Banking Trojan hijacks out-of-band SMS security - Trusteer

Security outfit Trusteer has discovered a new attack used by the SpyEye Trojan that can circumvent mobile SMS security measures used by many banks.

In a blog post, Trusteer says it has found a two-step Web-based attack that allows fraudsters to change the mobile phone number in a victim's online banking account and reroute SMS confirmation codes used to verify transactions.

Firstly, SpyEye steals the victim's online banking details in the standard Trojan style.

It then changes the customer's phone number of record in the e-banking application to one of several random attacker controlled ones. To do this, the crooks need the confirmation code which is sent by the bank to the customer's original phone number.

To obtain the code, SpyEye injects a fraudulent page in the customer's browser that appears to be from the online banking application. The fake page purports to introduce a new security system that is now "required" by the bank and for which customers must register. The page explains that under this new security process the customer will be assigned a unique telephone number and that they will receive a special SIM card via mail.

Next, the user is instructed to enter the personal confirmation number they receive on their mobile telephone into the fake Web page in order to complete the registration process for the new security system.

This gives the crooks access to all future SMS transaction verification codes for the account, enabling them to divert funds from the customer's account without their knowledge and without triggering fraud detection alarms.

Says Trusteer: "This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems."

Related Companies

Trusteer

Channels

Retail banking Security Payments

Keywords

Mobile & online banking Authentication

Comments: (4)

David Divitt - VocaLink - London 07 October, 2011, 12:18

1 like

Fraudsters are always looking for new ways to steal money, and this is an example of how they are working across different platforms to breach security. However, I think it is wrong to say that this necessarily enables them to 'fly under the radar of fraud detection systems'. True - many financial institutions use out-of-band authentication - but it is rarely used in isolation.

The strongest fraud detection always comes back to one key premise - knowing your customer: knowing what transactions they do, who they send money to, what amounts they spend, where they log on to their online banking site from, when they typically do transactions etc. Banks have got, at their fingertips, everything they need to build up a detailed picture of normal behaviour for their customers and any transaction that falls outside of that, even if it has apparently been authenticated by a mobile phone, should still be treated as suspicious.

Of course, it is important to educate customers about threats, and ensure they know not to open suspicious messages or links - but the right security system needs to assume all these things will happen anyway, but the customer is still protected.

Report abuse

A Finextra member 07 October, 2011, 18:38

Be the first to give this comment the thumbs up

0 likes

Divitt, Your comment seemed to be the generally recommended practice today, it seemed to place more weight on SIEM systems than any authentication of identity. Does that mean, if one can only afford to implement one layer of protection, they should go for SIEM? or, let's do this exercise, how much relative weight will you put on each of the following:

* MFA (Identity authentication: OTP, cert., OOBA, etc.)

* Transaction authentication (against MITM)

* SIEM

What I'd like to see is an OTP that can protect against MITB and can have minimum SIEM functions :-) that would be an easy solution !

Report abuse

David Divitt - VocaLink - London 12 October, 2011, 11:26

0 likes

I think saying "if you could only do one" can be a dangerous game and is probably not beneficial since I really do believe in a layered approach.

With regards to giving a weight to the various options (event monitoring, multi-factor auth and transaction auth) I think event monitoring should probably comprise about 50% of your total solution (budget/efforts/etc) and the others spread evenly at 25% each.

If you implement a multi-factor auth solution to authenticate logons, then you should be definitely using the same system to authenticate payments or other key account activity as well, to maximise its value.

Report abuse

Pat Carroll - ValidSoft - London 13 October, 2011, 10:26

0 likes

I too, like David Divitt, I am a firm supporter of a layered approach to authentication. The attack, as described in the Finextra story, all centres on the fact that the bank allows users to change their registered mobile number and then sends a confirmation code via SMS (to the old number) which must be resubmitted into the browser to complete the change. They then use Man in the Browser and social engineering to get the real user to submit this code on another pretext. The fraudster then has his own number registered.

If the fraudsters have infected the users browser with a Man in the Browser attack, they could equally subvert transactions protected by hardware tokens or card readers.

In my view a real-time automated call to the mobile, incorporating authentication and transaction verification (i.e. the playback of the transaction received by the bank – in this case the requested to change his/her registered mobile), would enable the fraudulent transaction to be foiled at source and the customer would be immediately placed in contact with a resource at the bank to deal with such issues….such is the power of real-time telecommunications!