

There’s also an ‘Insights’ tab which is described by Shevlin as “Google’s version of a personal financial management (PFM) tool,” similar to those available on other digital banking platforms.

Why is Google likely to win over banks to using Google Plex: It’s quite simple: Google has access to more data than any bank; Goggle has more merchant relationships, and it has more tech resources.

Of course, while the traditional banks might see Google’s offer as the fast and easy way to catch up with digital challengers, there is one critical factor to consider: will the consumer want a Google checking account?

Is Google Pay a bank-killer app?

Google has relaunched the Google Pay app. The new app, allows consumers and businesses to send and receive money. In the case of individuals, they can send money to anyone on their phone contact list, and businesses can accept payments with just their name or a QR code. Most importantly, the new version of Google Pay allows us to do all this without having to purchase any additional hardware and doesn’t depend on payments being made through via a card terminal. As Daniel Döderlein writes at Forbes: “The difference from the old Google Pay is massive, not only in features and focus, but in the effects it will have on the market.”

He illustrates the difference the new Google Pay will make when compared with, say, a system like Apple Pay. He says, “If Company A serves consumers with a payment tool, such as an app on a device that can hold a card they serve the consumer side.” This is because the merchants need to have hardware to accept a payment. This model limits Company A to using existing networks such as Visa and Mastercard. The old Google Pay used this NFC wallet model, which is called ‘one-sided’.

Google has now shifted its focus away from NFC wallets and made a decision to go ‘two-sided’. This flies in the face of the received wisdom coming from the major card issuers. “The card industry, with Visa and MasterCard at the helm, has spent billions on telling the world that NFC is the best thing since sliced bread and that contactless payments will rule the world,” Döderlein writes, adding that while tapping your card on a card terminal might seem amazing, it’s hardly “mind blowing.” Consumer expectations are rising, and the physical store-bound hardware-based payment scenario is becoming outdated. Döderlein argues, “you can’t ignore the fact that people browse, explore, interact with and shop on their phone, often miles away from the merchant.”

People want payment methods to be even easier and more streamlined. They may want to buy and pay for something on their phone, and then collect it at the store. Removing the card payment hardware from the equation makes that possible.

This is what Google is aware of, although it is by no means the first. “AliPay, Venmo, Zelle, Swish, Mobilepay and a handful of others around the world have already reached more than 1.5 billion users based on this model,” Döderlein reminds us. He added, “The new Google Pay is a bank killer and it also brings a huge stab to the card networks on its path.”

The new Google Pay is a two-sided, proprietary mobile payment network that will address its clients directly, both consumers and merchants, rather than through a partnership with a bank, for example. This could make a big dent in the existing card payment network businesses, because payments will be pulled from a person’s account without the card networks being involved.

It will certainly affect the banks, traditional and challenger. Having a bank account was the main way to obtain a debit or credit card, now Google Pay makes it unnecessary to carry that card around with you.

The model has already been proved to work in China with AliPay and in the Nordic countries it has made payment networks bigger than that of cards.

Google clearly knows it will have a fight on its hands with the card networks, but its willingness to go forward with it, indicates that it is looking to the long term. And as Döderlein says, “it means business.”

There will be a number of losers in the banking world, but the winners are merchants and consumers. Real mobile payments are on their way and that’s a winner for all of us.