War on Error

John E Dunn

'Eurograbber' SMS attack shows Android's vulnerability


Does your online bank use SMS authentication? If yes, consider using an iPhone in future.

We end 2012 with the alarming knowledge that the SMS two-factor authentication systems used to secure online banking have suffered their first major security failure and left a clutch of banks down to the tune of €36 million (£30 million).

Between roughly August and mid-October, a variant of the Zeus banking malware (ZeuS-in-the-Mobile) was able to compromise 30,000 online bank accounts on 30 different Italian, German, Dutch and Spanish banks, stealing tens of millions of Euros after siphoning money via account mules.

Online bank heists that rake in large sums are not new, but what has been dubbed “Eurograbber” by the security firm Check Point also defeated what was supposed to be an impregnable layer of security, namely 2FA authentication using one-time SMS passwords/PINs sent to mobile phones.

The principle of SMS security is sound enough. The user logs on as normal using a user name and password but can’t access their account until the bank sends a verification PIN (called a Mobile Transaction Authentication Number, or mTAN). An attacker that has compromised the PC and keylogged the user's credentials can’t know this second piece of data unless they can access the phone during the session.

Eurograbber smashed this (there’s no other description for it) using what now looks like an incredibly straightforward attack. After infecting the online bank user’s Windows PC, Zeus sprang into life when it detected a banking session, recording the login data. Victims were tricked into entering their mobile numbers via a bogus but plausible splash screen, after which they were sent a phishing link to an Android malware app hosted on a third-party site (i.e. not Google’s Play).

Having installed the malware believing it to be a security "update" by clicking on this link, the rogue app was able to intercept the real bank SMS message when it arrived, sending that back to the criminals.

The simplicity of the attack underlines two uncomfortable aspects of the story, the first being how easy it still is to infect large numbers of Windows users with malware. The second - and in some ways more disturbing - is how easy it is to infect large numbers of Android users with malware.

Today, Windows + Android just isn’t good news. Any Windows user who happened to use an iPhone or Windows Phone would have been unaffected by Eurograbber because Apple and Microsoft don’t allow third-party downloads. But, the attackers noticed, Google does.

But what about the rather basic design of the SMS authentication? Isn’t sending one-time PINs to old-fashioned inboxes rather insecure for an age of smartphone sophistication?

One prominent ‘tokenless’ vendor, SecurEnvoy, believes that while the principle of 2FA via mobile remains strong, the Eurograbber attack does point up weaknesses in implementation.

“We shouldn’t be writing off SMS - it is better than 'no-factor'. But it has to be more sophisticated,” suggests SecurEnvoy’s CTO, Andy Kemshall. “With tokenless you still have to compromise two devices.”

According to Kemshall, Eurograbber underlines the need for the industry to migrate SMS texts sent to messaging inboxes - a design compatible with old-style phones - to one based on a more secure app-based model that exploits the power of smartphones.

“What the banks should offer their users is the choice to use secure apps. The end user should be given the choice.”

Good point. Simple texts are too vulnerable; apps created using secure APIs (i.e. which can’t be cloned or impersonated by malware writers) offer a potential way forward. Under that design, the PIN would be received in a dedicated app, cutting out the possibility of interception by malware.
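To make the difference between the two designs concrete, here is an added toy model (written for this post; it is not code from the article, from any bank, or from SecurEnvoy). It covers both the SMS mTAN flow described earlier, where the PIN that arrives in the inbox is the whole credential, and the dedicated-app model suggested above, where a key provisioned to the phone never leaves it and the app answers a server challenge with an HMAC. The class names, the 120-second validity window, the session identifiers and the placeholder payee are all assumptions; binding the challenge to the transaction amount and payee is one step beyond what the post describes, added because it is what stops a response being reused for a different payment.

```python
# Added illustration, not code from the article, the banks or SecurEnvoy.
# Names, fields and the 120-second window are assumptions for this example.
import hashlib
import hmac
import secrets


class SmsMtanServer:
    """The SMS flow in the post: the bank generates a one-time PIN, sends it
    to the phone's messaging inbox, and accepts that PIN back from whoever is
    driving the web session. The PIN is a bearer value."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.pending = {}  # session_id -> (pin, expires_at)

    def issue(self, session_id, now):
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[session_id] = (pin, now + self.ttl)
        return pin  # exactly this string travels over SMS

    def verify(self, session_id, pin, now):
        entry = self.pending.pop(session_id, None)  # single use
        if entry is None:
            return False
        expected, expires_at = entry
        return now <= expires_at and hmac.compare_digest(expected, pin)


def app_respond(device_key, challenge):
    """What the dedicated app computes with the key provisioned to it."""
    return hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()


class AppChallengeServer:
    """The app-based model: a per-device key is provisioned at enrolment; the
    server sends a challenge naming the session and transaction; the app
    answers with an HMAC over it. Reading the challenge gives no credential."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.device_keys = {}  # device_id -> key
        self.pending = {}      # session_id -> (device_id, challenge, expires_at)

    def enrol(self, device_id):
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key  # handed to the app once, at enrolment, never sent again

    def issue(self, session_id, device_id, amount, payee, now):
        nonce = secrets.token_hex(16)
        challenge = f"{session_id}|{amount}|{payee}|{nonce}"
        self.pending[session_id] = (device_id, challenge, now + self.ttl)
        return challenge  # may be observed on the PC or the phone

    def verify(self, session_id, response, now):
        entry = self.pending.pop(session_id, None)  # single use
        if entry is None:
            return False
        device_id, challenge, expires_at = entry
        expected = app_respond(self.device_keys[device_id], challenge)
        return now <= expires_at and hmac.compare_digest(expected, response)


def compare_designs():
    """Run both flows against an observer who can read messages but holds no
    key, and report what each design concedes. Returns a dict of checks."""
    now = 1_000_000  # constructed clock value
    results = {}

    sms = SmsMtanServer()
    pin_seen_in_inbox = sms.issue("sess-1", now)
    # Whoever reads the inbox holds the entire second factor.
    results["sms_pin_seen_is_enough"] = sms.verify("sess-1", pin_seen_in_inbox, now + 5)
    results["sms_pin_replay_rejected"] = not sms.verify("sess-1", pin_seen_in_inbox, now + 6)
    stale = sms.issue("sess-2", now)
    results["sms_pin_expires"] = not sms.verify("sess-2", stale, now + 121)

    app = AppChallengeServer()
    device_key = app.enrol("phone-A")
    payee = "PLACEHOLDER-IBAN"  # constructed, not a real account
    challenge = app.issue("sess-3", "phone-A", "4500.00", payee, now)
    # Observer sees the challenge but not the key; a wrong key yields a wrong MAC.
    keyless_attempt = app_respond(secrets.token_bytes(32), challenge)
    results["app_challenge_seen_is_not_enough"] = not app.verify("sess-3", keyless_attempt, now + 5)
    # The genuine phone, holding the key, answers its own challenge.
    challenge2 = app.issue("sess-4", "phone-A", "4500.00", payee, now)
    results["app_genuine_device_accepted"] = app.verify("sess-4", app_respond(device_key, challenge2), now + 5)
    # A response computed for one transaction is useless for another.
    challenge3 = app.issue("sess-5", "phone-A", "9000.00", payee, now)
    results["app_response_not_transferable"] = not app.verify("sess-5", app_respond(device_key, challenge2), now + 5)
    return results


if __name__ == "__main__":
    for check, ok in compare_designs().items():
        print(f"{check}: {ok}")
```

The first group of checks is the Eurograbber outcome in miniature: once the PIN text is readable, single use and expiry limit the window but do not change the fact that the message is the credential. In the second group the only thing that crosses the network is a challenge and a MAC, so the attacker must hold the device key as well as the PC session, which is Kemshall's "compromise two devices" point.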

What remains inescapable is the relative vulnerability of Android in its current form, with its fragmented array of versions and an open model that permits third-party downloads. This is not to say that such attacks are technically impossible on Apple and Microsoft but they are far less likely.

The tendency of users to click ‘yes’ to everything and anything on smartphones can be countered with better education, but that will take time the online banking industry no longer has. Security software can also do some of the job, but that is the model of the PC industry, which solved problems such as spam and malware by asking users to shell out for protection.

History tells us that this model of privatising security only works up to a point and leaves plenty of room for attackers to prey on the less well protected. As 2012 dawns, history could be about to repeat itself. Expect more Eurograbber-like attacks on mobile banking in the year ahead.
