Security giant Symantec has detailed an emerging new threat capable of stealing user financial information protected by two-factor authentication (2FA) systems.
In a typical 2FA system, the second factor is normally a one-time passcode (OTP) sent to the user's registered mobile number through SMS. The new Android.Bankosy malware goes one step further and is able to intercept information from 2FA systems that use voice calls.
A thinning smokescreen?
Now that OTP smokescreen techniques have been around for awhile, some financial organisations including banks have started delivering OTP through voice calls instead of ‘text message' SMS. Unfortunately, malware initiators have already concocted methods to hack into this layer of protection.
Symantec explains that once the malware is installed on the victim's device, it opens a backdoor, collects a list of system-specific information and sends it to the command and control (C&C) server to register and get a unique identifier for the infected device.
“If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands,” writes Symantec's Dinesh Venkatesan
Although the majority of the commands supported by this malware are ‘common and trivial' such as intercepting or deleting SMSs and wiping data, the most malevolent action among the Android.Bankosy arsenal is a call forwarding payload. This action locks the user's device and enables silent mode, so that the victim is not alerted during an incoming call.
How to victimise the victim
Venkatesan details the hack process: “Once the unconditional call forwarding is set on the victim's device, the attacker who has already stolen the victim's credentials (the first factor in two-factor authentication and authorisation) can then initiate a transaction. As part of the design, when the system demands the victim to enter the second factor (ie, the authorisation token sent through a voice call), the attacker will get the call through call forwarding and enter the second factor as well to complete the transaction.”
In terms of mitigating against this attack, Symantec joins other firms in advising that users keep operating system software up to date, only download applications from reputable trusted sources and pay close attention to the permissions requested by an app.
An internecine war
Clive Longbottom, co-founder and service director at technology analyst house Quocirca, told SCMagazineUK.com: “In the internecine war between commercial organisations and organised crime, it will always be difficult for the organisation to keep up – never mind to try and be one step ahead.”
Longbottom asserts that as further levels of security are brought to market and then broken, it becomes harder to see where organisations can go next. He asks – will we see three and four factor authentication? But he warns, within the financial sector, it is not really that type of security we see as the problem.
“It staggers me that in today's transactional world, it seems impossible for the full path of financial transfers to be traced. Banks need to step up to the plate and ensure that cash transfers can be traced – and those banks that are opaque, allowing such transactions to ‘disappear', should be removed from the global cash transfer markets. For other transactional organisations, it is unfortunately just a case of making it as hard for the criminal as possible,” concluded Longbottom.
Fundamental lack of functional control
Also speaking to SC to analyse this story, Robert Capps, vice president of business development at NuData Security, said he doesn't think we should be shocked that a miscreant has found a way to intercept information on a mobile device.
“The issues uncovered with the Android.Bankosy malware illustrate a fundamental lack of appropriate security, functional controls and positive user consent to manage such fundamental and sensitive changes to a mobile device's function. Unfortunately, such risks are not contained solely to the Android ecosystem,” he said.
Capps says that what is shocking is that so many organisations are repeating their earlier authentication mistakes by deploying new physical biometric-based single-point authenticators, such as voice, iris and fingerprints, to solve their security challenges.
“While the use of these physical biometric factors have been a boon for physical security, the recent attacks on the Android platform show that many such factors quickly lose effectiveness on their own when a user is not physically present for authentication. To provide effective security using physical biometric authenticators, one must pair them with a comprehensive interpretation of real-time signals to evaluate risk, along with a deeper understanding of the actual user behind the keyboard using behavioural analytics,” he argues.
As Capps points out, attacks on physical authenticators prove that as soon as you enact an effective barrier to fraudsters, they will look for ways to circumvent them.
If our barriers are not resilient with a single method authentication, we may end up making the resulting situation worse than what we started with.