Although only used by a handful of banks in the UK and US, text message authentication is increasingly being used by financial institutions across Europe as a means of delivering one-time TANs (transaction authentication numbers) to online banking users. Each TAN is then used to authenticate and authorize a single transaction, typically a transfer or payment to another account or to a utility company.
According to Amit Klein, Trusteer's CTO, after stealing an online banking user's account credentials, the malware changes the victim's phone number of record in the online banking application to one of several random attacker-controlled numbers using a stolen confirmation code.
Now comes the nasty bit, as SpyEye injects a fraudulent page into the customer's browser. The page appears to come from the online banking application and states that a new security system is now 'required' by the bank, for which customers must register.
Under the 'new security process', the page tells the customer that they will be assigned a unique telephone number and will receive a special SIM card in the mail. The customer is then instructed to enter the personal confirmation number they receive on their mobile telephone into the fake web page in order to complete registration for the new security system. That number is in fact the code the bank sent to confirm the phone-number change the attacker has just requested.
It's at this point, said Klein, that the criminals steal the confirmation code they need to authorize changing the customer’s mobile number, meaning they receive all future SMS transaction verification codes for the hijacked account via their own cellular service.
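The exchange described in the preceding paragraphs, played out as a small simulation, with two server-side controls that a bank can apply against it: an SMS that states what the code authorizes (so the 'new security system' pretext no longer matches what the customer reads), and a cooldown during which a freshly registered number receives no transaction TANs. This is an added example, not code from Trusteer, SpyEye or any bank; every name, phone number, message format, policy value and the simplified victim model is invented for illustration.

```python
# Simulation of the SMS-OOBA takeover described above and two server-side mitigations.
# Added example, not code from Trusteer or any bank; every name, number, message
# format and policy value here is invented for illustration.
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    phone: str                        # number of record that receives SMS codes and TANs
    pending: Optional[dict] = None    # outstanding phone-change request: {"new": ..., "code": ...}
    changed_at: int = -10**9          # clock tick of the last phone change (none yet)


class Bank:
    """Minimal online-banking backend: phone-of-record changes and SMS TANs (hypothetical)."""

    def __init__(self, bind_action: bool, cooldown: int):
        self.bind_action = bind_action  # mitigation 1: the SMS names the action the code confirms
        self.cooldown = cooldown        # mitigation 2: ticks a new number must wait before it gets TANs
        self.accounts: dict[str, Account] = {}
        self.sms_log: list[tuple[str, str]] = []  # (destination number, text); stands in for the carrier
        self.clock = 0

    def _sms(self, number: str, text: str) -> None:
        self.sms_log.append((number, text))

    def request_phone_change(self, user: str, new_number: str) -> None:
        acct = self.accounts[user]
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = {"new": new_number, "code": code}
        if self.bind_action:
            text = (f"Code {code} confirms CHANGING your mobile number to {new_number}. "
                    "If you did not request this, do not share the code and call us.")
        else:
            text = f"Your online banking confirmation code is {code}."  # bare code: the scenario above
        self._sms(acct.phone, text)

    def confirm_phone_change(self, user: str, code: str) -> bool:
        acct = self.accounts[user]
        if acct.pending is None or not secrets.compare_digest(acct.pending["code"], code):
            return False
        old, acct.phone = acct.phone, acct.pending["new"]
        acct.pending, acct.changed_at = None, self.clock
        self._sms(old, f"Your mobile number was changed to {acct.phone}. Call us if this was not you.")
        return True

    def issue_tan(self, user: str, amount: int, payee: str) -> Optional[str]:
        """Send a transaction TAN to the number of record, unless that number is inside the cooldown."""
        acct = self.accounts[user]
        if self.clock - acct.changed_at < self.cooldown:
            return None                 # held for review: number of record changed too recently
        tan = f"{secrets.randbelow(10**6):06d}"
        self._sms(acct.phone, f"TAN {tan} authorizes {amount} to {payee}.")
        return tan


def victim_enters_code(sms_text: str) -> Optional[str]:
    """Simplified victim (an assumption of this example): the injected page asks for 'the code for
    the new security system'. The victim complies with a bare code but balks when the SMS names
    an action they never asked for."""
    if "CHANGING your mobile number" in sms_text:
        return None
    m = re.search(r"\b(\d{6})\b", sms_text)
    return m.group(1) if m else None


def run_attack(bind_action: bool, cooldown: int) -> dict:
    """Play the SpyEye scenario against a bank with the given settings and report what the attacker got."""
    bank = Bank(bind_action, cooldown)
    victim_phone, attacker_phone = "+44-7700-900111", "+44-7700-900999"   # constructed numbers
    bank.accounts["alice"] = Account(phone=victim_phone)

    # 1. With stolen credentials, the malware operator requests a new number of record.
    bank.request_phone_change("alice", attacker_phone)
    # 2. The real phone receives the SMS; the injected page asks the victim to type the code in.
    _, sms_text = bank.sms_log[-1]
    relayed = victim_enters_code(sms_text)
    # 3. Whatever the victim typed into the fake page is replayed to the bank by the attacker.
    hijacked = relayed is not None and bank.confirm_phone_change("alice", relayed)
    # 4. Shortly afterwards the attacker submits a transfer and waits for the TAN.
    bank.clock += 1
    tan = bank.issue_tan("alice", 2500, "mule account")
    attacker_got_tan = tan is not None and bank.sms_log[-1][0] == attacker_phone
    return {"hijacked": hijacked, "attacker_got_tan": attacker_got_tan,
            "old_number_warned": any(n == victim_phone and "was changed" in t for n, t in bank.sms_log)}


if __name__ == "__main__":
    for bind, cd in [(False, 0), (False, 3), (True, 0)]:
        print(f"bind_action={bind} cooldown={cd}: {run_attack(bind, cd)}")
```

With a bare code and no cooldown the attacker ends up holding the number of record and receives the TAN for the transfer; the warning SMS to the old number is the only trace. Either control alone breaks the chain at a different point: the action-bound message defeats the social engineering before the change is confirmed, while the cooldown lets the takeover happen but denies the attacker the TANs until the old number's warning has had time to be acted on. Note that a bare SMS code is phishable regardless of how it is generated, which is why the fix is in what the message says and in what a new number is allowed to do, not in the code itself.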
The Trusteer CTO asserted that the only way to defeat this new attack once a computer has been infected with SpyEye is to use endpoint security that blocks man-in-the-browser techniques. Without a layered approach to security, he said, even the most sophisticated schemes can be negated under the right circumstances.
Klein added that this latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including text-based solutions, are not fool-proof.
“Using a combination of man-in-the-browser injection technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time, since the transactions have been verified and fly under the radar of fraud detection systems”, he explained.