Fictitious Transfers are Latest Bank Heist

September 2011 by Trusteer

A number of banks, in an effort to validate and secure financial transactions, are using transaction verification systems. They do this in the belief that, even if malware manages to change transaction details on the fly, the customer has an out-of-band channel through which to verify that the details have not been modified. This rests on the assumption that malware cannot infect the out-of-band channel, and that the bank or the customer will therefore be able to detect fraudulent transfers.

What are Transaction Verification Systems?

There are different types of transaction verification systems. The two most common are:

SMS based: with each transaction the bank sends an SMS text to the customer with the details of the transaction and a confirmation code. To confirm the transaction, the customer then enters this confirmation code into their browser. The purpose of this process is to make sure the customer reads the details.

Card and Reader: with each transaction the customer uses a reader; there are a number of variants, so the exact procedure depends on the bank. The customer enters the transaction sum and the beneficiary number into the reader, and the reader displays a code that the customer enters into their browser.

Safe and Sound!

“However, the assumption that malware cannot influence the out of band channel is flawed,” said Amit Klein, Trusteer’s CTO. “The easiest way to defeat transaction verification systems is using social engineering attacks. Over the years Trusteer have seen a number of different variants against transaction verification systems.”

Now we’ve encountered a new scenario which Trusteer think is very interesting. The following attack is conducted by SpyEye against a Spanish bank:

Using malware, fraudsters first gain control over the web channel. This means any information that customers view inside their browser, while connected to their bank, can be modified by the fraudsters. Unfortunately, customers are usually unable to distinguish whether what they are seeing was actually served by the bank or was in fact modified by malware.

This gives fraudsters the ability to launch extremely effective social engineering attacks.

Amit Klein continued, “In the attack we’ve recently seen, fraudsters were simply waiting for customers to log on to their bank’s website. The bank robber then ‘changed’ the content of the post login page, to a message, informing customers of an upgraded security system. The customer is invited to go through a training process that intends to help him/her deal with the bank’s upgraded security system. As part of the training they’re asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user’s account will not be debited and the recipient’s account is fabricated. Of course, the transaction then happens, the money is transferred, and the criminal disappears off into the sunset.”

The text of the post login page is below:

BANK NAME OBSCURED está mejorando su sistema de seguridad enviando claves de un sólo uso a su teléfono móvil. Le informamos que han sido completados los cambios para la versión actualizada de nuestro sitio. Pero, muchos de nuestros usuarios tienen dificultad y cometen errores al tratar con nuestro nuevo sistema. Con el fin de evitar estas situaciones y el bloqueo de su cuenta bancaria, le invitamos a realizar un pequeño aprendizaje de capacitacion. ¡ Este aprendizaje es obligatorio y su realización le llevará unos minutos!

El procedimiento es el siguiente:
- El sistema de BANK NAME OBSCURED creará una transferencia ficticia.
- El dinero de esta transferencia NO será debitado de su cuenta.
- Es necesario la confirmación de esta transacción de prueba, introduciendo su "clave de operaciones" y la "clave de confirmacion" que usted recibirá en su teléfono móvil.
- Los datos de la cuenta del receptor de la transferencia son ficticios!

Objetivo de esta operación:
- Evitar errores en el uso de nuestro sistema en el futuro.
- La comprobación de los datos de su teléfono móvil por el sistema.

Para comenzar el aprendizaje, haga clic en Continuar.

English translation:

BANK NAME OBSCURED is upgrading its security system by sending one-time keys to your mobile phone. Please note that the changes for the updated version of our site have been completed. However, many of our users have difficulty and make mistakes when dealing with our new system. In order to avoid these situations and the blocking of your bank account, we invite you to complete a short training exercise. This training is compulsory and will take just a few minutes!

The procedure is as follows:
- The BANK NAME OBSCURED system will create a fictitious transfer.
- The money from this transfer will NOT be debited from your account.
- You need to confirm this test transaction by entering your "operations key" and the "confirmation key" that you will receive on your mobile phone.
- The details of the account receiving the transfer are fictitious!

Objective of this operation:
- To avoid errors in the use of our system in the future.
- To let the system verify your mobile phone details.

To begin the training, click Continue.
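An added illustration, constructed for this page and not Trusteer's or any bank's code: a minimal SMS-based verification flow (as described under "What are Transaction Verification Systems") in which the confirmation code is cryptographically bound to the transaction details. It shows why an in-flight change of beneficiary is caught by the customer's comparison, while the "fictitious transfer" lure above is not, because the customer knowingly confirms the real details. The key, session ids and account names are placeholders.

```python
import hmac
import hashlib

# Constructed demo key: a real bank would hold this in an HSM, not in code.
BANK_SECRET = b"constructed-demo-key"


def confirmation_code(session_id: str, amount: str, beneficiary: str) -> str:
    """Six-digit code bound to the session and the exact transaction details."""
    msg = f"{session_id}|{amount}|{beneficiary}".encode()
    digest = hmac.new(BANK_SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_issue_sms(session_id: str, amount: str, beneficiary: str) -> str:
    """Out-of-band message: the details the bank will execute, plus the code."""
    code = confirmation_code(session_id, amount, beneficiary)
    return f"Transfer {amount} EUR to {beneficiary}. Code: {code}"


def customer_confirms(sms: str, expected_amount: str, expected_beneficiary: str):
    """The customer reads the SMS and types the code only if it matches what
    they believe they are authorising. Returns the code, or None if they refuse."""
    details, code = sms.split(". Code: ")
    if details == f"Transfer {expected_amount} EUR to {expected_beneficiary}":
        return code
    return None


def bank_execute(session_id: str, amount: str, beneficiary: str, entered) -> bool:
    """Server side: the transfer runs only if the code matches these exact details."""
    if entered is None:
        return False
    expected = confirmation_code(session_id, amount, beneficiary)
    return hmac.compare_digest(expected, entered)


def scenario_in_flight_tampering() -> bool:
    """Malware swaps the beneficiary on the way to the bank. The SMS shows the
    mule account, the customer sees the mismatch and refuses: transfer blocked."""
    sms = bank_issue_sms("s1", "100.00", "MULE-ACCOUNT")
    code = customer_confirms(sms, "100.00", "LEGIT-ACCOUNT")
    return bank_execute("s1", "100.00", "MULE-ACCOUNT", code)


def scenario_social_engineering() -> bool:
    """The injected 'training' page told the customer to expect exactly this
    'fictitious' transfer. SMS and expectation match, the code is entered, and
    the bank has verified a genuine confirmation of a real transfer to the mule."""
    sms = bank_issue_sms("s2", "100.00", "MULE-ACCOUNT")
    code = customer_confirms(sms, "100.00", "MULE-ACCOUNT")
    return bank_execute("s2", "100.00", "MULE-ACCOUNT", code)
```

The out-of-band channel only protects the customer's intent; once the injected page has reshaped that intent, the bank receives a confirmation that is indistinguishable from a legitimate one.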

Advice from Trusteer

This and many other social engineering attacks against transaction verification systems demonstrate that:
- forewarned is forearmed – financial institutions need to find ways of making customers aware of the latest ‘heists’ criminals are performing;
- securing the endpoint and the browser is important regardless of the other security controls you have in place – fraudsters continue to come up with new and creative fraud schemes. As long as the computer is infected, financial malware is capable of finding new ways of bypassing even the most sophisticated security controls.

