Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
1. SMS Banking Fraud
Denis Gorchakov, Olga Kochetova
Positive Research Center
Positive Hack Days III
2. What is SMS banking?
― checking your balance and receiving information about performed transactions
― performing basic operations:
• Prepaid cellphone refill
• Payment for various services: Internet, TV, utility bills
• Funds transfer
• Immediate card blocking if lost
3. A common issue is a card linked to another subscriber's number
4. From: Vasily  To: SMS Bank
SEND 100 89161234567
From: My Bank
RUR 100 have been added to your phone account No. 89161234567.
From: My Bank
Please enter code 974365 to confirm the payment.
From: Vasily  To: SMS Bank
SEND 9999 89161234567
From: My Bank
Please specify the last 4 digits of your card to confirm the payment.
From: Vasily  To: SMS Bank
SEND 9999 89161234567 0890
From: My Bank
RUR 9,999 have been added to your phone account No. 89161234567.
Lack of transaction confirmation, or insecure confirmation
5. Data collection by a malicious user
― Accidental (link to another subscriber's number):
• Minimum harm — viewing financial data of another person
• Maximum harm — managing another person's bank account
http://pravo.ru/news/view/83503/
• Consequences — criminal and administrative liability
― For purpose:
• Wastebaskets next to terminals and ATMs in public places
• Cash register tapes available for shop assistants
• Employees of communications service providers
http://www.securitylab.ru/news/377745.php
6. ― Only a phone number is available:
• A payment to a phone number (own or confirmed)
Banks are already concerned: http://www.finsb.ru/map/novosti/view/?tx_ttnews[tt_news]=1428
• Social engineering
A common scheme: a false payment to another person's number, with an imitated payment message from an operator or payment service
• Pranking
Card blocking
In addition:
― OTP attacks (long expiration period)
― Insecure verification methods (by part of a card number)
Exploitation
7. $$$
Malicious user Semyon, through an SMS gateway:
From: Vasily's number  To: SMS Bank
SEND 500 89261234567
REAL — From: Mobile network operator
Your phone account has been refilled with RUR 500.
REAL — From: SMS Bank
Dear Vasily, 500 rubles have been deducted from your credit card for mobile phone services.
From: Semyon  To: Vasily
Bro, a wrong number! Be a pal, refund this amount to me!
FAKE — From: SMS Bank number (through the SMS gateway)  To: Vasily
Invalid withdrawal from your card has been canceled. The funds will be redeemed to the account in due time.
Social engineering
8. $$$
Malicious user Semyon, through an SMS gateway:
From: Vasily's number  To: SMS Bank
SEND 3000 89261234567
REAL — From: Mobile network operator
Your phone account has been refilled with RUR 3,000.
REAL — From: SMS Bank
Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services.
FAKE — From: "Bank security service" (through the SMS gateway)  To: Vasily
A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900:
CANCEL 79161235476
SMS aggregator → Digital money
Social engineering v.2
9. Malicious user Semyon, through an SMS gateway:
From: Vasily's number  To: SMS Bank
SEND CUTEKITTENS 99999
From: SMS Bank
Dear Vasily, thank you very much! Your donation to the kittens support fund in the amount of 99,999 rubles has been received! Thank you!
… and of course other things can happen, because malicious users are already aware of this; such information is publicly available:
1. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154788
2. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154785
Disorderly conduct
10. Verification
― Without verification (only by sender's number) — easy and convenient, but insecure
― Verification by the last 4 digits of a card — insecure
― OTP verification — better, but some security issues exist
― Good banks — in addition to OTP, IMSI* verification and IMSI linking to the account number
* IMSI means International Mobile Subscriber Identity, assigned to each user of GSM, UMTS or CDMA mobile communications. The subscriber's device transfers the IMSI for identification at the moment of registration in the network. The number is tied to the user's SIM card.
11. Malicious user Semyon, through an SMS gateway:
From: Vasily's number  To: SMS Bank
SEND CUTEKITTENS 99999 0890
I. Sender's IMSI verification (linked to the account) → DENIAL
II. From: SMS Bank
Confirm the transaction by replying to the message with code 754387.
Vasily: WTF? → DENIAL
What is right?
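As an added example (not from the talk or Positive Research Center), a bank-side handler in Python that applies the two checks of slide 11 and avoids the weaknesses listed on slides 4, 6 and 10: the sender's IMSI must match the IMSI linked to the account (a message injected through an SMS gateway spoofs the number but cannot present it), confirmation is a short-lived OTP reply, and the last four card digits are never accepted as confirmation. The command format, the IMSI values and the assumption that the SMS-C hands the sender IMSI to the bank are all constructed for the example.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

# Short validity window: a long OTP expiration period is one of the weaknesses named in the talk.
OTP_TTL_SECONDS = 120

# Assumed command format, modelled on the slides: SEND <amount> <11-digit phone> [<last 4 card digits>]
CMD_RE = re.compile(r"^SEND\s+(\d+)\s+(\d{11})(?:\s+(\d{4}))?$")

@dataclass
class Account:
    msisdn: str   # subscriber number linked to the card
    imsi: str     # IMSI linked to the account (constructed value)
    pending: dict = field(default_factory=dict)  # otp code -> (command, issued_at)

class SmsBank:
    """Bank-side handler: IMSI check first, then OTP; card digits are never a confirmation."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.msisdn: a for a in accounts}
        self.now = now  # injectable clock so expiry can be tested

    def handle(self, sender_msisdn, sender_imsi, text):
        acct = self.accounts.get(sender_msisdn)
        if acct is None:
            return "DENIAL: unknown sender"
        # I. A message injected through an SMS gateway can spoof the sender number
        #    but cannot present the subscriber's IMSI (assumed to be passed in by the SMS-C).
        if not hmac.compare_digest(sender_imsi or "", acct.imsi):
            return "DENIAL: sender IMSI does not match the linked account"
        m = CMD_RE.match(text.strip())
        if m:
            amount, dest, last4 = m.groups()
            if last4:
                return "DENIAL: last 4 card digits are not accepted as confirmation"
            code = f"{secrets.randbelow(10**6):06d}"
            acct.pending[code] = (f"SEND {amount} {dest}", self.now())
            return f"Confirm the transaction by replying to this message with code {code}."
        # II. Any other text is treated as an OTP reply; "WTF?" or an unknown code is a denial.
        entry = acct.pending.pop(text.strip(), None)
        if entry is None:
            return "DENIAL: no pending transaction for this reply"
        command, issued = entry
        if self.now() - issued > OTP_TTL_SECONDS:
            return "DENIAL: confirmation code expired"
        return f"EXECUTED: {command}"
```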
12. Other vectors?
• GSM alarm systems with default passwords
• "Smart" houses — targeted attacks
How can users protect themselves?
• Never disable OTP and notifications about card operations
• Attentiveness and vigilance
• Using a client-bank application for smartphones
13. Thank you for attention!
Denis Gorchakov, Olga Kochetova
dgorchakov@ptsecurity.ru, okochetova@ptsecurity.ru
Positive Research Center