Feeds

Mobile banking security bypassed in fiendish malware blag

Bloody SIMple when you know how

Securing Web Applications Made Simple and Scalable

Cyber-crooks are blagging SIM cards that allow them to circumvent mobile-based banking security measures and swipe cash from punters' accounts.

Security biz Trusteer has uncovered two elaborate techniques that will defeat out-of-band authentication mechanisms such as SMS-delivered one-time passwords (OTP) for online banking websites. These scams involve crooks getting their hands on duplicate SIM cards to execute fraudulent transactions.

The extra effort is worthwhile because accounts protected by OTP systems typically have higher transfer limits, making them more valuable to crooks. In addition, banks tend to treat transactions given the go-ahead by OTP authorisation as less likely to be fraudulent and are therefore far less likely to be subjected to additional anti-fraud screening, according to Trusteer.

How the scams work

The first attack involves a combination of online and physical fraud: the crook either runs a phishing expedition or uses malware to obtain a victim’s bank account details and credentials. As well as requesting login details, the fraudster also seeks to obtain the intended victim's name, phone number and other personal information.

Armed with these details the crim impersonates a victim to report the mark's mobile as lost or stolen to the cops. This allows the fraudster to get their hands on a police report.

The criminal then calls the victim to notify them that their mobile phone service will be interrupted for few hours. In the meantime, the criminal visits a mobile service provider’s retail outlet, presenting the police report on the supposedly lost or stolen mobile.

The victim’s SIM card is deactivated by the mobile provider while the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number.

Trusteer came across the elaborate scheme in an underground carder forum.

In the second attack, a variant of the Gozi Trojan uses a web page injection hack on infected Windows PCs that prompts victims to enter their mobile's unique IMEI number when they attempt to access their online bank account. The malicious script explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialling *#06# onto a mobile keypad.

Using this number, the fraudster then reports the mobile phone as lost or stolen to a mark's mobile service provider and requests a new SIM card. Once the crook gets his hands on the duplicate SIM cards, OTPs intended for the victim are sent to the fraudster-controlled device instead.

"The one common thread in both schemes is that they are made possible by compromising the web browser with a Man in the Browser (MitB) attack to steal the victim’s credentials," explains Trusteer’s CTO Amit Klein. "By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions."

"They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorising these transactions themselves," he added.

More details of both scams can be found in a blog post by Trusteer here. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.