SMS Banking Fraud
Denis Gorchakov, Olga Kochetova
Positive Research Center
Positive Hack Days III
What is SMS banking?
― checking your balance and receiving information about performed transactions
― performing basic operations:
• Prepaid cellphone refill
• Payment for various services: Internet, TV, utility bills
• Funds transfer
• Immediate card blocking if lost
2
A common issue is a card linked to another subscriber's number
3
Lack of transaction confirmation or confirmation insecurity
Vasily → SMS Bank: SEND 100 89161234567
My Bank → Vasily: RUR 100 have been added to your phone account No. 89161234567.
My Bank → Vasily: Please enter code 974365 to confirm the payment
Vasily → SMS Bank: SEND 9999 89161234567
My Bank → Vasily: Please specify the last 4 digits of your card to confirm the payment
Vasily → SMS Bank: SEND 9999 89161234567 0890
My Bank → Vasily: RUR 9,999 have been added to your phone account No. 89161234567.
4
Data collection by a malicious user
― Accidental (a card linked to another subscriber's number):
• Minimum harm — viewing another person's financial data
• Maximum harm — managing another person's bank account
http://pravo.ru/news/view/83503/
• Consequences — criminal and administrative liability
― Deliberate:
• Wastebaskets next to terminals and ATMs in public places
• Cash register tapes available to shop assistants
• Employees of communications service providers
http://www.securitylab.ru/news/377745.php
5
Exploitation
― Only a phone number is available:
• A payment to a phone number (one's own or a confirmed one)
Banks are already concerned: http://www.finsb.ru/map/novosti/view/?tx_ttnews[tt_news]=1428
• Social engineering
A common scheme: a fake payment to another person's number, imitating a payment notification from the operator or a payment service
• Pranking: card blocking
In addition:
― OTP attacks (long expiration period)
― Insecure verification methods (by part of the card number)
6
Social engineering
Semyon (malicious user) → SMS gateway, with Vasily's number as sender → SMS Bank: SEND 500 89261234567
Mobile network operator → Semyon: Your phone account has been refilled with RUR 500. (REAL; the $$$ land on Semyon's phone account)
SMS Bank → Vasily: Dear Vasily, 500 rubles have been deducted from your credit card for mobile phone services. (REAL)
Semyon → Vasily: Bro, a wrong number! Be a pal, refund this amount to me!
Semyon → SMS gateway, with the SMS Bank number as sender → Vasily: Invalid withdrawal from your card has been canceled. The funds will be redeemed to the account in due time. (FAKE)
7
Social engineering v.2
Semyon (malicious user) → SMS gateway, with Vasily's number as sender → SMS Bank: SEND 3000 89261234567
Mobile network operator → Semyon: Your phone account has been refilled with RUR 3,000. (REAL; the $$$ land on Semyon's phone account)
SMS Bank → Vasily: Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services. (REAL)
Semyon → SMS gateway, with "Bank security service" as sender → Vasily: A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900: CANCEL 79161235476 (FAKE)
Figure: the "cancellation command" sent to short number 9900 is routed through an SMS aggregator to digital money ($$$).
8
Disorderly conduct
Semyon (malicious user) → SMS gateway, with Vasily's number as sender → SMS Bank: SEND CUTEKITTENS 99999
SMS Bank → Vasily: Dear Vasily, thank you very much! Your donation to the kittens support fund in the amount of 99,999 rubles has been received! Thank you!
… and other things can happen, because malicious users are already aware of this; such information is publicly available:
1. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154788
2. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154785
9
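The three scenarios above (slides 7 to 9) all rest on the same weakness: an SMS gateway lets the sender choose an arbitrary originating address, whether the bank's own number, a subscriber's number, or a name such as "Bank security service". The following Python example, added here and not part of the presentation, sketches the operator-side SMS firewall rules a defender would apply against exactly that: sender identities tied to the ingress route they are allowed to use, plus one content rule for the "send a command to short number 9900" lure of slide 8. The route names, the registered sender list and the sample messages are constructed for the example and are not captured traffic.

```python
import re
from dataclasses import dataclass

# Constructed policy (assumptions, not from the slides): the bank's registered sender ID
# and the only ingress route on which it may appear.
BANK_SENDER_IDS = {"SMS Bank"}
BANK_ROUTE = "bank-smsc"                            # the bank's own connection to the operator
SPOOFABLE_ROUTES = {"web-gateway", "interconnect"}  # routes where the sender field is caller-chosen

IMPERSONATION = re.compile(r"bank|security service", re.I)
MSISDN = re.compile(r"^\d{11}$")
# "... to security service number 9900: CANCEL 79161235476": an instruction to text an
# upper-case command to a short number, i.e. a paid SMS dressed up as a cancellation.
SHORTCODE_REDIRECT = re.compile(r"\bnumber\s+\d{4,6}\b.*?\b[A-Z]{3,}\s+\d{5,}\b", re.S)


@dataclass(frozen=True)
class Sms:
    sender: str   # displayed sender: subscriber number or alphanumeric ID
    route: str    # where the message entered the operator's network
    text: str


def inspect(sms: Sms) -> list:
    """Return the names of the rules the message trips; an empty list means nothing suspicious."""
    hits = []
    # Rule 1: the bank's own sender ID arriving from anywhere but the bank's connection.
    if sms.sender in BANK_SENDER_IDS and sms.route != BANK_ROUTE:
        hits.append("spoofed-bank-id")
    # Rule 2: an unregistered ID that reads like a bank or its security service.
    if sms.sender not in BANK_SENDER_IDS and IMPERSONATION.search(sms.sender):
        hits.append("impersonated-bank-id")
    # Rule 3: a subscriber number as sender on a route where the sender is caller-chosen.
    if MSISDN.match(sms.sender) and sms.route in SPOOFABLE_ROUTES:
        hits.append("spoofed-subscriber")
    # Rule 4: the body tells the reader to text a command to a short number.
    if SHORTCODE_REDIRECT.search(sms.text):
        hits.append("shortcode-redirect")
    return hits


def verdict(sms: Sms) -> str:
    return "block" if inspect(sms) else "deliver"


# Constructed sample traffic modelled on the slides (not captured data).
SAMPLE_TRAFFIC = [
    Sms("89161234567", "home-smsc", "SEND 100 89161234567"),
    Sms("89161234567", "web-gateway", "SEND 500 89261234567"),
    Sms("Mobile network operator", "home-smsc", "Your phone account has been refilled with RUR 500."),
    Sms("SMS Bank", "bank-smsc", "Dear Vasily, 500 rubles have been deducted from your credit card for mobile phone services."),
    Sms("SMS Bank", "web-gateway", "Invalid withdrawal from your card has been canceled. The funds will be redeemed to the account in due time."),
    Sms("Bank security service", "web-gateway", "A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900: CANCEL 79161235476"),
    Sms("89161234567", "web-gateway", "SEND CUTEKITTENS 99999"),
]


def run_filter(traffic=SAMPLE_TRAFFIC):
    """Map each message to (verdict, rule hits)."""
    return [(verdict(s), inspect(s)) for s in traffic]


if __name__ == "__main__":
    for sms, (v, hits) in zip(SAMPLE_TRAFFIC, run_filter()):
        print(f"{v:7} {sms.sender!r:28} via {sms.route:12} {hits}")
```

Rules 1 and 3 are the ones that matter for the bank: they stop the spoofed SEND before it reaches the bank's short number and stop a spoofed "SMS Bank" reply before it reaches the victim. Rules 2 and 4 are content heuristics and will need tuning against real traffic; they are there to catch the lure when the sender identity alone is not protected.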
Verification
― Without verification (only by sender's number) — easy and convenient, but insecure
― Verification by the last 4 digits of a card — insecure
― OTP verification — better, but some security issues exist
― Good banks — in addition to OTP, IMSI* verification, with the IMSI linked to the account number
* IMSI (International Mobile Subscriber Identity) is the identifier assigned to each subscriber of a GSM, UMTS or CDMA mobile network. The subscriber's device transmits the IMSI for identification when it registers in the network. The number is tied to the subscriber's SIM card.
10
What is right?
Semyon (malicious user) → SMS gateway, with Vasily's number as sender → SMS Bank: SEND CUTEKITTENS 99999 0890
I. Sender's IMSI verification (IMSI linked to the account) → DENIAL
II. SMS Bank → Vasily: Confirm the transaction by replying to the message with code 754387. Vasily: WTF? → DENIAL
11
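The verification ladder of the previous slide, the two DENIAL outcomes above (IMSI check, OTP delivered to the real phone) and the unconfirmed and last-4-digits payments of slide 4 are modelled together in the following Python example. It is added here and is not the presenters' code: the bank backend, Vasily's account, the IMSI value, the fixed code 754387 and the 120-second OTP lifetime are constructed assumptions, as is the premise that the operator reports the originating IMSI of each message to the bank (something a real deployment has to arrange with the carrier).

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

OTP_TTL_SECONDS = 120  # assumed short code lifetime; the slides only note that a long one is a weakness


@dataclass
class Account:
    phone: str   # subscriber number the card is linked to
    imsi: str    # IMSI of the enrolled SIM (assumption: the operator reports the originating IMSI)
    last4: str   # last four digits of the card, as printed on receipts
    balance: int
    pending: dict = field(default_factory=dict)  # OTP code -> (amount, target, issued_at)


@dataclass
class InboundSms:
    sender: str          # sender address as displayed; an SMS gateway lets the sender set this freely
    imsi: Optional[str]  # originating IMSI; None for traffic that entered via a gateway
    text: str
    received_at: float   # seconds


class SmsBank:
    """policy is one rung of the slide's ladder: 'sender', 'last4', 'otp' or 'imsi+otp'."""

    def __init__(self, accounts, policy: str,
                 code_source: Callable[[], str] = lambda: f"{secrets.randbelow(10**6):06d}"):
        self.accounts = {a.phone: a for a in accounts}
        self.policy = policy
        self.code_source = code_source

    def handle(self, sms: InboundSms) -> str:
        acct = self.accounts.get(sms.sender)
        if acct is None:
            return "DENIAL: unknown sender"
        # Top rung: the message must come from the enrolled SIM, not merely carry its number.
        if self.policy == "imsi+otp" and (sms.imsi is None or not hmac.compare_digest(sms.imsi, acct.imsi)):
            return "DENIAL: sender IMSI does not match the account"
        parts = sms.text.split()
        if len(parts) == 1 and parts[0].isdigit() and len(parts[0]) == 6:
            return self._confirm(acct, parts[0], sms.received_at)
        if len(parts) < 3 or parts[0] != "SEND" or not parts[1].isdigit():
            return "DENIAL: unknown command"
        amount, target = int(parts[1]), parts[2]
        if self.policy == "sender":
            return self._execute(acct, amount, target)
        if self.policy == "last4":
            # A static value printed on every receipt: anyone who has seen the card knows it.
            if len(parts) < 4:
                return "Please specify the last 4 digits of your card to confirm the payment"
            if not hmac.compare_digest(parts[3], acct.last4):
                return "DENIAL: card digits do not match"
            return self._execute(acct, amount, target)
        # 'otp' and 'imsi+otp': park the command; it runs only when a fresh code comes back.
        code = self.code_source()
        acct.pending[code] = (amount, target, sms.received_at)
        return f"Please enter code {code} to confirm the payment"

    def _confirm(self, acct: Account, code: str, now: float) -> str:
        entry = acct.pending.pop(code, None)
        if entry is None:
            return "DENIAL: no pending payment for this code"
        amount, target, issued_at = entry
        if now - issued_at > OTP_TTL_SECONDS:
            return "DENIAL: confirmation code expired"
        return self._execute(acct, amount, target)

    def _execute(self, acct: Account, amount: int, target: str) -> str:
        if amount > acct.balance:
            return "DENIAL: insufficient funds"
        acct.balance -= amount
        return f"RUR {amount:,} have been added to your phone account No. {target}."


def demo() -> dict:
    """Replay the spoofed-sender SEND from the slides against each policy rung.
    Vasily's account, the IMSI and the fixed code are constructed sample data."""
    def vasily():
        return Account("89161234567", "250011234567890", "0890", 20000)

    def spoofed(text, t=0.0):  # gateway traffic: Vasily's number as sender, no IMSI
        return InboundSms("89161234567", None, text, t)

    results = {}
    for policy in ("sender", "last4", "otp", "imsi+otp"):
        bank = SmsBank([vasily()], policy, lambda: "754387")
        results[policy] = bank.handle(spoofed("SEND 500 89261234567"))
    bank = SmsBank([vasily()], "last4")
    results["last4+receipt"] = bank.handle(spoofed("SEND 500 89261234567 0890"))
    bank = SmsBank([vasily()], "otp", lambda: "754387")
    bank.handle(spoofed("SEND 500 89261234567", 0.0))
    # Only Vasily's real phone receives the code; a stale code fails, a fresh one confirms.
    results["otp-stale"] = bank.handle(InboundSms("89161234567", "250011234567890", "754387", 3600.0))
    bank.handle(spoofed("SEND 500 89261234567", 0.0))
    results["otp-fresh"] = bank.handle(InboundSms("89161234567", "250011234567890", "754387", 60.0))
    return results


if __name__ == "__main__":
    for rung, outcome in demo().items():
        print(f"{rung:14} {outcome}")
```

Reading the output of demo() top to bottom gives the slide's argument in code: the sender-only rung pays out on a spoofed message, the last-4 rung pays out as soon as a receipt supplies the digits, the OTP rung parks the payment but still alerts the real subscriber with an unexpected code, and only the IMSI rung refuses before anything is parked. The short TTL in _confirm is what closes the "long expiration period" issue the slides list under OTP attacks.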
Other vectors?
• GSM alarm systems with default passwords
• “Smart” homes — targeted attacks
How can users protect themselves?
• Never disable OTP and notifications about card operations
• Attentiveness and vigilance
• Using a client-bank application for smartphones
12
Thank you for your attention!
Denis Gorchakov, Olga Kochetova
dgorchakov@ptsecurity.ru, okochetova@ptsecurity.ru
Positive Research Center

More Related Content

What's hot

Criteria computer loan (1)
Criteria   computer loan (1)Criteria   computer loan (1)
Criteria computer loan (1)laricecampbell
 
Common driving offences and their punishments
Common driving offences and their punishmentsCommon driving offences and their punishments
Common driving offences and their punishmentsvendelajar
 
Gujrat HC on custodial torture.pdf
Gujrat HC on custodial torture.pdfGujrat HC on custodial torture.pdf
Gujrat HC on custodial torture.pdfsabrangsabrang
 
Telangana hc order june 17 police brutality covid
Telangana hc order june 17 police brutality covidTelangana hc order june 17 police brutality covid
Telangana hc order june 17 police brutality covidsabrangsabrang
 
Monkeetech Security Swipe System©
Monkeetech Security Swipe System©Monkeetech Security Swipe System©
Monkeetech Security Swipe System©MonkeeTech LLC
 

What's hot (12)

Criteria computer loan (1)
Criteria   computer loan (1)Criteria   computer loan (1)
Criteria computer loan (1)
 
Sms booking 139
Sms booking 139Sms booking 139
Sms booking 139
 
Internet gambling in serbia
Internet gambling in serbiaInternet gambling in serbia
Internet gambling in serbia
 
Common driving offences and their punishments
Common driving offences and their punishmentsCommon driving offences and their punishments
Common driving offences and their punishments
 
Gujrat HC on custodial torture.pdf
Gujrat HC on custodial torture.pdfGujrat HC on custodial torture.pdf
Gujrat HC on custodial torture.pdf
 
Denuncia contra Miguel Roure
Denuncia contra Miguel Roure Denuncia contra Miguel Roure
Denuncia contra Miguel Roure
 
Monopod
MonopodMonopod
Monopod
 
Telangana hc order june 17 police brutality covid
Telangana hc order june 17 police brutality covidTelangana hc order june 17 police brutality covid
Telangana hc order june 17 police brutality covid
 
Monkeetech Security Swipe System©
Monkeetech Security Swipe System©Monkeetech Security Swipe System©
Monkeetech Security Swipe System©
 
Picture6
Picture6Picture6
Picture6
 
Weekly news
Weekly news Weekly news
Weekly news
 
Cyber crimes
Cyber crimes Cyber crimes
Cyber crimes
 

Viewers also liked

5 Ways to Win over Wholesale SMS Fraud
5 Ways to Win over Wholesale SMS Fraud 5 Ways to Win over Wholesale SMS Fraud
5 Ways to Win over Wholesale SMS Fraud Claire Cassar
 
Dragon Lady
Dragon LadyDragon Lady
Dragon LadyLookout
 
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиРositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиDenis Gorchakov
 
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Dinidu Weeraratne
 

Viewers also liked (8)

5 Ways to Win over Wholesale SMS Fraud
5 Ways to Win over Wholesale SMS Fraud 5 Ways to Win over Wholesale SMS Fraud
5 Ways to Win over Wholesale SMS Fraud
 
Dragon Lady
Dragon LadyDragon Lady
Dragon Lady
 
Mctel sms firewall
Mctel sms firewallMctel sms firewall
Mctel sms firewall
 
Hurtado diaz doraliza
Hurtado diaz doralizaHurtado diaz doraliza
Hurtado diaz doraliza
 
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиРositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
 
Banking Fraud Evolution
Banking Fraud EvolutionBanking Fraud Evolution
Banking Fraud Evolution
 
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
 
Fraud principles1
Fraud principles1Fraud principles1
Fraud principles1
 

Similar to Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.

Id Theft
Id TheftId Theft
Id Theftmojo_5
 
Fraud seminar for charities
Fraud seminar for charitiesFraud seminar for charities
Fraud seminar for charitiesBlake Morgan LLP
 
Economic and social council
Economic and social councilEconomic and social council
Economic and social councilvalkica
 
AndranikKarapetyanSlides.ppt
AndranikKarapetyanSlides.pptAndranikKarapetyanSlides.ppt
AndranikKarapetyanSlides.pptHilsonyusuf
 
eCommerce Summit Atlanta Moneybookers Presentation
eCommerce Summit Atlanta Moneybookers PresentationeCommerce Summit Atlanta Moneybookers Presentation
eCommerce Summit Atlanta Moneybookers PresentationeCommerce Merchants
 
Bank frauds vk (2)
Bank frauds vk (2)Bank frauds vk (2)
Bank frauds vk (2)Prashant raj
 
August 05 2018 Digital Payments and Security
August 05 2018 Digital Payments and SecurityAugust 05 2018 Digital Payments and Security
August 05 2018 Digital Payments and SecurityVicky Shah
 
Atm Service in bangladesh
Atm Service in bangladeshAtm Service in bangladesh
Atm Service in bangladeshSultan Mahmood
 
Credit cards ppt
Credit cards pptCredit cards ppt
Credit cards pptsukhpal0015
 

Similar to Denis Gorchakov, Olga Kochetova. SMS Banking Fraud. (20)

SMS banking fraud
SMS banking fraudSMS banking fraud
SMS banking fraud
 
Fraud in USSD
Fraud in USSD Fraud in USSD
Fraud in USSD
 
Bank frauds
Bank fraudsBank frauds
Bank frauds
 
Credit card frauds
Credit card frauds Credit card frauds
Credit card frauds
 
Credit card ppt
Credit card pptCredit card ppt
Credit card ppt
 
credit card theft
credit card theftcredit card theft
credit card theft
 
Id Theft
Id TheftId Theft
Id Theft
 
Fraud seminar for charities
Fraud seminar for charitiesFraud seminar for charities
Fraud seminar for charities
 
Economic and social council
Economic and social councilEconomic and social council
Economic and social council
 
AndranikKarapetyanSlides.ppt
AndranikKarapetyanSlides.pptAndranikKarapetyanSlides.ppt
AndranikKarapetyanSlides.ppt
 
Account Kit and Internet Banking
Account Kit and Internet BankingAccount Kit and Internet Banking
Account Kit and Internet Banking
 
Credit card fraud(1)
Credit card fraud(1)Credit card fraud(1)
Credit card fraud(1)
 
eCommerce Summit Atlanta Moneybookers Presentation
eCommerce Summit Atlanta Moneybookers PresentationeCommerce Summit Atlanta Moneybookers Presentation
eCommerce Summit Atlanta Moneybookers Presentation
 
Credit Card Fraud
Credit Card FraudCredit Card Fraud
Credit Card Fraud
 
Bank frauds
Bank fraudsBank frauds
Bank frauds
 
Bank frauds vk (2)
Bank frauds vk (2)Bank frauds vk (2)
Bank frauds vk (2)
 
August 05 2018 Digital Payments and Security
August 05 2018 Digital Payments and SecurityAugust 05 2018 Digital Payments and Security
August 05 2018 Digital Payments and Security
 
All What You Need To Know About Merchant Account
All What You Need To Know About Merchant AccountAll What You Need To Know About Merchant Account
All What You Need To Know About Merchant Account
 
Atm Service in bangladesh
Atm Service in bangladeshAtm Service in bangladesh
Atm Service in bangladesh
 
Credit cards ppt
Credit cards pptCredit cards ppt
Credit cards ppt
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.

  • 1. SMS Banking Fraud Denis Gorchakov, Olga Kochetova Positive Research Center Positive Hack Days III
  • 2. What is SMS banking? ― checking your balance and receiving information about performed transactions ― performing basic operations: • Prepaid cellphone refill • Payment for various services: Internet, TV, utility bills • Funds transfer • Immediate card blocking if lost 2
  • 3. A common issue is a card linked to another subscriber's number 3
4. Lack of transaction confirmation, or insecure confirmation
No confirmation at all: the command is executed as soon as it arrives from the linked number.
From: Vasily   To: SMS Bank
SEND 100 89161234567
From: My Bank
RUR 100 have been added to your phone account No. 89161234567.
OTP confirmation:
From: My Bank
Please enter code 974365 to confirm the payment
Confirmation by the last 4 digits of the card:
From: Vasily   To: SMS Bank
SEND 9999 89161234567
From: My Bank
Please specify the last 4 digits of your card to confirm the payment
From: Vasily   To: SMS Bank
SEND 9999 89161234567 0890
From: My Bank
RUR 9,999 have been added to your phone account No. 89161234567.
5. Data collection by a malicious user
― Accidental (a card linked to another subscriber's number):
• Minimum harm: viewing another person's financial data
• Maximum harm: managing another person's bank account
http://pravo.ru/news/view/83503/
• Consequences: criminal and administrative liability
― Deliberate:
• Wastebaskets next to terminals and ATMs in public places (discarded receipts)
• Cash register tapes available to shop assistants
• Employees of communications service providers
http://www.securitylab.ru/news/377745.php
6. Exploitation
― Only a phone number is available:
• A payment to a phone number (own or confirmed)
Banks are already worried: http://www.finsb.ru/map/novosti/view/?tx_ttnews[tt_news]=1428
• Social engineering
A common scheme: a false payment to another person's number, with an imitated payment message from an operator or payment service
• Pranks: card blocking
In addition:
― OTP attacks (long expiration period)
― Insecure verification methods (by part of the card number)
7. Social engineering
Malicious user Semyon sends a command through an SMS gateway with Vasily's number forged as the sender:
From: Vasily's number   To: SMS Bank
SEND 500 89261234567
REAL. From: Mobile network operator   To: Semyon
Your phone account has been refilled with RUR 500.
REAL. From: SMS Bank   To: Vasily
Dear Vasily, 500 rubles have been deducted from your credit card for mobile phone services.
From: Semyon   To: Vasily
Bro, a wrong number! Be a pal, refund this amount to me!
FAKE (sent through the SMS gateway with the SMS Bank number forged as the sender). From: SMS Bank number   To: Vasily
Invalid withdrawal from your card has been canceled. The funds will be returned to the account in due time.
8. Social engineering v.2
From: Vasily's number (forged by Semyon through an SMS gateway)   To: SMS Bank
SEND 3000 89261234567
REAL. From: Mobile network operator   To: Semyon
Your phone account has been refilled with RUR 3,000.
REAL. From: SMS Bank   To: Vasily
Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services.
FAKE (sent through the SMS gateway). From: Bank security service   To: Vasily
A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900: CANCEL 79161235476
Number 9900 is not the bank's: it belongs to a digital money SMS aggregator, so the "cancellation command" is a payment instruction processed by that aggregator.
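A check a client-bank application could run on incoming messages, as an added example that is not code from the authors or from any bank: it flags bank-themed text arriving from a sender that is not the bank's registered short code, and any instruction to send a command to a number other than the bank's. The short code 9000, the inbox contents and the regular expressions are assumptions constructed for the demo.

```python
# Added example (not the authors' code): client-side screening of inbound SMS for the
# command-relay lure on this slide. The bank's short code, the sample inbox and the
# patterns are assumptions constructed for the demo.
import re

BANK_NUMBERS = {"9000"}   # assumed: the only short code the bank uses for SMS banking

BANK_THEMED = re.compile(r"\b(bank|card|transaction|security service)\b", re.I)
# "... please send the cancellation command to security service number 9900: CANCEL 7916..."
RELAY = re.compile(r"\b(?i:send|text|reply)\b.*?\b(?i:number)\s+(\d{3,6})\s*:?\s*([A-Z]{3,}[^.]*)", re.S)


def assess(sender, text):
    """Return the reasons an inbound SMS looks like a command-relay lure (empty list = nothing found)."""
    reasons = []
    # Bank notifications come from the bank's own number; an alphanumeric "Bank security service"
    # sender that merely talks about cards and transactions is not the bank.
    if BANK_THEMED.search(text) and sender not in BANK_NUMBERS:
        reasons.append(f"bank-themed text from unregistered sender {sender!r}")
    # Any message telling the user to send a command somewhere other than the bank's short code
    # is relaying the user's own SMS to a third party (here a digital money aggregator).
    m = RELAY.search(text)
    if m and m.group(1) not in BANK_NUMBERS:
        reasons.append(f"asks you to send {m.group(2).strip()!r} to {m.group(1)}, which is not the bank")
    return reasons


# Constructed inbox: (sender as displayed on the phone, text)
INBOX = [
    ("9000", "Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services."),
    ("Bank security service", "A wrong transaction with your card has been registered. For immediate "
     "cancellation, please send the cancellation command to security service number 9900: CANCEL 79161235476"),
    ("89261234567", "Bro, a wrong number! Be a pal, refund this amount to me!"),
]


def scan(inbox=INBOX):
    """Screen every message; returns {sender: [reasons]}."""
    return {sender: assess(sender, text) for sender, text in inbox}


if __name__ == "__main__":
    for sender, reasons in scan().items():
        print(sender, "->", reasons or "ok")
```

The real deduction notice from 9000 passes both rules, the "security service" message trips both, and the plain "wrong number" plea trips neither, which is exactly why the scheme on slide 7 relies on the forged bank notification rather than on this message alone.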
9. Mischief
From: Vasily's number (forged through an SMS gateway)   To: SMS Bank
SEND CUTEKITTENS 99999
From: SMS Bank   To: Vasily
Dear Vasily, thank you very much! Your donation to the kittens support fund in the amount of 99,999 rubles has been received! Thank you!
… and other things can happen, because malicious users already know about this; the information is publicly available:
1. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154788
2. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154785
10. Verification
― Without verification (by sender's number only): easy and convenient, but insecure
― Verification by the last 4 digits of the card: insecure
― OTP verification: better, but some security issues remain
― Good banks: in addition to OTP, IMSI* verification, with the IMSI linked to the account number
* IMSI (International Mobile Subscriber Identity) is the identity assigned to each subscriber of a GSM, UMTS or CDMA mobile network. The subscriber's device transmits the IMSI for identification when registering in the network. The number is tied to the subscriber's SIM card.
11. Sender's IMSI verification (linked to the account)
I. From: Vasily's number (forged by Semyon through an SMS gateway)   To: SMS Bank
SEND CUTEKITTENS 99999 0890
DENIED: the IMSI of the sending SIM does not match the one linked to the account.
II. From: SMS Bank   To: Vasily
Confirm the transaction by replying to the message with code 754387.
DENIED.
WTF? What is right?
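The verification levels of slides 10 and 11, the unconfirmed and last-4-digits flows of slide 4, the forged-sender attack of slide 7 and the long-lived OTP of slide 6 can all be exercised against one small command handler. The block below is an added example written for this page, not the authors' code or any bank's implementation: the SEND grammar is taken from the slides, while the account record, the IMSI values, the 60-second versus 24-hour OTP lifetimes and the way the gateway-forged message is modelled (sender number set to Vasily's, no subscriber IMSI reported) are assumptions.

```python
# Added example, not the authors' code: a toy SMS-banking command handler whose verification
# can be switched between the levels on slide 10, exercised with the forged-sender attack of
# slide 7 and a stale-OTP replay (slide 6). Account data, IMSI values and gateway behaviour are assumptions.
import re
import secrets
from dataclasses import dataclass, field

CMD_SEND = re.compile(r"^SEND\s+(\d+)\s+(\d{11})(?:\s+(\d{4}))?$")  # SEND <amount> <phone> [<card last 4>]
CMD_OTP = re.compile(r"^\d{6}$")                                      # bare code = reply to an OTP prompt

@dataclass
class Account:
    msisdn: str       # phone number the card is linked to
    imsi: str         # SIM identity recorded when the number was linked
    card_last4: str   # printed on every receipt, so effectively public
    balance: int

@dataclass
class InboundSms:
    sender: str           # sender number as presented to the bank: forgeable through an SMS gateway
    imsi: "str | None"    # subscriber identity reported by the operator, never taken from the text
    text: str
    received_at: int = 0  # seconds

@dataclass
class SmsBank:
    require_last4: bool = False
    require_otp: bool = False
    bind_imsi: bool = False
    otp_ttl: int = 60                                # seconds an OTP stays valid
    accounts: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)      # msisdn -> (otp, amount, dest, issued_at)
    outbox: list = field(default_factory=list)       # (to, text) delivered to the linked number

    def handle(self, sms):
        acct = self.accounts.get(sms.sender)
        if acct is None:
            return "DENIED: sender not linked to any account"
        # A gateway can forge the sender number; the IMSI comes from the SIM that really sent the message.
        if self.bind_imsi and sms.imsi != acct.imsi:
            return "DENIED: IMSI does not match the linked SIM"
        if CMD_OTP.match(sms.text):
            return self._confirm(acct, sms.text, sms.received_at)
        if not (m := CMD_SEND.match(sms.text)):
            return "DENIED: unknown command"
        amount, dest, last4 = int(m.group(1)), m.group(2), m.group(3)
        if self.require_last4 and last4 != acct.card_last4:
            return "Please specify the last 4 digits of your card to confirm the payment"
        if self.require_otp:
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[acct.msisdn] = (otp, amount, dest, sms.received_at)
            self.outbox.append((acct.msisdn, f"Please enter code {otp} to confirm the payment"))
            return "OTP sent to the linked number"
        return self._pay(acct, amount, dest)

    def _confirm(self, acct, code, now):
        entry = self.pending.pop(acct.msisdn, None)
        if entry is None:
            return "DENIED: no pending payment"
        otp, amount, dest, issued_at = entry
        if now - issued_at > self.otp_ttl:
            return "DENIED: code expired"
        if not secrets.compare_digest(otp, code):
            return "DENIED: wrong code"
        return self._pay(acct, amount, dest)

    def _pay(self, acct, amount, dest):
        acct.balance -= amount
        self.outbox.append((acct.msisdn, f"RUR {amount} have been added to your phone account No. {dest}."))
        return f"OK: RUR {amount} sent to {dest}"

# Constructed data: Vasily's linked account; Semyon attacks through an SMS gateway.
VASILY = dict(msisdn="89161234567", imsi="250011234567890", card_last4="0890", balance=10000)

def new_bank(**flags):
    return SmsBank(accounts={VASILY["msisdn"]: Account(**VASILY)}, **flags)

def forged(text, at=0):
    # Gateway puts Vasily's number in the sender field, but nothing left Vasily's SIM: no matching IMSI.
    return InboundSms(sender=VASILY["msisdn"], imsi=None, text=text, received_at=at)

def run_attacks():
    """Send the forged command to a bank at each verification level; return the bank's replies."""
    r = {}
    bank = new_bank()                                               # slide 7: sender number only
    r["sender_only"] = bank.handle(forged("SEND 500 89261234567"))
    r["sender_only_balance"] = bank.accounts[VASILY["msisdn"]].balance
    bank = new_bank(require_last4=True)                             # slide 10: last 4 digits, read off a receipt
    r["last4"] = bank.handle(forged("SEND 9999 89261234567 0890"))
    bank = new_bank(require_last4=True, bind_imsi=True)             # slide 11: IMSI bound to the account
    r["imsi"] = bank.handle(forged("SEND 9999 89261234567 0890"))
    for ttl in (60, 24 * 3600):                                     # slide 6: OTP expiration period
        bank = new_bank(require_otp=True, otp_ttl=ttl)
        bank.handle(InboundSms(VASILY["msisdn"], VASILY["imsi"], "SEND 3000 89261234567"))  # Vasily's own request
        otp = bank.outbox[-1][1].split()[3]                         # code leaked to the attacker (e.g. by an insider)
        r[f"otp_ttl_{ttl}"] = bank.handle(forged(otp, at=2 * 3600))  # replayed two hours later
    return r
```

Running `run_attacks()` shows the forged command paying out under sender-number and last-4-digits verification, being refused by the IMSI check before the command is even parsed, and a leaked OTP still working two hours later when the lifetime is a day but not when it is a minute. The IMSI check is placed first on purpose: it costs nothing to a genuine subscriber and removes the whole class of gateway-forged commands regardless of what the command says.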
12. Other vectors?
• GSM alarm systems with default passwords
• "Smart" houses: targeted attacks
How can users protect themselves?
• Never disable OTP and notifications about card operations
• Attentiveness and vigilance
• Using a client-bank application for smartphones
13. Thank you for your attention!
Denis Gorchakov, Olga Kochetova
dgorchakov@ptsecurity.ru, okochetova@ptsecurity.ru
Positive Research Center