The world just got a little scarier.
The Federal Deposit Insurance Corp. has publicly acknowledged for the first time that banks in the United States have had consumers’ mobile banking data stolen during wireless transmissions.
The FDIC made the disclosure in a dark corner of a document it releases quarterly called Supervisory Insights, which advises its on-the-ground compliance regulators. In a section on “data transmission security” in the Supervisory Insights issue released last month, the FDIC acknowledged that “incidents have occurred where banking credentials were stolen from an unsecure [wireless local area network].”
According to the FDIC, wireless LANs pose a significant threat to mobile banking, because “neither the customer nor the financial institution can ensure a public [wireless LAN] is secure.”
As if that is not scary enough, the FDIC effectively gave criminals a step-by-step, how-to guide for breaching mobile banking security.
“Mobile devices generally are designed to accept instructions from cell towers and search for the strongest cell tower signal. Mobile devices must authenticate themselves to the cell tower using the unique information on the device’s subscriber identity module (SIM) card to show it is a legitimate device. However, cell towers are not required to provide similar authentication to mobile devices. … Therefore, it is possible to build and operate a rogue cell phone tower, trick mobile devices into connecting to the rogue tower, and hijack the mobile session, potentially compromising mobile banking sessions.”
This most recent issue of Supervisory Insights offers the FDIC’s latest guidance on mobile banking, and it focuses squarely on mobile banking security. And the reason for that is obvious, as the FDIC hints:
“Although use of mobile banking services continues to grow, the rate of increase slowed during the past two years due in part to consumer concerns about security.”
The fact that sensitive mobile banking data has already been stolen from banks might add another year to that trend.