Tuesday, 10 December 2013

Cyber Criminals crack supposedly "safe" mTAN procedure

For years, bankers have praised the so-called mTAN procedure as safe. It is not: with the involuntary help of the mobile operators, criminals abroad are emptying online bank accounts. By Olaf Pursche
"Online banking with mTAN is safe," bankers have been reciting to their customers for years like a mantra. If only it were so. But as "Computer Bild" research shows, the online transfer system can be beaten with a few tricks: cyber criminals intercept the transaction numbers sent by SMS, the mTANs, and use them to divert money to their own accounts unnoticed. In recent cases the damage ran to six-figure sums.
The scam works like this: first the gang hijacks the victim's computer by planting a banking trojan. That is easy: construction kits for assembling such malware, such as Carberp, Zeus or Citadel, are available by the dozen for download in hacker forums.
The trojans usually reach the victim's PC through infected e-mails. Once on the hard disk, they search for banking data, spy out passwords, detect running online banking sessions and log keystrokes. The attackers thus obtain all the data they need to empty the victim's account remotely.
Involuntary accomplices
A trojan alone is of course not enough to plunder an mTAN-protected account. Every transfer requires its own mTAN, which the bank sends only to a pre-registered phone number. To intercept the mTAN, the perpetrators would therefore have to get hold of the phone itself, or so the banks assure.
Far from it: the criminals get around the problem with a simple trick and some involuntary accomplices, who sit in the customer hotlines of the mobile providers.
The offender simply calls the provider hotline, pretending to be the victim, and orders a new SIM card for the victim's phone number, preferably a multi-SIM card. Unlike a replacement SIM, a multi-SIM works in a second device without the victim's own card being switched off.
Once the card arrives, the gangster puts it into his own phone; with a multi-SIM he can also set it as the receiving card for SMS, which the victim is less likely to notice. Since he has full control of the trojan-infected PC, he can now log in to the victim's online banking account, place a transfer order to his own account, and receive the requested mTAN on his own phone.
Gross negligence by the providers
Is it really that easy? "Computer Bild" ordered SIM cards from the four network operators and the widely used provider 1&1 for mobile numbers that did not belong to the testers. The alarming result: almost all of the providers shipped the SIM card without asking for the customer password!
To impersonate the victim, the victim's name, date of birth and address were usually enough. Such data can be gathered from social networks such as Facebook even without trojan access to the victim's PC. That the delivery address for the SIM card differed from the victim's billing address did not make the hotline staff suspicious.
So the testers received SIM cards, delivered free of charge by express (see table), from every provider except O2. Although the customer-password check could be circumvented there as well, O2 sent SIM cards only to the customer address on file.
Is everything safer now?
Asked by "Computer Bild", all providers promised to tighten their security measures immediately. They intend to stop shipping SIM cards to addresses other than the customer's right away, and issuing a multi-SIM card is now to trigger a warning SMS to the existing card.
The fact that customer passwords went unchecked they attributed to "individual employee misconduct". "Computer Bild" will keep watching whether the mobile providers keep their promise.
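To make the controls concrete, the following Python sketch, added here and not part of the Computer Bild article, models a provider's SIM-reissue decision under three policies: the practice most providers showed in the test (identity data only, ship anywhere), the address-bound behaviour O2 showed, and the hardened rules the providers promised, with the customer-password check actually enforced and a warning to the existing card on multi-SIM issuance. It then runs the attacker's request from the article (correct name, date of birth and address taken from social networks, no password, a drop address, multi-SIM) and a legitimate request through each policy. All names, the phone number, field names and the customer password are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Customer:
    """Record the provider holds for a mobile number (constructed sample)."""
    msisdn: str
    name: str
    birthdate: str
    billing_address: str
    password: str  # the customer password the hotline is supposed to ask for


@dataclass(frozen=True)
class SimRequest:
    """What a caller tells the hotline when ordering a new SIM card."""
    msisdn: str
    name: str
    birthdate: str
    delivery_address: str
    password: Optional[str]  # None when the caller "cannot remember" it
    multi_sim: bool          # a multi-SIM leaves the victim's own card active


@dataclass(frozen=True)
class Policy:
    require_password: bool          # ask for and verify the customer password
    registered_address_only: bool   # ship only to the address on file
    warn_on_multi_sim: bool         # send a warning SMS to the existing card


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)
    warn_existing_sim: bool = False


def evaluate(req: SimRequest, cust: Customer, policy: Policy) -> Decision:
    """Decide whether the hotline may issue the SIM and whether to warn the
    existing card. Name and birthdate are always compared, but since both
    are obtainable from social networks they prove nothing on their own."""
    reasons: List[str] = []
    if (req.name, req.birthdate) != (cust.name, cust.birthdate):
        reasons.append("name/birthdate mismatch")
    if policy.require_password and req.password != cust.password:
        reasons.append("customer password missing or wrong")
    if policy.registered_address_only and req.delivery_address != cust.billing_address:
        reasons.append("delivery address differs from address on file")
    approved = not reasons
    warn = approved and req.multi_sim and policy.warn_on_multi_sim
    return Decision(approved, reasons, warn)


# Practice most providers showed in the test: identity data only, ship anywhere.
AS_TESTED = Policy(require_password=False, registered_address_only=False,
                   warn_on_multi_sim=False)
# O2 in the test: the password check could be bypassed, but shipping went
# only to the address on file.
ADDRESS_BOUND = Policy(require_password=False, registered_address_only=True,
                       warn_on_multi_sim=False)
# What the providers promised, plus actually enforcing the password check.
HARDENED = Policy(require_password=True, registered_address_only=True,
                  warn_on_multi_sim=True)

# Constructed sample data (hypothetical customer, number and password).
VICTIM = Customer("+49 170 0000000", "Erika Mustermann", "1980-01-01",
                  "Musterstr. 1, 12345 Musterstadt", "tulip-77")
# The attacker knows name, birthdate and address, has no password, wants the
# card sent to a drop address and asks for a multi-SIM.
ATTACK = SimRequest(VICTIM.msisdn, VICTIM.name, VICTIM.birthdate,
                    "Drop address, 99999 Elsewhere", None, multi_sim=True)
# The real customer orders a multi-SIM for a second device.
LEGIT = SimRequest(VICTIM.msisdn, VICTIM.name, VICTIM.birthdate,
                   VICTIM.billing_address, VICTIM.password, multi_sim=True)


def run_scenarios() -> Dict[str, Decision]:
    """Evaluate both requests under each policy, keyed by 'request/policy'."""
    policies = {"as_tested": AS_TESTED, "address_bound": ADDRESS_BOUND,
                "hardened": HARDENED}
    requests = {"attack": ATTACK, "legit": LEGIT}
    return {f"{r}/{p}": evaluate(req, VICTIM, pol)
            for r, req in requests.items() for p, pol in policies.items()}


if __name__ == "__main__":
    for key, decision in run_scenarios().items():
        status = "APPROVED" if decision.approved else "DENIED"
        warn = " (warning SMS to existing card)" if decision.warn_existing_sim else ""
        print(f"{key:22s} {status}{warn} {decision.reasons}")
```

Under the as-tested policy the attacker's order goes through exactly as in the article; the address-bound policy alone already stops it, since the card never reaches the drop address, and the hardened policy rejects it for two independent reasons while still serving the genuine customer and alerting the card already in use.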
