After the recent incidents it seems that SMS is not a very secure second factor for authentication.
Australian Telcos Declare SMS Unsafe For Bank Transactions. The article Telcos declare SMS ‘unsafe’ for bank transactions reports that the lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.
SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication. Security experts have warned about the inherent lack of security posed by SMS technology for several years. SMS was not designed to act as a second authentication factor. There are numerous reports of Australians being defrauded via a phone porting scam: With only a few phone calls to a victim’s workplace or home address, a fraudster can gain enough information (date of birth and mobile phone number) to port a victim’s mobile phone number to a new SIM device and intercept one-time passwords sent via SMS for online banking sessions. Banks have said that SMS should be considered part of a “layered” security solution.
Many European banks use a two-factor authentication approach for logging into their online portals. In addition to a standard password, an SMS message is typically sent to the user providing the required second factor for authentication. The SMS text message turns 20 years old, and the world around it has changed. Earlier, SMS was received on mobile phones whose software was stable and did not change without reason. Now, in the smartphone age, different applications and malware can affect how the smartphone handles your SMS messages (they can easily do something to them without you knowing about it). SMS is not designed to be a secure communications channel, and it is not a very secure channel. Security experts have warned about the inherent lack of security of SMS technology for several years. SMS was not designed to act as a second authentication factor, but it is used as such.
Last week Check Point revealed how a sophisticated malware attack was used to steal an estimated €36 million ($47 million) from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over the summer this year. The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of the SMS messages used by banks as part of customers’ secure login and authentication process.
The Eurograbber Trojan exploits a feature designed to make users feel more secure about their online banking in order to rip them off: when the user is on the banking web site, the Trojan asks the user to provide their mobile phone number in order to complete a required upgrade. A user who falls for the ruse and provides the mobile phone number then receives an SMS on their phone, purportedly from their bank. That SMS directs the user to click a link which downloads a Zeus mobile Trojan. At that point the user is basically owned, and the next time they access their bank account the attack initiates a transaction to transfer money out of the account to the attacker’s account.
For more details on how Eurograbber worked, read How the Eurograbber attack stole 36 million euros. For even more detailed information, read the report published by security vendors Versafe and Check Point Software Technologies: A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware.
Article links on Eurograbber:
- How the Eurograbber attack stole 36 million euros.
- Zeus Botnet Eurograbber Steals $47 Million
- Inside Eurograbber: How SMS Was Used to Pilfer Millions
- Miljoonavarkaus Euroopassa: Virus vei rahat tileiltä
- Hakkerit nappasivat 36 miljoonaa nettipankeista
- Virus vei 36 miljoonaa euroa verkkopankkitileiltä
The Eurograbber attack is a dangerous one, but it can be prevented if users take the right steps: make sure everything on their phones and desktops is kept up to date (that includes the operating system as well as software plugins such as Java and Flash).
Security is all about layers. You can’t ever block everything in one place, so you need layers of security to protect yourself. An enterprise can put in many devices and layers to protect itself and its customers, because you can’t be 100 percent protected against everything with only one solution.
F-Secure’s Hypponen points out that the hackers have not even tried to break into the computer systems of the banks. None of the hackers put much effort into breaking bank systems when plenty of unprotected home computers are easily available.