Page 1: SMS banking fraud
Page 2: SMS banking fraud

SMS Banking Fraud

Denis Gorchakov, Olga Kochetova, Positive Research Center

Positive Hack Days III

Page 3: SMS banking fraud


What is SMS banking?
― checking your balance and receiving information about performed transactions
― performing basic operations:
• Prepaid cellphone refill
• Payment for various services: Internet, TV, utility bills
• Funds transfer
• Immediate card blocking if lost

Page 4: SMS banking fraud


A common issue is a card linked to another subscriber's number

Page 5: SMS banking fraud


From: Vasily
To: SMS Bank
SEND 100 89161234567

From: My Bank
RUR 100 have been added to your phone account No. 89161234567.

From: My Bank
Please enter code 974365 to confirm the payment

From: Vasily
To: SMS Bank
SEND 9999 89161234567

From: My Bank
Please specify the last 4 digits of your card to confirm the payment

From: Vasily
To: SMS Bank
SEND 9999 89161234567 0890

From: My Bank
RUR 9,999 have been added to your phone account No. 89161234567.

Lack of transaction confirmation or confirmation insecurity

Page 6: SMS banking fraud


Data collection by a malicious user
― Accidental (link to another subscriber's number):
• Minimum harm — viewing financial data of another person
• Maximum harm — managing another person's bank account
• Consequences — criminal and administrative responsibility
http://pravo.ru/news/view/83503/
― On purpose:
• Wastebaskets next to terminals and ATMs in public places
• Cash register tapes available for shop assistants
• Employees of communications service providers
http://www.securitylab.ru/news/377745.php

Page 7: SMS banking fraud


― Only a phone number is available:
• A payment to a phone number (own or confirmed)
Banks are already anxious: http://www.finsb.ru/map/novosti/view/?tx_ttnews[tt_news]=1428
• Social engineering
A common scheme with a false payment to another person's number, when a payment message from an operator/payment service is imitated
• Pranking
Card blocking

In addition:
― OTP attacks (long expiration period)
― Insecure verification methods (by part of a card number)

Exploitation

Page 8: SMS banking fraud


Money flows on the slide are marked $$$.

Sent through an SMS gateway, with Vasily's number as the sender ($$$):
From: Vasily's number
To: SMS Bank
SEND 500 89261234567

Malicious user Semyon receives (+ $$$):
From: Mobile network operator
Your phone account has been refilled with RUR 500.

From: Semyon
To: Vasily
Bro, a wrong number! Be a pal, refund this amount to me! (+ $$$)

Vasily receives:
From: SMS Bank (REAL)
Dear Vasily, 500 rubles have been deducted from your credit card for mobile phone services.

From: SMS Bank number, sent through the SMS gateway (FAKE)
To: Vasily
Invalid withdrawal from your card has been canceled. The funds will be redeemed to the account in due time.

Social engineering

Page 9: SMS banking fraud


Sent through an SMS gateway, with Vasily's number as the sender ($$$):
From: Vasily's number
To: SMS Bank
SEND 3000 89261234567

Malicious user Semyon receives (+ $$$):
From: Mobile network operator
Your phone account has been refilled with RUR 3,000.

Vasily receives:
From: SMS Bank (REAL)
Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services.

From: Bank security service, sent through the SMS gateway (FAKE)
To: Vasily
A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900:
CANCEL 79161235476

Number 9900: SMS aggregator, digital money (+ $$$)

Social engineering v.2

Page 10: SMS banking fraud


Malicious user Semyon, through the SMS gateway:
From: Vasily's number
To: SMS Bank
SEND CUTEKITTENS 99999

From: SMS Bank
Dear Vasily, thank you very much! Your donation to the kittens support fund in the amount of 99,999 rubles has been received!

Thank you!… Of course, other things can happen, because malicious users are already aware of this fact; such information is publicly available:
1. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154788
2. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154785

Disorderly conduct

Page 11: SMS banking fraud


Verification
― Without verification (only by the sender's number) — easy and convenient, but insecure
― Verification by the last 4 digits of a card — insecure
― OTP verification — better, but some security issues exist
― Good banks — in addition to OTP, IMSI* verification and linking of the IMSI to the account number

* IMSI means International Mobile Subscriber Identity, linked to each user of GSM, UMTS or CDMA mobile communication. The subscriber's device transmits the IMSI for identification at the moment of registration in the network. The number is tied to the user's SIM card.

Page 12: SMS banking fraud


Malicious user Semyon, through the SMS gateway:
From: Vasily's number
To: SMS Bank
SEND CUTEKITTENS 99999 0890

I. Sender's IMSI verification (linked to the account): DENIAL

II. From: SMS Bank
Confirm the transaction by replying to the message with code 754387.
DENIAL (WTF?)

What is right?
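The four verification levels from slides 11 and 12, and the spoofed-sender request from slides 8 to 10, can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not code from the presentation or from any bank, and the `SmsBank` class, its policy names, the subscriber numbers, IMSIs and card digits are all constructed for illustration. It simulates one request that arrives through an SMS gateway showing Vasily's number as the sender but carrying Semyon's own SIM identity, and shows which policies accept it. The OTP-by-reply flow also covers the "long expiration period" issue from slide 7: codes are single-use and time-limited.

```python
"""Simulated SMS banking command handler with selectable verification policies (added example)."""
import re
import secrets
import time
from dataclasses import dataclass

# Constructed sample data for the walkthrough (placeholders, not real subscribers or cards).
VASILY_MSISDN = "79161234567"
VASILY_IMSI = "250010000000001"    # placeholder IMSI of Vasily's SIM
VASILY_CARD_LAST4 = "0890"
ATTACKER_IMSI = "250019999999999"  # placeholder IMSI of Semyon's SIM


@dataclass
class Sms:
    sender: str   # sender number as displayed; an SMS gateway can set this to any value
    imsi: str     # identity of the SIM that actually transmitted the message (network-asserted)
    text: str


@dataclass
class Account:
    msisdn: str
    imsi: str
    card_last4: str
    balance: int = 10_000


class SmsBank:
    """Hypothetical bank back end; the policy names are ours, not any real product's."""

    CMD = re.compile(r"^SEND (\d+) (\d{11})(?: (\d{4}))?$")

    def __init__(self, policy: str, otp_ttl: int = 60):
        self.policy = policy          # sender_only | last4 | imsi | otp_reply
        self.otp_ttl = otp_ttl        # seconds a confirmation code stays valid
        self.accounts = {VASILY_MSISDN: Account(VASILY_MSISDN, VASILY_IMSI, VASILY_CARD_LAST4)}
        self.pending = {}             # msisdn -> (code, amount, dest, issued_at)
        self.outbox = []              # (to_msisdn, text): messages delivered to the registered handset
        self.transfers = []

    def handle(self, sms: Sms, now=None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.get(sms.sender)
        if acct is None:
            return "DENIAL: unknown sender"
        m = self.CMD.match(sms.text)
        if not m:                     # anything that is not a command is treated as an OTP reply
            return self._otp_reply(sms, acct, now)
        amount, dest, last4 = int(m.group(1)), m.group(2), m.group(3)
        if self.policy == "sender_only":          # trusts the displayed sender number only
            return self._transfer(acct, amount, dest)
        if self.policy == "last4":                # digits printed on every receipt
            if last4 != acct.card_last4:
                return "Please specify the last 4 digits of your card to confirm the payment"
            return self._transfer(acct, amount, dest)
        if self.policy == "imsi":                 # SIM identity asserted by the network, not by the gateway
            if sms.imsi != acct.imsi:
                return "DENIAL: sender IMSI does not match the linked account"
            return self._transfer(acct, amount, dest)
        if self.policy == "otp_reply":            # code is delivered to the registered handset only
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[acct.msisdn] = (code, amount, dest, now)
            self.outbox.append((acct.msisdn, f"Confirm the transaction by replying with code {code}."))
            return "OTP sent to the registered handset"
        raise ValueError(f"unknown policy {self.policy}")

    def _otp_reply(self, sms: Sms, acct: Account, now: float) -> str:
        entry = self.pending.pop(acct.msisdn, None)   # single use: any reply consumes the code
        if entry is None:
            return "DENIAL: no pending transaction"
        code, amount, dest, issued = entry
        if now - issued > self.otp_ttl:               # short expiry limits the window for OTP attacks
            return "DENIAL: code expired"
        if not secrets.compare_digest(sms.text.strip(), code):
            return "DENIAL: wrong code"
        return self._transfer(acct, amount, dest)

    def _transfer(self, acct: Account, amount: int, dest: str) -> str:
        if amount > acct.balance:
            return "DENIAL: insufficient funds"
        acct.balance -= amount
        self.transfers.append((acct.msisdn, amount, dest))
        return f"RUR {amount:,} have been added to your phone account No. {dest}."


def run_spoofed_request(policy: str) -> str:
    """Semyon sends SEND 500 through a gateway that shows Vasily's number as the sender;
    the message still carries Semyon's own IMSI. He also has Vasily's card digits from a receipt."""
    bank = SmsBank(policy)
    return bank.handle(Sms(VASILY_MSISDN, ATTACKER_IMSI, "SEND 500 89261234567 0890"))


def run_otp_flow() -> dict:
    """OTP by reply: the code never reaches the spoofing sender, is single-use and expires."""
    bank, t0, out = SmsBank("otp_reply", otp_ttl=60), 1_000_000.0, {}
    bank.handle(Sms(VASILY_MSISDN, ATTACKER_IMSI, "SEND 500 89261234567"), now=t0)
    out["guess"] = bank.handle(Sms(VASILY_MSISDN, ATTACKER_IMSI, "000000"), now=t0 + 1)
    bank.handle(Sms(VASILY_MSISDN, VASILY_IMSI, "SEND 100 89161234567"), now=t0 + 10)
    code = bank.outbox[-1][1].split()[-1].rstrip(".")      # Vasily reads the code on his handset
    out["genuine"] = bank.handle(Sms(VASILY_MSISDN, VASILY_IMSI, code), now=t0 + 20)
    out["replay"] = bank.handle(Sms(VASILY_MSISDN, VASILY_IMSI, code), now=t0 + 21)
    bank.handle(Sms(VASILY_MSISDN, VASILY_IMSI, "SEND 100 89161234567"), now=t0 + 30)
    code = bank.outbox[-1][1].split()[-1].rstrip(".")
    out["expired"] = bank.handle(Sms(VASILY_MSISDN, VASILY_IMSI, code), now=t0 + 91)
    return out


if __name__ == "__main__":
    for policy in ("sender_only", "last4", "imsi", "otp_reply"):
        print(f"{policy:12s} -> {run_spoofed_request(policy)}")
    print(run_otp_flow())
```

Running it shows the spoofed request succeeding under `sender_only` and `last4` (the card digits are exactly what slide 6 says attackers collect from receipts), being refused under `imsi` because the gateway cannot forge the network-asserted SIM identity, and stalling under `otp_reply` because the code is delivered to the handset that the spoofed number actually belongs to. The OTP flow also refuses a replayed code and a code answered after its 60-second lifetime, which is the mitigation for the long-expiration problem named on slide 7.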

Page 13: SMS banking fraud


Other vectors?
• GSM alarm systems with default passwords
• “Smart” houses — targeted attacks

How can users protect themselves?
• Never disable OTP and notifications about card operations
• Attentiveness and vigilance
• Using a client-bank application for smartphones

Page 14: SMS banking fraud

Thank you for your attention!

Denis Gorchakov, Olga Kochetova

[email protected], [email protected]

Positive Research Center

Page 15: SMS banking fraud