Eurograbber Proves SMS Not Suited to Secure Bank Transactions

December 12, 2012 by Mike Byrnes     No Comments

no_sms21From where I blog, the €36 million ($46.8 million) take of Eurograbber is a pretty successful bank heist.

Last week, news was released that cyber-criminals executed a multi-stage attack that compromised user PCs and the SMS channel on their mobile phones to execute fraudulent transactions, affecting more than 30 different banks across Europe.

As online fraud attacks grew in sophistication, and desktop malware became capable of modifying and initiating transactions unbeknownst to the end-user, the process of confirming transaction on an out-of-band channel (something other than the PC) started to emerge.

While some security vendors and banks worked diligently to engineer an out-of-band solution that was secure and leveraged advanced capabilities in the mobile phone, other approaches took the “quick and dirty” route and made use of the SMS channel to confirm the transaction out-of-band.

While SMS vulnerabilities and fraud attacks first emerged more than two years ago with the Zeus MITMO (man in the mobile), banks continued to rely on the SMS channel believing the threats were too complex to execute and, therefore, treated them as “edge cases.”

With more than 30,000 customers across consumer and wholesale/commercial banking, I think it’s safe to say the criminals refined the attack vector.

So, does this mean out-of-band transaction verification is useless? Does this mean we ditch the mobile device as a secure mechanism to protect against advanced cyber threat?

No. The problems are not with the concept of out-of-band authentication or the mobile device. It’s about developing a security feature on an insecure channel (e.g., SMS) that provides a less than optimal user experience for reviewing transaction integrity.

A far better approach would be to develop native smartphone applications that leverage the security features built into the mobile OS (e.g., code-signed applications and application sandboxing) and can establish a secure, mutually authenticated encryption channel between the device, the  transaction confirmation application and the bank server before transaction details are provisioned to the phone.

Couple that with a simple, easy-to-navigate user interface and you have effective protection against MITB and malware-based session-riding attacks. It’s a security approach that is both robust and simple to use.

Mike Byrnes

About

Entrust product manager Mike Byrnes has more than 20 years’ experience in product management and technology marketing with a focus on internet security and business communication systems. Mike drives product marketing for the Entrust IdentityGuard authentication platform with a significant focus on mobile solutions. In addition to mobile, his background covers identity and access management, fraud detection, malware protection, and email encryption solutions. Mike serves as vertical market prime for Entrust financial services segment, working with large banks across the globe to roll out solutions to their consumer- and corporate-banking client base.

Add to the Conversation