The issue of Phishing and Online Banking is one that has been discussed a lot in recent times. Banks in South Africa have been especially plagued by it; every once in a while I hear from friends and family that they received strange email messages instructing them to fill in their internet banking credentials. As far as I can I have evangelized the anti-Phishing gospel, and have had success: my mother recently received an email message instructing her to change her Online Banking credentials, and lucky for her I had been brainwashing her to just ignore any email which asks for any information with regards to Online Banking! She took a printed copy of the email to her bank branch, and at enquiries the person told her: “The bank sometimes sends out emails like that and she didn’t have to worry about it.” I was shocked beyond belief when I heard this; how could an employee of the bank who works at enquiries not know that this was a scam? Are the bank’s people not educated in the matters at hand!!
A slew of new and much improved attacks!
Recently many more reports of Phishing scams have surfaced, all targeting the major banks in South Africa. It also seems that the attackers are getting more and more geared up for the process. The first Phishing scam mail I saw was very suspect: bad language and grammar, and just plain text or some very poor attempt at HTML forms, all too Nigerian-scam looking. But the newest onslaught is a very different one; it looks like an official communication from the bank! Now this means one of two things: either some guy stole Absa’s CSS and designs from previous mails or from the website itself, or some really talented guys are pulling off these heists. The honest developer in me wants to believe it is the first option, but some part of me is starting to believe that it may just be the second!
A true story?!
One of my mother’s very good friends and colleagues was a victim of one of the latest attacks. She receives a lot of mail from her bank about general matters regarding her finances and so on, so given that, the fact that the message was so authentic looking, and the fact that she uses online banking almost daily, she was fooled into filling in her details almost automatically! She received the all too familiar SMS notifications and then realized what she had done. She immediately phoned the support number as provided in the SMS, but she could not get anyone on the other end! The bottom line: she lost R2000; luckily she had a daily limit!
Three worrisome facts arise from this:
- The number she dialed had no response! She held for almost half an hour, and nothing. No, OK, this could just be the volume of calls etc., but it is a factor!
- The employees of the banks are not sufficiently educated on the dangers and threats regarding Online Banking scams!
- How do they do it? How did they manage to transfer R2000 from the account even if they did have the login details? Is the one time pin then useless?!?
The bank needs to rethink its security measures!
The one time pin (OTA) is effectively useless!
Yes, it provides some type of security in the form of authentication, but it is not sufficient! The only way I have come to think someone can transfer funds out of an account without my credentials and cellphone is that they had all of this! The newest way to scam is actually not a simple matter, but a very well-planned system.
The process I would use:
- Trick the person into supplying you with the login credentials. This is the process of designing a branded email message in the same tone and style as all official bank communications. The way to do this is to study current communications from the bank and copy its style, style as in writing style and look and feel. For added potency make it have the same kind of feel as the website login page, to trigger the automatic password typer! Obviously identifying the victims is also a part; the easiest way to do this is to choose some well known domain or institution, for example @mweb.co.za or @transnet.co.za, and have a dictionary and choose random name and surname combinations or both, or harvest a mailing list; most companies have a staff@XXX email address or the like! I have been able to identify hundreds of email addresses just by looking at email messages with text like “…send this to 10 friends or you will die”, the chain email type of messages. This is one of the reasons I never reply to those! Hint for all of you!
- Now for the hard part! You have the credentials, but at some stage you will have to supply the OTA? You don’t have the victim’s cellphone, or do you? In the email it could just request the cellphone number used for the OTA. Then, armed with personal information, you go to the cellphone service provider and request a SIM swap, telling them a sad story of how everything was stolen! You could also easily have some official police documents strengthening your claim; that is why foreign governments are no longer accepting documents verified and authenticated at the South African Police Service! And they want to take away the Scorpions! But that’s another story! Now you have the SIM card of the victim’s phone and also the login credentials. Now you have full control! Transfer to some network of accounts set up earlier and you are stealing money without too much effort. FICA, the Financial Intelligence Centre Act, is also a measure introduced to protect people, but it too can be circumvented.
That is how I would do it, and it is most likely the way most scam outfits are operating!
Who is to blame?
There are a number of factors which are involved here.
Let’s name the role players:
- YOU, yes you, as a user of Online Banking; unfortunately it all starts with you. I have never, “touch wood”, been a victim of Online Banking scams, because I am knowledgeable in the field of I.T. and computer security, if I do say so myself. You need to develop a gut feel for what is suspect and what is not; this holds true in all walks of life! Be in the know! Or simply put, don’t do anything with an email message that asks you for sensitive information. Think about it: the bank will never ask you for information they already have, and they will never ask you for your login credentials at that!
- The bank. Yes, the banks hold some responsibility too! It is a service they are providing to their customers and as such they should take every measure to protect it. They are constantly giving information about the risks involved in using Online Banking and all the scams, so on the informing-the-user part they are doing a good job, but, and this is a big obese but, I feel that the entire methodology that is Online Banking needs to change, or at least in terms of the security model it uses. Simply put, it doesn’t work!! Think out of the box here! Back to the old drawing board; how many people being victims is it gonna take before this happens!? I am in the process of rethinking this and will post later on what I have come up with.
- An unexpected player enters the field: the cellphone service providers. The risk and also the blame have been shifted from the banks to the cellphone companies! Because the banks make use of SMS messaging, it becomes an external factor in the security model! The cellphone service providers have to enforce strict controls to prevent people from doing a SIM swap easily! This is unfortunately due to the fact that it is a vulnerability in the security model! This is the problem of having external factors in a security model: it is out of your control and as such can create holes in security faster than an Electronic Funds Transfer.
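As an added illustration of the “gut feel” point above (example code written for this post, not code from any bank or from this blog), here is a small Python triage script that scores an email on the very indicators the post names: a sender or link domain that is not the bank’s, a request to enter or confirm details the bank already holds, urgency language, and a form embedded in the mail itself. The bank domain (“examplebank.co.za”), the phrase lists, the threshold and both sample messages are constructed placeholders; note that a warning such as “never share your PIN” is deliberately not counted as a request, so the legitimate sample scores zero.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the bank's real mail/web domain. "examplebank.co.za" is a
# placeholder for this example, not any real bank's domain.
TRUSTED_DOMAINS = {"examplebank.co.za"}

# Data the bank already holds and therefore never needs to ask for by email.
CREDENTIAL_PHRASES = ("password", "pin", "one time pin", "login details",
                      "credentials", "account number", "cellphone number", "id number")
# Verbs that turn a mention into a request ("never share your PIN" is not one).
REQUEST_VERBS = ("enter", "provide", "supply", "confirm", "update", "submit",
                 "send", "fill in", "reply with")
# Pressure language that pushes the reader to act before thinking.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "verify your account", "update your details", "confirm your details")

REQUEST_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, REQUEST_VERBS)) + r")\b[^.\n]{0,60}?\b("
    + "|".join(map(re.escape, CREDENTIAL_PHRASES)) + r")\b")
LINK_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def domain_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match or a subdomain of a trusted domain; never a mere substring."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def looks_alike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Reuses the bank's name (e.g. examplebank-secure.co.za) without being the bank."""
    labels = {t.split(".")[0] for t in trusted}
    return any(label in domain for label in labels) and not is_trusted(domain, trusted)

def phrase_hits(text: str, phrases) -> list:
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

def score_email(sender: str, subject: str, body: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    v = Verdict()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not is_trusted(sender_domain, trusted):
        v.add(2, f"sender domain {sender_domain!r} is not the bank's")
    text = f"{subject}\n{body}".lower()
    asked = sorted({m.group(2) for m in REQUEST_RE.finditer(text)})
    if asked:
        v.add(3, "asks for data the bank already has: " + ", ".join(asked))
    urgency = phrase_hits(text, URGENCY_PHRASES)
    if urgency:
        v.add(min(len(urgency), 2), "urgency language: " + ", ".join(urgency))
    if "<form" in text:
        v.add(3, "embeds a form so details are submitted straight from the mail")
    for url in LINK_RE.findall(body):  # the first suspicious link is enough
        dom = domain_of(url)
        if looks_alike(dom, trusted):
            v.add(3, f"link to look-alike domain {dom!r}")
            break
        if not is_trusted(dom, trusted):
            v.add(2, f"link to non-bank domain {dom!r}")
            break
    return v

PHISH_THRESHOLD = 5  # assumed cut-off; tune it against your own mail sample

def is_phishing(sender: str, subject: str, body: str) -> bool:
    return score_email(sender, subject, body).score >= PHISH_THRESHOLD

# Constructed sample messages, not real mail.
PHISH_MAIL = dict(
    sender="security@examplebank-secure.co.za",
    subject="Your Online Banking access will be suspended",
    body="Dear valued client,\n"
         "Due to a security upgrade you must verify your account within 24 hours.\n"
         "Enter your login details and cellphone number here:\n"
         "http://examplebank-secure.co.za/verify\n"
         '<form action="http://examplebank-secure.co.za/verify"> ... </form>')
LEGIT_MAIL = dict(
    sender="notify@examplebank.co.za",
    subject="Payment notification",
    body="A payment of R2000 was made from your account.\n"
         "Never share your PIN or password with anyone. If you did not make this "
         "payment, phone the number on the back of your card.")

if __name__ == "__main__":
    for name, mail in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        v = score_email(**mail)
        print(f"{name}: score={v.score} phishing={v.score >= PHISH_THRESHOLD}")
        for reason in v.reasons:
            print("  -", reason)
```

Running the script prints the score and the list of reasons for each sample; the reasons are the useful part for a reader, since they are exactly the things the post says to look for before typing anything into a mail.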
So it is more of a shared blame than anything else, and finger pointing and blame shifting will continue for a while still, as everybody tries to protect their own interests!
Wow, what a big post. Anyway, I hope this information will help prevent more people from becoming victims of the virus that is Online Banking fraud!