Never trust websites that ask for bank related information

Oct 7, 2011 09:30 GMT

Researchers recently discovered that by combining the infamous SpyEye Trojan with social engineering techniques, hackers can easily take over someone's bank account without their knowledge, proving that out-of-band authentication (OOBA) systems, once believed to be foolproof, are actually not too difficult to bypass.

According to Trusteer, even though the operation is a bit more complex, it's not really hard to put into practice, as the social engineering involved doesn't raise much suspicion.

The first step of the process is pretty standard for account-stealing Trojans: the cybercriminals deploy the malware to steal the future victim's bank credentials.

After obtaining the log-in details, all the masterminds have to do is change the customer's phone number on record in the online banking application. To do this they require a confirmation code, which the bank sends to the client's mobile, and this is where the social engineering steps in.

SpyEye injects into the victim's browser a fake page that appears to come from the financial institution. As in most such cases, the perpetrators pretend to be introducing a new security system that the customer needs to register for.

To complete the registration, victims have to enter the code received via SMS into the online form, which allegedly will allow them to receive a special SMS card at their email address. Once the criminals lay their hands on the confirmation code, it's all downhill from there, as they can easily reassign their own phone number for future operations.

All the transaction confirmation messages will then arrive at the numbers they selected, allowing them to make as many payments as they desire.
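One bank-side mitigation for the flow just described, shown as an added example (not code from Trusteer or from the article): payments initiated within a cooling-off window after the SMS confirmation number is changed are held for confirmation over a channel the new number cannot intercept. The 48-hour window, the event model and the sample timeline are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical hold period after a change of the number that receives
# confirmation SMS. The value is an assumption for this example.
COOLING_OFF = timedelta(hours=48)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "login", "phone_change" or "payment"
    amount: float = 0.0


def payments_to_hold(events, cooling_off=COOLING_OFF):
    """Return payments initiated within cooling_off after the most recent
    phone-number change. In the scheme above the fraudster reassigns the
    number and then starts paying; each payment returned here would be
    held for confirmation via the previous number or another channel."""
    last_change = None
    held = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "phone_change":
            last_change = e.ts
        elif (e.kind == "payment" and last_change is not None
              and e.ts - last_change <= cooling_off):
            held.append(e)
    return held


def demo_timeline():
    """Constructed timeline mirroring the article: stolen credentials used,
    number changed with the socially engineered code, burst of payments."""
    t0 = datetime(2011, 10, 6, 9, 0)
    return [
        Event(t0 - timedelta(days=2), "payment", 120.00),      # legitimate, before change
        Event(t0, "login"),                                    # stolen credentials used
        Event(t0 + timedelta(minutes=5), "phone_change"),      # code relayed by the victim
        Event(t0 + timedelta(minutes=20), "payment", 950.00),  # fraudulent, inside window
        Event(t0 + timedelta(hours=26), "payment", 800.00),    # fraudulent, inside window
        Event(t0 + timedelta(days=5), "payment", 60.00),       # outside window, not held
    ]


if __name__ == "__main__":
    for p in payments_to_hold(demo_timeline()):
        print(f"hold {p.amount:.2f} at {p.ts:%Y-%m-%d %H:%M}")
```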

The proof-of-concept highlights the fact that out-of-band authentication systems are not as reliable as previously thought. Fraudsters can easily bypass the security measure and even buy themselves more time, as the operation is hard to detect for both the institution and the customer.

Make sure not to trust web pages that ask you to give out any bank account information, now that you've seen the cunning schemes hackers will deploy in order to gain your trust.