Between roughly August and mid-October, a variant of the Zeus banking malware (ZeuS-in-the-Mobile) was able to compromise 30,000 online bank accounts on 30 different Italian, German, Dutch and Spanish banks, stealing tens of millions of Euros after siphoning money via account mules.
Online bank heists that rake in large sums are not new, but what has been dubbed “Eurograbber” by the security firm Check Point also defeated what was supposed to be an impregnable layer of security, namely two-factor authentication (2FA) using one-time SMS passwords/PINs sent to mobile phones.
The principle of SMS security is sound enough. The user logs on as normal using a user name and password but can’t access their account until the bank sends a verification PIN (called a Mobile Transaction Authentication Number, or mTAN). An attacker who has compromised the PC and keylogged the user's credentials can’t know this second piece of data unless they can also access the phone during the session.
Eurograbber smashed this (there’s no other description for it) using what now looks like an incredibly straightforward attack. After infecting the online bank user’s Windows PC, Zeus sprang into life when it detected a banking session, recording the login data. Victims were tricked into entering their mobile numbers via a bogus but plausible splash screen, after which they were sent a phishing link to an Android malware app hosted on a third-party site (i.e. not Google’s Play).
Once the victim had clicked on this link and installed the malware, believing it to be a security "update", the rogue app was able to intercept the real bank SMS message when it arrived, sending it back to the criminals.
The simplicity of the attack underlines two uncomfortable aspects of the story, the first being how easy it still is to infect large numbers of Windows users with malware. The second - and in some ways more disturbing - is how easy it is to infect large numbers of Android users with malware.
Today, Windows + Android just isn’t good news. Any Windows user who happened to use an iPhone or Windows Phone would have been unaffected by Eurograbber because Apple and Microsoft don’t allow third-party downloads. But, the attackers noticed, Google does.
But what about the rather basic design of the SMS authentication? Isn’t sending one-time PINs to old-fashioned inboxes rather insecure for an age of smartphone sophistication?
One prominent ‘tokenless’ vendor, SecurEnvoy, believes that while the principle of 2FA via mobile remains strong, the Eurograbber attack does point up weaknesses in implementation.
“We shouldn’t be writing off SMS - it is better than 'no-factor'. But it has to be more sophisticated,” suggests SecurEnvoy’s CTO, Andy Kemshall. “With tokenless you still have to compromise two devices.”
According to Kemshall, Eurograbber underlines the need for the industry to migrate SMS texts sent to messaging inboxes - a design compatible with old-style phones - to one based on a more secure app-based model that exploits the power of smartphones.
“What the banks should offer their users is the choice to use secure apps. The end user should be given the choice.”
Good point. Simple texts are too vulnerable; apps created using secure APIs (i.e. which can’t be cloned or impersonated by malware writers) offer a potential way forward. Under that design, the PIN would be received in a dedicated app, cutting out the possibility of interception by malware.
What remains inescapable is the relative vulnerability of Android in its current form, with its fragmented array of versions and an open model that permits third-party downloads. This is not to say that such attacks are technically impossible on Apple and Microsoft but they are far less likely.
The tendency of users to click ‘yes’ to everything and anything on smartphones can be countered with better education, but that will take time the online banking industry no longer has. Security software can also do some of the job, but that is the model of the PC industry, which solved problems such as spam and malware by asking users to shell out for protection.
History tells us that this model of privatising security only works up to a point and leaves plenty of room for attackers to prey on the less well protected. As 2012 dawns, history could be about to repeat itself. Expect more Eurograbber-like attacks on mobile banking in the year ahead.