Soon enough banks will have to come up with a better authentication system

Mar 15, 2012 13:59 GMT  ·  By

Many bank customers know that when they want to make online transactions from their accounts, the financial institution sends a one-time password (OTP) to their mobile phone to ensure the safety of the operation. However, crooks have come up with clever ways to gain access to those passwords without raising any suspicion.

Trusteer experts report that they came across two attack scenarios used by the fraudsters to get the bank to send them the OTP instead of the real customer.

In both scenarios, the con artists use a man-in-the-browser or a phishing attack to obtain basic information such as the bank account number, credentials, names, and phone numbers.

These types of schemes are common, which is why financial institutions introduced the OTP authorization system.

So how do the crooks get the OTP?

In the first situation, they use the Gozi Trojan to steal the mobile phone’s IMEI (international mobile equipment identity) from the victims. Gozi does this by prompting the user to enter his/her IMEI before logging in to the online banking account.

Because not everyone knows how to find the phone’s IMEI, the webpage that requests it gives detailed instructions.

Once they are in possession of the IMEI, the criminals can contact the victim’s wireless carrier, report the device as stolen and request a new SIM card. The old SIM card, which is still in the possession of the account holder, is deactivated, and all the OTPs coming from the bank are sent to the fraudster.

The second scenario is even more complex. The fraudsters use the stolen information (name, address, phone number, etc.) to file a report with the local law enforcement agency, saying that the phone has been stolen.

With the police report in hand, the criminal goes to the wireless service provider and requests a new SIM card, but not before calling the victim to notify him/her that there will be a 12-hour service interruption.

When the victim’s SIM is deactivated, it doesn’t raise any suspicion, because he/she was informed, allegedly by the phone company, that the service was about to be interrupted. Until the account holder picks up on the scam, the crooks have enough time to cause serious damage.