Well before the pandemic, mobile financial services were on their way up. But, in the wake of the digital banking boom, cyber-criminals are upping their own game to take advantage of all the financial customers who are new to the mobile platform or accessing it more frequently.

Financial service institutions large and small are being preyed upon by malware operators, who see the recent boom in digital channel usage (as customers’ access to branches is limited) as a boon to their efforts to implement Trojans and other malware within financial mobile web sites and applications, according to Helen Brooks, vice president of secure innovation and resiliency for Navy Federal Credit Union, and David Tuyo, president and CEO for University Credit Union. Both credit union executives were presenters at the SC Finance eConference event Tuesday, discussing the growing risk and the importance of mitigating risk from mobile malware.

“Banking Trojans have increased, and they’re more prevalent in Android because of its fragmentation,” Brooks said, adding that there are still security issues with the iPhone platform. In terms of ensuring good cyber-hygiene from the start, it is critical to make sure credit unions members “are using the right application” since many bad actors will infiltrate the application download stores themselves.

But, she added, the onus of good security maintenance cannot lay upon the FSI alone. “It’s common sense... you need to patch correctly, and you do not want to use a rooted or jailbroken phone... or sideload a third-party application.”  

Brooks, whose credit union boasts $150 billion in assets and 11 million members (most employees of the Department of Defense), pointed out that there’s a lot that their user-members can do to better protect their information and prevent against illegitimate mobile access — including simply not using a public WiFi network when banking, and making their passwords more difficult.

Tuyo, whose credit union holds $1.1 billion in assets and has 50,000 members, said that with a “member-owned” financial institution like a credit union, there’s a presumption of “a little different responsibility” — a greater need to meet members where they’re at, and a greater reliance on members to consider their own cyber-hygiene. To that end, Tuyo recommended that when changing the platform or systems, FSIs conduct a “pre-mortem” to determine what aspects could fail and better prepare.  

“We have a finite number of resources. We want to make sure we can allocate them to our core business and as close to the member as we can,” Tuyo said. “We need to put security first and imagine that that will lead to a frictionless experience for the member.”  

However, as bad actors continue to “figure out how to integrate as little malicious code as possible and still get access,” Brooks said that FSIs need to stay on their toes. “We need to really figure out the deep dive into security review to make sure the malicious code is not in the applications” that customers are downloading directly from the Google or Apple stores online — sites they tend to trust. 

One basic cybersecurity measure that Tuyo and Brooks both endorsed and recommend other FSIs suggest to their customers is the basic “spring cleaning” of mobile applications.

“If you haven’t used an application for a year, delete it,” Brooks advised, adding that many customers are very trusting of QRscanning applications in general.