Eurograbber Proves SMS Not Suited to Secure Bank Transactions
Last week, news was released that cyber-criminals executed a multi-stage attack that compromised user PCs and the SMS channel on their mobile phones to execute fraudulent transactions, affecting more than 30 different banks across Europe.
As online fraud attacks grew in sophistication, and desktop malware became capable of modifying and initiating transactions unbeknownst to the end-user, the practice of confirming transactions on an out-of-band channel (something other than the PC) emerged.
While some security vendors and banks worked diligently to engineer an out-of-band solution that was secure and leveraged advanced capabilities in the mobile phone, other approaches took the “quick and dirty” route and made use of the SMS channel to confirm the transaction out-of-band.
While SMS vulnerabilities and fraud attacks first emerged more than two years ago with the Zeus MITMO (man in the mobile), banks continued to rely on the SMS channel believing the threats were too complex to execute and, therefore, treated them as “edge cases.”
With more than 30,000 customers across consumer and wholesale/commercial banking hit by this attack, I think it’s safe to say the criminals have refined the attack vector.
So, does this mean out-of-band transaction verification is useless? Does this mean we ditch the mobile device as a secure mechanism to protect against advanced cyber threats?
No. The problem is not with the concept of out-of-band authentication or with the mobile device. It’s about building a security feature on an insecure channel (e.g., SMS) that also provides a less-than-optimal user experience for reviewing transaction integrity.
A far better approach would be to develop native smartphone applications that leverage the security features built into the mobile OS (e.g., code-signed applications and application sandboxing) and can establish a secure, mutually authenticated, encrypted channel between the device, the transaction confirmation application and the bank server before transaction details are provisioned to the phone.
Couple that with a simple, easy-to-navigate user interface and you have effective protection against MITB and malware-based session-riding attacks. It’s a security approach that is both robust and simple to use.
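To make the mechanism described above concrete, here is an added example (not the author’s code, nor any bank’s or vendor’s implementation) modelling the core idea in Python: the bank authenticates the transaction details it pushes to the phone, the app shows exactly those details to the user, and the confirmation it returns is cryptographically bound to what the user saw, so browser malware that alters the amount or payee on the PC is exposed at review time and cannot forge an approval. It assumes a per-device HMAC key, standing in for the device-bound credential and mutually authenticated channel a real deployment would use (OS keystore keys, mutual TLS); the transaction IDs, IBAN-like strings and amounts are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass

# Hypothetical per-device key, provisioned when the app is enrolled. A real
# deployment would use device-bound asymmetric keys in the OS keystore plus a
# mutually authenticated TLS channel; a shared HMAC key stands in for both here.
DEVICE_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    payee_iban: str
    amount_cents: int
    currency: str


def canonical(tx: Transaction) -> bytes:
    """Deterministic encoding so server and app MAC exactly the same bytes."""
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


def tag(key: bytes, purpose: bytes, data: bytes) -> str:
    """Domain-separated MAC: a server->device 'challenge' message can never be
    replayed as a device->server 'confirm' message, or vice versa."""
    return hmac.new(key, purpose + b"|" + data, hashlib.sha256).hexdigest()


class BankServer:
    def __init__(self, key: bytes):
        self.key = key
        self.pending: dict[str, Transaction] = {}

    def receive_from_pc(self, tx: Transaction):
        """Accept the order the (possibly infected) browser submitted and build
        the authenticated payload to push to the phone app."""
        self.pending[tx.tx_id] = tx
        payload = canonical(tx)
        return payload, tag(self.key, b"challenge", payload)

    def verify_confirmation(self, tx_id: str, confirmation: str) -> bool:
        """Release the transaction only if the confirmation is bound to the
        exact details the server holds for it."""
        tx = self.pending.get(tx_id)
        if tx is None:
            return False
        expected = tag(self.key, b"confirm", canonical(tx))
        return hmac.compare_digest(expected, confirmation)


class PhoneApp:
    def __init__(self, key: bytes):
        self.key = key

    def review(self, payload: bytes, challenge: str, user_approves):
        """Verify the bank's MAC, display the details, return a confirmation
        bound to those details if (and only if) the user approves."""
        if not hmac.compare_digest(tag(self.key, b"challenge", payload), challenge):
            raise ValueError("unauthenticated transaction details")  # e.g. spoofed push
        shown = Transaction(**json.loads(payload))
        if not user_approves(shown):
            return None
        return shown.tx_id, tag(self.key, b"confirm", payload)


def run_scenario(intended: Transaction, submitted: Transaction) -> bool:
    """intended: what the user typed on the PC; submitted: what reached the bank
    (identical, or altered by browser malware). Returns True if the bank
    ultimately releases the transaction."""
    server, app = BankServer(DEVICE_KEY), PhoneApp(DEVICE_KEY)
    payload, challenge = server.receive_from_pc(submitted)
    # The user compares what the phone shows with what they meant to send.
    result = app.review(payload, challenge, lambda shown: shown == intended)
    if result is None:
        return False
    tx_id, confirmation = result
    return server.verify_confirmation(tx_id, confirmation)


def forged_confirmation_accepted(submitted: Transaction) -> bool:
    """Malware without the device key tries to confirm the order itself."""
    server = BankServer(DEVICE_KEY)
    server.receive_from_pc(submitted)
    fake = hmac.new(b"guess", canonical(submitted), hashlib.sha256).hexdigest()
    return server.verify_confirmation(submitted.tx_id, fake)


def spoofed_details_rejected(tx: Transaction) -> bool:
    """Details not authenticated by the bank must never reach the user."""
    try:
        PhoneApp(DEVICE_KEY).review(canonical(tx), "00" * 32, lambda _: True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    honest = Transaction("tx-1", "XX00 CONSTRUCTED 0001", 5000, "EUR")
    tampered = Transaction("tx-1", "XX99 CONSTRUCTED MULE", 500000, "EUR")
    print("honest order released:", run_scenario(honest, honest))
    print("tampered order released:", run_scenario(honest, tampered))
```

The two properties worth noting are that the confirmation covers the canonical bytes of the transaction rather than a bare OTP, so it cannot be transplanted onto a different order, and that the two message directions are domain-separated, so neither side’s MAC can be replayed as the other’s.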