Eurograbber, a Trojan that transfers itself from a user’s PC to their mobile phone has come to light, reportedly having so far defrauded banking customers out of over €36m. The simple reason for this is that many banks are reliant on SMS as a means of authenticating the user and hence authorising online transactions. Because Trojans such as Eurograbber intercept SMS messages, such systems are inherently insecure. Another attack technique, SIM Swap, whilst very different in its technique, achieves the same aim of intercepting SMS messages carrying online banking authorisation codes.                     

The volume of those speaking out against this danger of relying on SMS based systems is picking up, and not just in Europe. Only last month, a lobby group for Australian telcos declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction after numerous reports came to light of Australians being defrauded.

The problem is that fraudsters can intercept an SMS, so they are not a secure means of authenticating the user.

Whilst the idea of utilising the customer’s mobile phone as a means of strong authentication is absolutely valid, the delivery mechanism needs to be carefully reviewed in the light of such attack vectors. For instance, interactive voice is not a store-and-forward protocol and as such is far less susceptible to mobile Trojans. However, even voice can be compromised by attacks such as SIM Swap and therefore, any Out-of-Band solution requires the necessary invisible detection techniques to combat such attacks. Solutions do exist to securely enable the ubiquitous mobile phone to remain an effective authentication tool.