Shingirayi Padya and Graeme Neilson presented their work at Kiwicon 6

Feb 4, 2013 15:46 GMT

Researchers Shingirayi Padya and Graeme Neilson of Aura Information Security have found a way to hack the audio one-time passwords used by many African banks to protect their customers against fraudsters.

While most financial institutions rely on mobile applications or SMS messages to deliver one-time passwords for online transactions, the African banks in question rely on audio tokens because SMS delivery is not reliably available and not every customer owns a smartphone.

The researchers managed to bypass the security mechanism after determining that the audio tokens could be predicted and then played back to the online banking system to confirm a transaction, SC Magazine reports.

Furthermore, they have even demonstrated how cybercriminals could exploit the vulnerabilities they have uncovered for mass attacks.

For this purpose, they broke into the victims' voicemail and replaced the greeting message with the audio token. When the bank places its verification call, the token is played back to the bank from the greeting.

All the attacker then needs to do is keep the victim's line busy or set up a call diversion so that the bank's verification call lands in voicemail.

The slideshow presented by the experts at Kiwicon 6 is available here.