DIY: A new way mobile banking apps are used for fraud – Trevier Gits – Medium
Over the past few weeks I’ve seen more and more news articles pop up about people being scammed with fake banking apps. Fraudsters use these apps to ‘buy’ things from classified advertising websites such as Ebay.com or the Dutch Marktplaats.nl.
How does this trick work?
Since most of the stories I’ve seen about this scam come from the Netherlands, we’ll use that as our example scenario.
Let me introduce Pete. Pete bought a new laptop and wants to sell his old one, so he creates a listing on Marktplaats.nl (the Dutch equivalent of Ebay.com). Very quickly our lovely neighbourhood fraudster responds to the listing and asks whether it is possible to transfer the money on the spot if he decides to buy it, since Pete is selling a very nice laptop from a fruity brand and the ‘buyer’ doesn’t want to walk around with a lot of cash. When Pete agrees, the fraudster asks which bank Pete uses and then indicates that he has an account at a different bank. A transfer between two different banks always takes a day before the money is credited, so the seller cannot immediately check whether the money has actually arrived.
The fraudster comes to Pete’s house to view the product and indicates that he is interested. He pulls out his smartphone to transfer the money and tells Pete that he can watch while he does so. The fraudster opens his mobile banking app. Everything seems fine: the account shown has enough money in it and earlier debits are visible. The fraudster enters Pete’s name and account number, and you can then see the money being debited from the account. As further reassurance, the fraudster takes a picture of the payment screen. But because he banks with a different bank than Pete, the money will only be credited to Pete’s account the next day. Since Pete saw the transaction happen in front of him, he thinks it’s fine. But nothing could be further from the truth…
How hard is it to create a fake banking app?
So, since this happens more and more often, I started to wonder: how hard would it actually be to create such a fake banking app?
Purely for educational purposes, of course, I tried to recreate the mobile banking app of the Dutch ING Bank (all icons and imagery belong to ING Groep N.V.). I set the language of the app to English to help non-Dutch speaking readers understand this article better.
I started by taking screenshots of the actual app in order to obtain the right icons and user interface items. Using popular image manipulation software I cut out the necessary items and used some basic Google search skills to find the right icons and so on.
After determining the flow of the payment process, I created an Xcode project, since I was replicating the iOS version of the app.
In this project, I added the icons, the right startup screens and started to create my first screen.
The app has the ability to authenticate using FaceID, so that’s what I incorporated into the first screen. Once authenticated, the user can find their payment account screen. This shows the name, bank account number, current balance and transaction history. The screens for the transactions were copies of the screenshots, with the dynamic fields (the ones that need to be filled in in order to mimic an actual transaction) placed over the screenshots.
Since I needed to be able to set my own information, I created a hidden screen (opened with a special gesture) where I could set the name, bank account number and current balance shown throughout the app. This information is simply stored locally in the app.
To make the app more convincing, it deducts the amount from the bank balance just like the actual app would. The seller would be convinced that they will receive the money the next day, since they saw the transaction happen in front of them and the money get deducted from the buyer’s account.
Basically, anyone with basic programming and image manipulation skills can create a convincing-looking mobile banking app and use it to scam sellers, and unfortunately more and more people are doing so. Please keep this in mind when a potential buyer wants to transfer the money on the spot, and instead use conventional payment methods such as cash payments or bank transfers at an actual bank.