Feeds

Mobile banking security bypassed in fiendish malware blag

Bloody SIMple when you know how

Internet Security Threat Report 2014

Cyber-crooks are blagging SIM cards that allow them to circumvent mobile-based banking security measures and swipe cash from punters' accounts.

Security biz Trusteer has uncovered two elaborate techniques that will defeat out-of-band authentication mechanisms such as SMS-delivered one-time passwords (OTP) for online banking websites. These scams involve crooks getting their hands on duplicate SIM cards to execute fraudulent transactions.

The extra effort is worthwhile because accounts protected by OTP systems typically have higher transfer limits, making them more valuable to crooks. In addition, banks tend to treat transactions given the go-ahead by OTP authorisation as less likely to be fraudulent and are therefore far less likely to be subjected to additional anti-fraud screening, according to Trusteer.

How the scams work

The first attack involves a combination of online and physical fraud: the crook either runs a phishing expedition or uses malware to obtain a victim’s bank account details and credentials. As well as requesting login details, the fraudster also seeks to obtain the intended victim's name, phone number and other personal information.

Armed with these details the crim impersonates a victim to report the mark's mobile as lost or stolen to the cops. This allows the fraudster to get their hands on a police report.

The criminal then calls the victim to notify them that their mobile phone service will be interrupted for few hours. In the meantime, the criminal visits a mobile service provider’s retail outlet, presenting the police report on the supposedly lost or stolen mobile.

The victim’s SIM card is deactivated by the mobile provider while the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number.

Trusteer came across the elaborate scheme in an underground carder forum.

In the second attack, a variant of the Gozi Trojan uses a web page injection hack on infected Windows PCs that prompts victims to enter their mobile's unique IMEI number when they attempt to access their online bank account. The malicious script explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialling *#06# onto a mobile keypad.

Using this number, the fraudster then reports the mobile phone as lost or stolen to a mark's mobile service provider and requests a new SIM card. Once the crook gets his hands on the duplicate SIM cards, OTPs intended for the victim are sent to the fraudster-controlled device instead.

"The one common thread in both schemes is that they are made possible by compromising the web browser with a Man in the Browser (MitB) attack to steal the victim’s credentials," explains Trusteer’s CTO Amit Klein. "By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions."

"They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorising these transactions themselves," he added.

More details of both scams can be found in a blog post by Trusteer here. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.