Online Bank Fraud Exploits Mobile Users

Trusteer : 14 March, 2012  (Technical Article)
Trusteer details the latest bank fraud techniques targeting one-time-password systems that deliver codes to mobile phones
Trusteer recently uncovered two online banking fraud schemes designed to defeat one-time password (OTP) authorization systems used by many banks. Unlike a previous attack Trusteer discussed that involved changing the victim’s mobile number to redirect OTPs to the fraudster’s phone, in these new scams the criminals are stealing the actual mobile device SIM (subscriber identity module) card.

In the first attack, the Gozi Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they log in to their online banking application. The bank is using an OTP system to authorize large transactions. Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device.

In the Gozi configuration file Trusteer obtained, the malware uses a web page injection that prompts the victim to enter their IMEI number before they can access their online bank account. The fraudulent injection explains how to retrieve the IMEI number, which can be found on the phone’s battery or accessed by dialing *#06# on the device keypad.

The second attack combines online and physical fraud to achieve the same goal. Trusteer discovered this scheme in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim’s bank account details, including credentials, name, phone number, etc.

Next, the criminal goes to the local police department to report the victim’s mobile phone as lost or stolen. The criminal impersonates the victim using their stolen personal information (name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen.

The criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider’s retail outlets. The SIM card reported as lost or stolen is deactivated by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number. This allows the fraudster to authorize the fraudulent transactions he/she executes.

Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them.

The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out-of-band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves.
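Both schemes end the same way: the fraudster holds a freshly issued SIM for the victim's number, so a correct SMS OTP no longer proves the account holder is on the other end. A bank-side control that follows from this is to treat a recent SIM replacement as a signal that downgrades trust in SMS OTPs for high-value transfers and forces a step-up through a different channel. The following is an added example written for this article, not code from Trusteer or from any bank; the carrier "last SIM change" lookup (`last_sim_change`) and the thresholds (`SIM_CHANGE_WINDOW`, `HIGH_VALUE`) are assumptions, and the feed contents and transfers are constructed sample data.

```python
"""Defender-side check: OTP-authorised transfers shortly after a SIM replacement.

Added example for the article above (not Trusteer's code). Assumptions:
  * the bank can query the mobile operator for the time of the last SIM
    change on a number (modelled here by a constructed dict lookup);
  * policy thresholds below are illustrative, not from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Policy knobs (assumptions): how long after a SIM change SMS OTPs are
# considered weak evidence, and the amount at which that matters.
SIM_CHANGE_WINDOW = timedelta(hours=72)
HIGH_VALUE = 1000.00


@dataclass
class Transfer:
    account: str
    amount: float
    otp_verified: bool      # the SMS OTP the customer entered matched
    requested_at: datetime  # when the transfer was submitted


@dataclass
class Decision:
    action: str  # "allow", "step_up" or "deny"
    reason: str


# Constructed sample carrier feed: phone number -> time the SIM was last replaced.
SIM_CHANGE_FEED: Dict[str, datetime] = {
    "+44700000001": datetime(2012, 3, 13, 9, 30),   # reissued the day before the transfer
    "+44700000002": datetime(2011, 11, 2, 14, 0),   # months ago: normal
}


def last_sim_change(phone: str) -> Optional[datetime]:
    """Hypothetical carrier lookup; returns None when the operator has no record."""
    return SIM_CHANGE_FEED.get(phone)


def sim_changed_recently(phone: str, at: datetime) -> bool:
    """True when the SIM for `phone` was replaced within SIM_CHANGE_WINDOW before `at`."""
    changed = last_sim_change(phone)
    if changed is None:
        return False
    delta = at - changed
    # A change recorded after the request is clock skew or a later event; ignore it.
    return timedelta(0) <= delta <= SIM_CHANGE_WINDOW


def evaluate_transfer(t: Transfer, phone: str) -> Decision:
    """Decide whether an SMS OTP is sufficient for this transfer.

    The OTP must match in every case; a recent SIM change on the enrolled number
    turns a high-value transfer into a step-up (e.g. call-back on a number or
    channel set up before the SIM change, or an in-branch confirmation) and
    leaves low-value transfers allowed but flagged for review.
    """
    if not t.otp_verified:
        return Decision("deny", "OTP did not verify")
    if sim_changed_recently(phone, t.requested_at):
        if t.amount >= HIGH_VALUE:
            return Decision(
                "step_up",
                f"SIM for {phone} replaced within {SIM_CHANGE_WINDOW} of a "
                f"{t.amount:.2f} transfer; SMS OTP alone is insufficient",
            )
        return Decision("allow", f"low-value transfer after SIM change on {phone}; flag for review")
    return Decision("allow", "OTP verified and no recent SIM change on enrolled number")


def sample_decisions() -> Dict[str, str]:
    """Run the constructed scenarios and return scenario name -> action."""
    at = datetime(2012, 3, 14, 10, 0)
    scenarios = {
        "high_value_recent_sim": (Transfer("ACC-1", 5000.00, True, at), "+44700000001"),
        "low_value_recent_sim": (Transfer("ACC-1", 40.00, True, at), "+44700000001"),
        "high_value_old_sim": (Transfer("ACC-2", 5000.00, True, at), "+44700000002"),
        "unknown_number": (Transfer("ACC-3", 5000.00, True, at), "+44700000009"),
        "otp_failed": (Transfer("ACC-2", 20.00, False, at), "+44700000002"),
    }
    return {name: evaluate_transfer(t, phone).action for name, (t, phone) in scenarios.items()}


if __name__ == "__main__":
    for name, action in sample_decisions().items():
        print(f"{name:24s} -> {action}")
```

The check deliberately keys on the enrolled phone number rather than on anything the customer types into the web session, because in the first scheme the browser itself is compromised and any page content can be altered by the Trojan. It also fails open when the operator has no record for the number (`unknown_number` is allowed), which is a policy choice a bank would want to make explicitly rather than inherit from the lookup returning `None`.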
© 2012 ProSecurityZone.com