The world is going mobile. Offering banking services via mobile devices, including the ability to make purchases, is increasingly becoming a competitive requirement for financial institutions. According to a 2009 report by analyst firm Informa Telecoms and Media, the number of mobile banking transactions will grow to more than 300 billion by 2013, with an estimated value of $860 billion. Research also estimates that the number of mobile users conducting regular banking on their devices will rise to an astonishing 977 million by 2013.
As user acceptance of mobile banking becomes more mainstream, attacks against this communication channel will increase. Just as PC malware is now widespread, smartphone users will also be susceptible to drive-by downloads and phishing attacks via SMS messages with attachments. Although this type of attack is not yet a reality, it's only a matter of time before it is. In fact, a PC version of the ZeuS Trojan exists today that allows fraudsters to trick users into installing code on their handset that can intercept and forward certain voice calls (i.e., those from a bank) to phone numbers the fraudsters control.
ZeuS is one of the most popular malware programs that specifically targets financial institutions, harvesting sensitive information, including user names and passwords, from their customers in order to commit fraud. This Trojan infects PCs, waits for users to log on to their online banking application and then steals their credentials. The information is sent to a remote server in real time. The Trojan can also create its own HTML content, tricking users into divulging even more personal information, such as their social security number or PIN.
According to our estimates, ZeuS has infected between 0.5% and 1% of all PCs in the western world. As recently as December 2010, a major ZeuS attack left millions of Facebook users susceptible to identity theft.
With banks liable for most consumer fraud losses under Regulation E, the need for new methods to thwart these cyber thefts is urgent. One such initiative is to use mobile devices to authenticate online transactions. In theory, mobile handsets can be used not just to receive SMS messages that authenticate individual transactions, but also to contact customers if there is suspected fraudulent activity on their account.
However, even before its launch, this approach could be defeated.
The Man-in-the-Mobile (MitMo) Attack
Hackers behind the ZeuS Trojan have modified its attack code to stage remote takeovers of smartphones, which in turn allows them to launch a man-in-the-mobile (MitMo) attack. Here's how it is done:
Step 1: ZeuS first infects the user's PC and steals the user's online banking credentials. It then mimics a message from the bank requesting the user to supply their mobile telephone number, make and model to 'set up' the authentication method.
Step 2: The attacker then sends an SMS message to the user's mobile device asking them to download a new digital certificate to complete the process.
Step 3: The user follows the link and downloads the 'digital certificate.'
Step 4: The 'digital certificate' is actually a smartphone applet that creates a backdoor into the handset. When triggered, it instructs the handset not to display a given text message (i.e., the authentication code from the bank) on the phone's screen, but instead to forward it to the hacker's own mobile device or computer across the Internet.
Step 5: The elements necessary to carry out a MitMo attack are now in place. The difference between MitMo and a 'conventional' Man-in-the-Browser (MitB) attack routine is that hackers effectively control the browser session AND the user's smartphone, giving them 'authenticated' access to online banking sessions.
Step 6: The hacker then initiates a banking transaction.
Step 7: The bank sends an SMS to the mobile device linked to that account to authenticate the transaction. However, this SMS is intercepted and forwarded to a device controlled by the attacker.
Step 8: The attacker provides authentication and the bank completes the transaction. The user is completely unaware of what has just taken place until they next check their bank balance or receive a statement.
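The bank's side of the flow above is worth making concrete: in steps 6 to 8 the attacker initiates the transfer and types in the forwarded code, so a correct SMS code by itself says nothing about who is at the keyboard. The following is an added illustration, not code from the original article or from Trusteer, of a bank-side decision function that treats the SMS code as necessary but not sufficient; the extra signals (devices and payees previously seen on the account, typical amount) and the thresholds are hypothetical and the records are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    # Hypothetical per-account history a bank could keep (constructed here).
    known_devices: set = field(default_factory=set)  # browser/device fingerprints seen before
    known_payees: set = field(default_factory=set)   # destination accounts paid before
    typical_amount: float = 0.0                      # e.g. a rolling average of past transfers

@dataclass
class Transfer:
    device: str        # fingerprint of the session submitting the transfer
    payee: str         # destination account
    amount: float
    otp_valid: bool    # did the submitted SMS code match the one the bank sent?

def decide(acct: Account, t: Transfer) -> str:
    """Return 'reject', 'approve' or 'callback' (step-up via another channel).

    The SMS code is still required, but it is never treated as proof on its own,
    because in the MitMo flow the attacker holds the forwarded code.
    """
    if not t.otp_valid:
        return "reject"
    score = 0
    if t.device not in acct.known_devices:
        score += 2      # session from a device never seen on this account
    if t.payee not in acct.known_payees:
        score += 2      # first payment to this destination
    if acct.typical_amount and t.amount > 3 * acct.typical_amount:
        score += 1      # unusually large for this customer
    # Unknown device plus new payee, with a correct code, is exactly the MitMo
    # pattern: confirm through a channel the infected PC and handset do not carry.
    return "callback" if score >= 4 else "approve"

if __name__ == "__main__":
    victim = Account({"fp-home-pc"}, {"payee-rent"}, typical_amount=800.0)
    mitmo = Transfer("fp-attacker", "payee-mule", 2500.0, otp_valid=True)
    print(decide(victim, mitmo))  # callback
```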
Much has been made of the "Walled Garden" approach used by the iPhone and other mobile platforms, which are designed to provide users with only "approved" applications and theoretically stem the threat of mobile attacks. But the "walled" approach is not foolproof. Some users, becoming frustrated with this approach, purposely unlock their devices to install unlicensed applications. Once the device is unlocked, security crumbles, making it just as vulnerable to malicious software as "un-walled" devices. Users are never 100 percent protected from attack, "Walled Garden" or not.
What can be done? As the scenario above illustrates, two-factor authentication doesn't protect against all threats, such as ZeuS MitMo and MitB attacks. These attacks allow cyber criminals to hijack online banking sessions and render many multi-factor and strong authentication measures meaningless. To ensure that criminals aren't able to commandeer the mobile platform before it even has the chance to get off the ground, banks should consider:
1. New methods for securing browser communications with their customers on both PC and mobile handset platforms
2. Providing end-user education on safe online practices
3. Implementing tough authentication standards
Amit Klein is a malware researcher and CTO of secure browsing service provider Trusteer.