Mobile authentication grants access to online banking – but it’s not exactly mobile banking. The main difference is that mobile banking is an app installed on a device that easily grants access to online banking. While the two are similar, they each have their own unique vulnerabilities and attack vectors. Specifically, I want to explore some of the new attack vectors for mobile authentication and how this affects SMBs.
Banks in Europe and Asia require two-factor authentication via SMS messages. This style of mobile authentication is also popular in the U.S. and continues its path to becoming the standard for online banking scams. What is important for SMBs to note is that they are one of the LARGEST targets for this type of attack. Last year, the tech world saw a large number of high-profile attacks and data breaches, and security experts say threats will evolve and escalate in the coming. BYOD, cloud and advanced persistent threats (APTs) remain top of mind for many, and experts agree that those threats will continue to play a significant role in the threat landscape in 2013.
The way this attack works is that when customers log into their bank’s website they are sent a mobile transaction authentication number (mTAN) in a text message. They then must enter that mTAN code to access their accounts. This extra step prevents attackers from stealing usernames and passwords, and more importantly their money, access to bank accounts and funds.
Attackers seeking to bypass two-factor authentication need to infiltrate the mTAN text message sent by the banks. Once the attacker has stolen a username and password from a victim, the attacker then needs to get the user to install SMS-forwarding malware.
A pair of malware, Android/FakeBankDropper.A and Android/FakeBank.A, takes the standard SMS forwarder malware a step further. Normally, we advise users to employ only the official app provided by their banks for any online banking. Android/FakeBankDropper.A counters that defense by replacing the bank’s official app with Android/FakeBank.A. While the victim thinks they have the original app installed, the attacker logs into the users’ accounts to get the latest SMS from the bank.
Below is a short list of examples of similar SMS forwarders:
- Android/Nopoc.A: Forwards incoming SMS messages to the attacker’s server
- Android/Pincer.A: Pretends to install a certificate on the user’s device. Forwards SMS messages to the attacker’s server.
- Android/Stels.A: Pretends to be an update to the Adobe Flash player. Collects sensitive user information and posts it to the attacker’s server.
- Android/Wahom.A: Pretends to be a legitimate app, but displays an error message to the user. The malware hides its icon to fool the user into thinking it was uninstalled. Collects sensitive user information and forwards SMS to the attacker’s server.
Mobile banking and mobile application security will also have their share of concerns. One particular area of concern is malware that buys apps from an app store without user permission. McAfee points to the Android/Marketpay.A Trojan, which already exists, and predicts we’ll see criminals add it as a payload to a mobile worm in 2013.
As suggested by McAfee Labs in its 2013 Threats Predictions report, buying apps developed by malware authors puts money in their pockets. The Labs team believes that a mobile worm that uses exploits to propagate over numerous vulnerable phones is the perfect platform for malware that buys such apps. Attackers will no longer need victims to install a piece of malware. If user interaction isn’t needed, there will be nothing to prevent a mobile worm from going on a shopping spree.
McAfee also has concerns about the near-field communications (NFC) capabilities that are appearing on an increasing number of mobile devices. The Labs team states that as users are able to make “tap and pay” purchases in more locations, they’ll carry their digital wallets everywhere. That flexibility will, unfortunately, also be a boon to thieves. Attackers will create mobile worms with NFC capabilities to propagate (via the “bump and infect” method) and to steal money. Malware writers will thrive in areas with dense populations (airports, malls, theme parks, etc.). An NFC-enabled worm could run rampant through a large crowd, infecting victims and potentially stealing from their wallet accounts. McAfee also predicts that in 2013, malware that blocks mobile devices from receiving security updates is going to be a popular scam.
Stay tuned for the value of mobile data…