Mobile banking security bypassed in fiendish malware blag

Cyber-crooks are blagging SIM cards that allow them to circumvent mobile-based banking security measures and swipe cash from punters' accounts. Security biz Trusteer has uncovered two elaborate techniques that will defeat out-of-band authentication mechanisms such as SMS-delivered one-time passwords (OTP) for online banking …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Just as well I don't use Online Banking

    as I never trusted it in the first place, not even just "voice over the phone" banking facilities.

    1. Graham Marsden
      Facepalm

      Re: Just as well I don't use Online Banking

      Yes, and keeping your cash under your mattress is so much safer too...

      1. LinkOfHyrule
        Paris Hilton

        Re: Just as well I don't use Online Banking

        Unless you fall victim to a bedroom based man in the middle attack - aka a threesome with a thief!

    2. Anonymous Coward
      Anonymous Coward

      Re: Just as well I don't use Online Banking

      What is it with IT guys behaving like utter luddites and not being able to deal with change? I just don't get it, especially coming from such a fast moving industry.

      At my previous work we decided to stop mirroring disks (by default) in the enterprise disk arrays and RAID5 them. You would have thought the world was going to end, if you'd listened to the UNIX team, they had loads of reasons all of which betrayed their lack of storage knowledge. In the end, no-one noticed the difference as the speed wasn't needed and we saved the company millions.

      1. JimC

        Re: Just as well I don't use Online Banking

        The reason why I don't use online banking is that I read the terms and conditions and thought "stuff that". Almost all the responsibility to prove fraud has been offloaded to the customer. Easier to wander down to the bank occasionally and, incidentally, have one more person in a local job and paying a share of my council tax.

        1. Anonymous Coward
          Anonymous Coward

          Re: Just as well I don't use Online Banking

          "...Almost all the responsibility to prove fraud has been offloaded to the customer..."

          No it hasn't, that is specifically illegal in the UK/EU and has been for several years now. The bank has to prove fraudulent activity on your part, not the other way round.

  2. John Robson Silver badge
    WTF?

    Why do OTA OTP not have an associated PIN?

    Oops - TLA overload....

    1. Jinxter
      Meh

      I can't speak for all but my phone banking does use a PIN system that is separate to the cards issued by that bank.

    2. KitD

      OTP

      Because then it's not really OTP which should rely purely on pre-agreed PIN generation, normally time-based, with no per-transaction interaction.

      I think the target of these scams is eg PayPal who send PINs via SMS to the account holder's mobile as extra security over and above the usual userid/password, so they're not really talking about OTP either.

      I bank online with HSBC and they have separate physical OTP generator keycards which are immune from these sort of scams (but have other limitations).

    3. Richard Wharram
      Coat

      OTP is not a TLA as it's not an acronym, unless somehow you can pronounce it as a word. PIN is and OTA might be.

      TLA is not though. Which makes it kinda silly.

      Yes, I'm a Nitpicking Old Bastard.

      1. Severen

        TLA = (in this case) Three Letter Abbreviation rather than Three Letter Acronym.

        In which case OTP is very much a TLA.

        HTH.

        LOL.

        Etc.

        1. Anonymous IV
          Headmaster

          Three letters

          If we're really going to get pedantic (we are! we are!) then there are very few TLAs (3-letter acronyms) but a preponderance of TLIs (3-letter initialisms). An acronym has to be a meaningful word (like CAT, DOG, etc), so most of the 26^3 possibilities are necessarily initialisms.

          And no, I'm not going to finish with the usual deeply-infuriating concluding phrase, "There, sorted it for you"...

          1. Stratman

            Re: Three letters

            Being very pedantic TLA stands for Three Letter Abbreviation, making the original poster right.

            And yes, I am going to finish with the usual deeply-infuriating concluding phrase, "There, sorted it for you"...

            1. Severen

              Re: Three letters

              Google TLA and, after an ad for "TLA Video", it comes up with Three Letter Acronym as its first return. Admittedly the link is to Wikipedia which, as we all know, isn't always the most reliable of sources.

              But, IMO, TLA stands for Three Letter Abbreviation as that's what the R.A.F. taught me and they're never, ever wrong. :-D

              Ever,

              1. Richard Wharram

                Re: Three letters

                The earliest recorded usage of TLA was as Three Letter Acronym. The other usage is just a ret-con :)

        2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    Stupidity

    This is like murdering someone by convincing them to jump off a cliff in order to test a new invisible parachute.

  4. Turtle_Fan

    This sounds silly...

    The effects of this scam are so fishy it would be bound to raise some suspicions...

    On the other hand, I've yet to see a way to break my bank's (ubs in switzerland) e-banking.

    Not only do you need to know a special 8-digit login but the password is generated using a bespoke smart card reader which then produces a code by combining a) 8 digits given by the site, b) a 6-digit PIN to unlock the smart card and c) a signature on the card's chip. Those passwords are only valid for 30 seconds; be slow and you missed it.

    Finally, as a layer of security any payment to an account not paid to before requires the same authentication as above so even if someone hijacks a session they can't make payments to anything you haven't made a payment to before.

    So unless you a) know my special code, b) grab hold of my smartcard and c) know my card's PIN you're stuffed. If you get all the above though, then you truly deserve the goodies :)
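The scheme Turtle_Fan describes above has three properties worth seeing together: the site issues an 8-digit challenge, the card (unlocked by a PIN) signs it and the response is only good for 30 seconds, and a payment to a never-used account demands that dance again even inside a live session. The code below is an added example, not UBS's system or the thread's own code; the card's actual signature algorithm is not described, so a keyed HMAC-SHA256 reduced to 6 digits stands in for it, and the agreement number, PIN and payee names are constructed.

```python
import hashlib
import hmac
import secrets

CHALLENGE_DIGITS = 8        # the 8 digits the site shows
RESPONSE_DIGITS = 6
RESPONSE_TTL_SECONDS = 30   # a response must come back within 30 s


def card_response(card_key: bytes, challenge: str) -> str:
    """Stand-in for the chip's signature: HMAC-SHA256 over the challenge, reduced to 6 digits.
    The real card algorithm is not described in the thread; this is an assumption."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class SmartCard:
    """The customer's card in its reader: the key never leaves it, the PIN unlocks it."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def sign(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN, card stays locked")
        return card_response(self._key, challenge)


class Bank:
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys   # agreement number -> card key on file
        self.pending = {}            # agreement -> (challenge, issued_at)
        self.sessions = {}           # session token -> agreement
        self.known_payees = {}       # agreement -> accounts paid before

    def challenge(self, agreement: str, now: int) -> str:
        c = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self.pending[agreement] = (c, now)
        return c

    def _check(self, agreement: str, response: str, now: int) -> bool:
        entry = self.pending.pop(agreement, None)   # single use: a replay finds nothing
        if entry is None or agreement not in self.card_keys:
            return False
        chal, issued = entry
        if now - issued > RESPONSE_TTL_SECONDS:      # "be slow and you missed it"
            return False
        return hmac.compare_digest(card_response(self.card_keys[agreement], chal), response)

    def login(self, agreement: str, response: str, now: int):
        if not self._check(agreement, response, now):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = agreement
        return token

    def transfer(self, token: str, payee: str, now: int, response: str = None) -> str:
        agreement = self.sessions.get(token)
        if agreement is None:
            return "rejected: no session"
        if payee in self.known_payees.get(agreement, set()):
            return "accepted: known payee"
        # new payee: a stolen session is not enough, the card must answer a fresh challenge
        if response is None or not self._check(agreement, response, now):
            return "rejected: new payee needs fresh card authentication"
        self.known_payees.setdefault(agreement, set()).add(payee)
        return "accepted: new payee authenticated"


def demo() -> dict:
    """Walk through login, a hijacked session, step-up, a replay and a late response."""
    key = secrets.token_bytes(32)
    card = SmartCard(key, pin="123456")              # constructed PIN
    bank = Bank({"12345678": key})                   # constructed agreement number
    bank.known_payees["12345678"] = {"electricity-co"}
    t = 1_000_000
    token = bank.login("12345678", card.sign("123456", bank.challenge("12345678", t)), t + 5)
    r = {"login_ok": token is not None}
    # someone holding only the session token
    r["hijack_known_payee"] = bank.transfer(token, "electricity-co", t + 60)
    r["hijack_new_payee"] = bank.transfer(token, "holiday-rental", t + 61)
    # the genuine customer answers a fresh challenge for the new payee
    resp2 = card.sign("123456", bank.challenge("12345678", t + 70))
    r["new_payee_authenticated"] = bank.transfer(token, "holiday-rental", t + 75, resp2)
    r["replay"] = bank.transfer(token, "another-new", t + 76, resp2)      # already consumed
    chal3 = bank.challenge("12345678", t + 100)
    r["late"] = bank.transfer(token, "another-new", t + 131, card.sign("123456", chal3))
    return r
```

The demo reproduces the outcome Turtle_Fan describes for a hijacked session: the token alone can pay the electricity bill (a previously used payee) but cannot reach a new account, and neither a replayed response nor one delivered after the 30-second window gets through. The weak points Lee Dowling raises in reply are outside this code entirely: card replacement and PIN reset are enrolment processes, and no verifier can help if the enrolment itself is subverted.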

    1. Lee Dowling

      Re: This sounds silly...

      Intercept your post. Ask bank for new smartcard because you've "put it through the washing machine". Wait for replacement to arrive and steal it before it gets to your door. Clear out your account before you can do anything about it.

      Skill needed: To work in the post office (or know someone who does) and be able to talk.

      That's basically what these scams do, if you read the article. It's not a question of technical hacking but social engineering and interception. Your IMEI and/or a replacement SIM can be silently gathered quite easily without you ever knowing in similar ways and then they are in. The hack described involved visiting a police station and reporting someone else's mobile lost in order to get the police report on that - we can safely say these people are quite brazen!

      The ways around it rely on the banks / phone companies to do their job - which is to VERIFY your identity for everything. That can't happen without falling into ridiculous scenarios (such as I've experienced) where companies WOULDN'T take a payment from me because I wasn't the account holder, but wouldn't take the payment from the account holder because it wasn't their card they were paying with. And try getting a PIN reset on a bank card you haven't used in 10 years and have forgotten all your codes and moved house in the meantime too.

      There are some genius hacks, and some genius technology, but there's always an "analogue hole" in that it's very hard to prove that the person in front of you or speaking to you on the phone *IS* the account holder in all situations without also locking out the GENUINE account holder who's just forgotten their details. And a simple post-office intercept can overcome almost anything if someone is determined enough to target you in particular.

      Don't be so complacent. Scams operate on your complacency. "This system is uncrackable" is akin to saying "This boat is unsinkable". Historically, it's been proved to be an incredibly stupid thing to say.

      1. Stoneshop Silver badge

        @Lee Dowling Re: This sounds silly...

        It says "Smart card reader", so presumably you need not only the reader, but the victim's bank card as well. At least, such is the case at my bank. And there's another bit of information involved which, afaik, you can't get at by skimming the card.

      2. Chemist

        Re: This sounds silly...

        I've also got a UBS account. Even if somehow you get hold of a replacement card you'd still need the personal agreement number and 6 digit PIN as well as the card reader.

        I'd guess they wouldn't send you a card without the agreement number.

        I think it's the best method I've seen although I'm fairly happy with the hideous 20 digit passwords I use for my other accounts.

        1. Turtle_Fan

          Re: This sounds silly...

          And to cap everything off, even if you could get the credentials OTPs are good for one single login and have a lifetime of 30 seconds.

          So your only option is hijacking my session as described. But even this is planned for as any transfer to hitherto unknown/unused account requires authentication anew.

          So at best you'd be able to pay my usual bills as those are the only account which have been credited by me in the past.

    2. Blofeld's Cat
      Facepalm

      Re: This sounds silly...

      Actually there is a well known way of getting around this, through human engineering. Basically it works like this:

      A man approaches you in a quiet street and tells you a hard luck story, how he has lost all his money, his return ticket etc. etc.

      He then explains that the only thing of value he has left in the world is this big shiny gun...

    3. Anonymous Coward
      Anonymous Coward

      Re: This sounds silly...

      unfortunately you might be open to a MITB (man in the browser) attack, this has been mentioned as a stealthy trojan that does nothing until it smells a bank website then opens up a real time channel to malware C&C centre sending screenshots/session cookies/everything to the far-end. Admittedly they'd have to be quick about it but there remains a risk!

      Worrying data from Denmark "Recently, three major banks, Danish Bank, Nordea and Royal Bank concurrence tell (EPN.dk/PCWorld) that about one in five of their network operations now going on a smartphone." http://www.computerworld.dk/art/213750/saadan-bruger-danskerne-bankens-mobil-loesning TWENTY PERCENT!!!

      Now try and implement your UBS level of security on a tiny mobe' screen whilst ambiental (or malware) CCTV from sixty metres away systems can accurately guess every PIN/OTP/RND number typed, whilst that fake-angry-birds app in parallel is busy chatting with criminals in Indonesia? money might start to leave the systems faster than even the banks can hose it in! but that only applies to 20% of online banking in Denmark...today...

  5. jake Silver badge

    I've been bypassing mobile banking for years ...

    ... by ticking the box that says "I don't want this account to be accessible online" when I set up the account.

    Seriously ... Who in their right mind does anything of a financial nature with TehIntreWebTubes[tm] as a go-between between themselves and a financial institution? The mind boggles.

    1. Anonymous Coward
      Anonymous Coward

      Re: I've been bypassing mobile banking for years ...

      Oh I don't know, anyone that doesn't want to queue for 6 hours at a bank, just to set up a new standing order?

      Or doesn't fancy the idea of driving 10 miles to the nearest bank to transfer some money over to a friend.

      Or maybe the same sort of idiot that buys stuff about 30 - 50% cheaper online rather than put up with queuing in a shop to buy the same product, but this time having to put up with some miserable git behind the till trying to flog you £9.99 insurance on a £15 item.

      You stick to the 1970s.

      I won't

      1. jake Silver badge

        Re: I've been bypassing mobile banking for years ...

        Thank you for underlining my point, Lost all faith. :-)

    2. RainForestGuppy
      FAIL

      Re: I've been bypassing mobile banking for years ...

      Somebody who doesn't live in the 1960s wearing a tin foil hat and who actually understands the real risks, rather than reading the sensationalist crap put out by the media.

      Do you use a debit/credit card to buy things either in store or online? Then you are at risk. Do you take money out of an ATM? You are at risk. Oh and you know that nice call centre agent you gave all your details to, well of course the computer system she uses is secure (?) but what about the pad and pencil she just wrote all your details down on and will sell on to fraudsters who then phone up your bank and empty your account. This actually happens.

      Trust me, Online Banking is the last of your worries.

    3. cwningen
      Flame

      Re: I've been bypassing mobile banking for years ...

      Oh I don't know, me perhaps?

      Dealing with any bank face to face, is very much like trying to remove my eyes with a very small, very rusty pair of tweezers. Try being deaf. Dealing with most banks that demand you accept calls for transaction verification purposes isn't exactly my idea of fun.

      Some are better than others, but hey; it's okay, I'll just pop down the local branch and talk.. ah.

      So, yes. I'd rather use it online without involving anybody in a branch or telephone centre, thanks.

  6. RainForestGuppy
    Devil

    Scare Mongering

    "The one common thread in both schemes is that they are made possible by compromising the web browser with a Man in the Browser (MitB) attack to steal the victim’s credentials," explains Trusteer’s CTO Amit Klein.

    What do Trusteer produce? "Secure browser technology to prevent MitM attacks."

    Sorry but these idiots who cry wolf every 5 minutes just to sell their own niche products just make it harder for us that are trying to get businesses to take a better, measured approach to raise security in general, rather than make knee jerk reactions to the latest perceived threat.

    1. Anonymous Coward
      Anonymous Coward

      Re: Scare Mongering

      Trusteer have previous as scaremongers and their 'Rapport' software is neither 'niche' (the big banks have bought in) nor much of a 'product' (it doesn't work: http://www.theregister.co.uk/2011/10/19/trusteer_rapport_follow_up/)

      More essential reading here - http://www.digit-security.com/blog/?p=333 - and the forum thread here - http://www.pprune.org/archive/index.php/t-394494.html .

  7. Frank Bitterlich
    WTF?

    In what country...

    ... can you report a mobile phone stolen without identifying yourself to the police properly? I mean, "name, telephone number, and other personal information" probably wouldn't cut it here in Germany. If you're not showing your ID card, passport or other solid identification, that wouldn't work.

    1. Tom 13

      Re: In what country...

      Any country with an automated internet system for reporting lost/stolen property because having police to actually verify things costs too much and is very inefficient. It's the "other personal information" on which they are primarily depending, and which was probably also compromised by the malware on the system.

    2. \\\

      Re: In what country...

      The UK! When my wife's bag was stolen (including mobile phone), all she did was telephone the local police station, tell them her name, where her bag was stolen from, and what was inside the bag, and they gave her a crime reference number there and then, over the phone.

      Rang the telco with crime reference number and a new phone was dispatched there and then.

  8. SYNTAX__ERROR
    Alert

    "the IMEI number, which can be found on the phone’s battery"

    The IMEI number will not be found on the battery.

    1. Arthur Dent
      WTF?

      Re: "the IMEI number, which can be found on the phone’s battery"

      Not only will it not be found on the phone's battery (I just love the concept of the IMEI changing if you change the battery) but in a lot of cases *#06# will not deliver any IMEI (produces an error message or a service not supported message instead). Also, I do some online things involving money and would immediately assume a scam if a bank/building society/pension fund manager/insurance company asked me for an IMEI (maybe I wouldn't be suspicious if I was taking out a new insurance policy to cover a mobile phone I hadn't previously insured with that company - but that never happens, since I don't buy expensive mobile phones and see no point in insuring the cheap ones I do buy).

  9. Andy Fletcher
    Happy

    Foolproof

    I've never had money taken from my account by a fraudster. By never having any.

  10. Anonymous Coward
    Anonymous Coward

    Actually this is a big problem...

    ... for UK and other large international banks. Yes, it is based on social manipulation, but it is ridiculously easy to 'swap' a SIM card (fraudulently). Just tell your mobile operator that you lost/replaced your phone and want your number ported to a new SIM card; that's it and the 2nd factor of authentication is compromised. That is why this type of so-called 'SIM swap fraud' usually targets high-value customers in a one-off raid.

    There are technological measures banks can take against this sort of fraud.
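The post above says banks have technological measures against SIM swap fraud without naming any. One measure a bank can apply on its own side is to stop treating an SMS code as a trusted second factor for a while after the number's SIM has changed, and to flag OTP requests that arrive suspiciously soon after a swap. The code below is an added example, not the poster's or any bank's code. It assumes the bank can obtain the time of the last SIM change for a number from the operator (the thread does not say whether such a lookup exists for any given operator); the 7-day cooldown, 24-hour detection window, value threshold and all the event data are constructed for the example, and the numbers are from the reserved fictional 07700 900xxx range.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SIM_CHANGE_COOLDOWN = timedelta(days=7)       # assumed policy value
OTP_AFTER_SWAP_WINDOW = timedelta(hours=24)   # assumed detection window
HIGH_VALUE = 1000.0                           # assumed threshold in account currency


@dataclass
class Event:
    at: datetime
    msisdn: str
    kind: str   # "sim_change" (from the operator lookup) or "otp_requested" (bank's own log)


def last_sim_change(events, msisdn: str, now: datetime):
    """Most recent SIM change for the number known at time `now`, or None."""
    times = [e.at for e in events
             if e.msisdn == msisdn and e.kind == "sim_change" and e.at <= now]
    return max(times) if times else None


def otp_channel(events, msisdn: str, amount: float, payee_known: bool, now: datetime) -> str:
    """Choose how to deliver the second factor for a transfer.

    A freshly swapped SIM may be in a fraudster's hands, so SMS is not trusted for
    anything risky until the cooldown has passed; routine low-value payments to a
    previously used payee still go by SMS but the customer is told about the change."""
    changed = last_sim_change(events, msisdn, now)
    recent = changed is not None and now - changed < SIM_CHANGE_COOLDOWN
    if recent and (not payee_known or amount >= HIGH_VALUE):
        return "out_of_band_callback"
    if recent:
        return "sms_with_sim_change_alert"
    return "sms"


def otp_requests_after_swap(events) -> set:
    """Detection pass over the event stream: numbers where an OTP was requested
    within OTP_AFTER_SWAP_WINDOW of a SIM change. Run this over the day's logs."""
    flagged = set()
    by_number = {}
    for e in sorted(events, key=lambda ev: ev.at):
        by_number.setdefault(e.msisdn, []).append(e)
    for msisdn, evs in by_number.items():
        swap_at = None
        for e in evs:
            if e.kind == "sim_change":
                swap_at = e.at
            elif (e.kind == "otp_requested" and swap_at is not None
                  and e.at - swap_at <= OTP_AFTER_SWAP_WINDOW):
                flagged.add(msisdn)
    return flagged


# Constructed sample data: one number swapped two hours ago then hit with an OTP
# request, one swapped a month ago, one never swapped.
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    Event(NOW - timedelta(hours=2), "+447700900001", "sim_change"),
    Event(NOW - timedelta(hours=1), "+447700900001", "otp_requested"),
    Event(NOW - timedelta(days=30), "+447700900002", "sim_change"),
    Event(NOW - timedelta(hours=1), "+447700900002", "otp_requested"),
    Event(NOW - timedelta(hours=3), "+447700900003", "otp_requested"),
]

if __name__ == "__main__":
    print("flagged:", otp_requests_after_swap(SAMPLE_EVENTS))
    for number in ("+447700900001", "+447700900002", "+447700900003"):
        print(number, otp_channel(SAMPLE_EVENTS, number, 5000.0, False, NOW))
```

The policy and the detector are deliberately separate: the policy decides in real time which channel to use, the detector looks back over the logs and catches the cases where an SMS went out anyway, so that the transfers can be reviewed. Neither depends on telco store staff spotting fake ID, which is the objection Stuart raises further down.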

    1. Captain Underpants

      Re: Actually this is a big problem...

      @AC 14:26

      Surely the simple solution there is to require someone to attend a $TELCO store in person and present ID before being given the replacement SIM? Especially if it's a business phone.

      I mean, yes, there are problems here, but mainly of the "Humans durr da durr durr" variety rather than the more-exciting-sounding-but-less-probable "ZOMG! THE TECHNOLOGY, IT HAS GONE EEEEEEEEVIL!" variety...

      1. Stuart

        Re: Actually this is a big problem...

        All you are doing here is shifting the point of failure. Telco store staff aren't going to be able to tell fake ID from real and producing convincing fake ID is hardly difficult.

    2. Chemist

      Re: Actually this is a big problem...

      My mobile operator requires a password for ANYTHING. Certainly for changing phone/SIM

  11. future seeker
    Thumb Up

    There's risks, of course there's risks

    It's inevitable malware makers will target mobile devices. The challenge really is -- especially as we look to NFC and the 'iWallet' -- the challenge will be to ensure that device security is 100% -- we can't have a repeat of the bad days of the Windows era. Thing is there's lots of things users -- especially enterprise users -- can do to improve the security of their BYOD gadgets, as detailed here: http://blogs.orange-business.com/connecting-technology/2012/03/infographic-security-byod.html

  12. crayon

    Re: Just as well I don't use Online Banking

    "What is it with IT guys behaving like utter luddites and not being able to deal with change?"

    I wonder if these luddites are the same group as those who rush to be the first to post a comment on any mobile phone review saying "All I want is a phone that can make and receive calls". Bloody annoying sods should go out and buy a phone already.

    1. jake Silver badge

      Re: Just as well I don't use Online Banking

      "I wonder if these luddites are the same group as those who rush to be the first to post a comment on any mobile phone review saying "All I want is a phone that can make and receive calls"."

      Probably. Enjoy your crayons. Adults use real communications tools.


Biting the hand that feeds IT © 1998–2022