
Internal Control Tip of Week – New Fraud Developments Being Tracked by U.S. Banking Officials

By Thomas Canby posted 08-25-2016 13:23

  

A trending internal control concern involves the use of mobile devices to access banking and financial services. The increasing frequency of stolen bank credentials via mobile devices has caught the attention of U.S. bank regulators and the Federal Bureau of Investigation, according to recent media sources. The availability of the malware to cyber criminals is a setback for U.S. financial institutions that are increasingly promoting customers' use of digital access as a way to reduce costs and improve operational efficiencies.

The malware attack begins with a text message to your smartphone, purportedly from your banking institution, asking you to click on the text message, or it may be initiated when you click on a link on a fake banking institution website. Once installed, the malware lies dormant until the mobile device user opens a banking app. The malware then creates a customized overlay on top of the authentic banking app screen and proceeds to record your logon name, password and other information you enter.

According to a U.S. Federal Reserve study, approximately 53% of mobile device users have used their device to access their bank account online. Other studies have disclosed that only one-third of mobile device owners have installed anti-malware software. This issue is especially serious for mobile device owners who jailbreak their device to replace the factory-installed operating system in order to use “unauthorized” software and apps.

It is recommended that your school district request that employees cease using mobile devices to access the district’s bank and financial services until the district’s technology services staff can scan the employees’ mobile devices for malware. The district’s policies and procedures in this area need to be reviewed and updated. The technology services staff should also provide training to educate the district’s employees on steps to take to prevent the theft of funds by malware on mobile devices, and provide or recommend anti-malware software. The district should also periodically test compliance with policies and procedures in addition to scanning mobile devices of employees granted logon access to the district’s banking and financial services accounts.

 
