An SMS can leave the bank account empty

Germany suffered a phishing attack in 2017 and this exercise has been the turn of the United Kingdom



In recent years, online services and financial institutions have adopted two-factor authentication to improve the security of their users. It is an extra measure that, in addition to a password, usually requires a code obtained from an application or received by SMS in order to access the service.

Two-factor authentication systems are much more secure than passwords alone. Last January, Metro Bank of the United Kingdom confirmed to the Motherboard website that some of its customers had been victims of an SS7 attack in which the SMS messages carrying the codes the bank sends to authenticate a transaction were intercepted.

To date, the financial sector continues to rely on this type of message, which has made it a preferred target for cybercriminals seeking access to bank accounts. The attack in the United Kingdom follows a similar one in Germany in 2017.

Taking advantage of a flaw in the SS7 protocol, cybercriminals can access messages in several ways, according to Kaspersky Lab. This type of attack is possible because the SS7 network does not verify who sends a request: if cybercriminals manage to get past the security systems, the network follows their commands as if they were legitimate and routes messages and calls where they are told.

Today, most banks request additional confirmation and send a verification code to the account owner. If the bank does this through SMS, that is when the cybercriminals exploit the SS7 vulnerability, intercept the message and enter the code, as if they had your phone.

The cybercriminals first obtain the username and password for the victim's online banking, probably through phishing, a keylogger or a banking Trojan. Then they log in to the online bank and request a transfer.

Banks accept the transfer as legitimate, since the transaction has been authorized twice: with the customer's password and with the one-time code. The money ends up in the hands of the criminals.

Security experts say that this could be avoided if banks used double-factor authentication that did not depend on text messages.
