Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
1. SMS Banking Fraud
   Denis Gorchakov, Olga Kochetova
   Positive Research Center
   Positive Hack Days III

2. What is SMS banking?
   ― checking your balance and receiving information about performed transactions
   ― performing basic operations:
     • Prepaid cellphone refill
     • Payment for various services: Internet, TV, utility bills
     • Funds transfer
     • Immediate card blocking if lost

3. A common issue is a card linked to another subscriber's number

4. Lack of transaction confirmation, or insecure confirmation
   From: Vasily / To: SMS Bank
     SEND 100 89161234567
   From: My Bank
     RUR 100 have been added to your phone account No. 89161234567.

   From: My Bank
     Please enter code 974365 to confirm the payment

   From: Vasily / To: SMS Bank
     SEND 9999 89161234567
   From: My Bank
     Please specify the last 4 digits of your card to confirm the payment
   From: Vasily / To: SMS Bank
     SEND 9999 89161234567 0890
   From: My Bank
     RUR 9,999 have been added to your phone account No. 89161234567.

5. Data collection by a malicious user
   ― Accidental (link to another subscriber's number):
     • Minimum harm — viewing financial data of another person
     • Maximum harm — managing another person's bank account (http://pravo.ru/news/view/83503/)
     • Consequences — criminal and administrative responsibility
   ― Deliberate:
     • Wastebaskets next to terminals and ATMs in public places
     • Cash register tapes available for shop assistants
     • Employees of communications service providers (http://www.securitylab.ru/news/377745.php)

6. Exploitation
   ― Only a phone number is available:
     • A payment to a phone number (own or confirmed). Banks are already anxious: http://www.finsb.ru/map/novosti/view/?tx_ttnews[tt_news]=1428
     • Social engineering: a common scheme with a false payment to another person's number, when a payment message from an operator/payment service is imitated
     • Pranking: card blocking
   In addition:
   ― OTP attacks (long expiration period)
   ― Insecure verification methods (by part of the card number)

7. Social engineering
   Malicious user Semyon, sending from Vasily's number through an SMS gateway:
   From: Vasily's number / To: SMS Bank
     SEND 500 89261234567
   From: Mobile network operator / To: Semyon [$$$]
     Your phone account has been refilled with RUR 500.
   From: SMS Bank / To: Vasily [REAL]
     Dear Vasily, 500 rubles have been deducted from your credit card for mobile phone services.
   From: Semyon / To: Vasily
     Bro, a wrong number! Be a pal, refund this amount to me!
   From: SMS Bank number (through the SMS gateway) / To: Vasily [FAKE]
     Invalid withdrawal from your card has been canceled. The funds will be redeemed to the account in due time.

8. Social engineering v.2
   Malicious user Semyon, sending from Vasily's number through an SMS gateway:
   From: Vasily's number / To: SMS Bank
     SEND 3000 89261234567
   From: Mobile network operator / To: Semyon [$$$]
     Your phone account has been refilled with RUR 3,000.
   From: SMS Bank / To: Vasily [REAL]
     Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services.
   From: Bank security service (through the SMS gateway) / To: Vasily [FAKE]
     A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900: CANCEL 79161235476
   (On the slide, the 9900 number is labelled as an SMS aggregator: digital money.)

9. Disorderly conduct
   Malicious user Semyon, sending from Vasily's number through an SMS gateway:
   From: Vasily's number / To: SMS Bank
     SEND CUTEKITTENS 99999
   From: SMS Bank / To: Vasily
     Dear Vasily, thank you very much! Your donation to the kittens support fund in the amount of 99,999 rubles has been received! Thank you!
   … of course other things can happen, because malicious users are already aware of this fact; such information is publicly available:
   1. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154788
   2. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154785

10. Verification
   ― Without verification (only by the sender's number) — easy and convenient, but insecure
   ― Verification by the last 4 digits of a card — insecure
   ― OTP verification — better, but some security issues exist
   ― Good banks — besides OTP, IMSI* verification and IMSI linking to an account number
   * IMSI means International Mobile Subscriber Identity, linked to each user of mobile communication of the GSM, UMTS or CDMA standard. The subscriber's device transfers the IMSI for identification at the moment of registration in a network. The number is tied to the user's SIM card.

11. What is right?
   I. From: Vasily's number / To: SMS Bank (malicious user Semyon, through an SMS gateway)
        SEND CUTEKITTENS 99999 0890
      Sender's IMSI verification (linked to the account): DENIAL
   II. From: SMS Bank
        Confirm the transaction by replying to the message with code 754387.
      Semyon: WTF? DENIAL

12. Other vectors?
   • GSM alarm systems with default passwords
   • "Smart" houses — targeted attacks
   How can users protect themselves?
   • Never disable OTP and notifications about card operations
   • Attentiveness and vigilance
   • Using a client-bank application for smartphones

13. Thank you for your attention!
   Denis Gorchakov, Olga Kochetova
   dgorchakov@ptsecurity.ru, okochetova@ptsecurity.ru
   Positive Research Center
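As an added example, not part of the slide deck and not any bank's real code, the following Python simulation puts the verification levels from slides 10 and 11 side by side: trusting only the sender's number, checking the last 4 card digits, a reply-bound OTP with a short expiry (the "long expiration period" problem from slide 6), and checking the sender's IMSI against the one linked to the account. It assumes the operator hands the bank the subscriber's IMSI with each message and that a message injected through an SMS gateway arrives without one; the policy names, the `OTP_TTL` value, and all numbers, accounts and messages are constructed for the demo.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


# Constructed sample data types; none of the numbers below are real.
@dataclass
class Account:
    msisdn: str        # subscriber number linked to the card
    imsi: str          # IMSI recorded when the number was linked to the account
    card_last4: str    # last 4 digits of the card (what the "last4" policy checks)
    balance: int       # card balance in RUR


@dataclass
class Inbound:
    sender_msisdn: str           # "From" number as it reaches the bank
    sender_imsi: Optional[str]   # IMSI reported by the operator; None when injected via an SMS gateway (assumption)
    text: str


SEND_RE = re.compile(r"^SEND\s+(\d+)\s+([A-Z0-9]+)(?:\s+(\d{4}))?$")
OTP_TTL = 120  # seconds a code stays valid (assumed value); long lifetimes are the slide 6 "OTP attacks" issue


class SmsBank:
    """Toy SMS-banking back end; `policy` selects the verification level."""

    def __init__(self, accounts, policy, otp_source: Callable[[], str] = None):
        self.accounts = {a.msisdn: a for a in accounts}
        self.policy = policy  # "sender_only" | "last4" | "otp" | "imsi+otp"
        self.otp_source = otp_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self.pending = {}     # msisdn -> (code, amount, dest, issued_at)

    def _sender_ok(self, acct, msg):
        # Only the strongest policy checks the IMSI; a spoofed number via a gateway fails here
        return self.policy != "imsi+otp" or msg.sender_imsi == acct.imsi

    def handle(self, msg: Inbound, now: float = None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.get(msg.sender_msisdn)
        if acct is None:
            return "DENIAL: unknown sender"
        if not self._sender_ok(acct, msg):
            return "DENIAL: sender IMSI is not the one linked to the account"
        m = SEND_RE.match(msg.text.strip())
        if not m:
            return "ERROR: unrecognised command"
        amount, dest, last4 = int(m.group(1)), m.group(2), m.group(3)
        if self.policy == "sender_only":
            return self._execute(acct, amount, dest)
        if self.policy == "last4":
            if last4 is None:
                return "Please specify the last 4 digits of your card to confirm the payment"
            if last4 != acct.card_last4:
                return "DENIAL: card digits do not match"
            return self._execute(acct, amount, dest)
        # "otp" and "imsi+otp": bind a fresh code to this exact transaction, to be sent back as a reply
        code = self.otp_source()
        self.pending[acct.msisdn] = (code, amount, dest, now)
        return f"Confirm the transaction by replying to the message with code {code}."

    def confirm(self, msg: Inbound, now: float = None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.get(msg.sender_msisdn)
        if acct is None or not self._sender_ok(acct, msg):
            return "DENIAL: confirmation from an unverified sender"
        entry = self.pending.pop(acct.msisdn, None)  # one attempt per issued code
        if entry is None:
            return "DENIAL: nothing to confirm"
        code, amount, dest, issued_at = entry
        if now - issued_at > OTP_TTL:
            return "DENIAL: code expired"
        if not hmac.compare_digest(code.encode(), msg.text.strip().encode()):
            return "DENIAL: wrong code"
        return self._execute(acct, amount, dest)

    def _execute(self, acct, amount, dest):
        if amount > acct.balance:
            return "DENIAL: insufficient funds"
        acct.balance -= amount
        return f"RUR {amount:,} have been added to your phone account No. {dest}."


def vasily():
    # Constructed account: Vasily's number, a made-up IMSI, card ending 0890
    return Account(msisdn="89161234567", imsi="250011234567890", card_last4="0890", balance=10_000)


# Constructed messages: the slide 7 command injected through a gateway (no subscriber IMSI) ...
SPOOFED = Inbound("89161234567", None, "SEND 500 89261234567")
# ... and the same command sent from Vasily's own handset
GENUINE = Inbound("89161234567", "250011234567890", "SEND 500 89261234567")


if __name__ == "__main__":
    weak = SmsBank([vasily()], "sender_only")
    print(weak.handle(SPOOFED))           # executes: the bank trusts the From number alone
    strong = SmsBank([vasily()], "imsi+otp", otp_source=lambda: "754387")
    print(strong.handle(SPOOFED))         # DENIAL: IMSI check
    print(strong.handle(GENUINE, now=0))  # asks for code 754387
    print(strong.confirm(Inbound("89161234567", "250011234567890", "754387"), now=30))
```

Two design points worth noting: the code is bound to the one pending transaction and discarded on the first attempt, so a guessed or replayed code cannot be tried repeatedly, and the IMSI check is applied to the confirmation reply as well as to the original command, so a gateway-injected reply cannot complete a transaction that a genuine handset started.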
