Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
1. SMS Banking Fraud
Denis Gorchakov, Olga Kochetova
Positive Research Center
Positive Hack Days III
2. What is SMS banking?
― Checking your balance and receiving notifications about performed transactions
― Performing basic operations:
• Prepaid cellphone refill
• Payment for various services: Internet, TV, utility bills
• Funds transfer
• Immediate card blocking if the card is lost
3. A common issue: a card linked to another subscriber's phone number
4. Lack of transaction confirmation, or insecure confirmation
Without any confirmation:
From: Vasily  To: SMS Bank
SEND 100 89161234567
From: My Bank  To: Vasily
RUR 100 have been added to your phone account No. 89161234567.
With a one-time code:
From: My Bank  To: Vasily
Please enter code 974365 to confirm the payment
With the last 4 digits of the card:
From: Vasily  To: SMS Bank
SEND 9999 89161234567
From: My Bank  To: Vasily
Please specify the last 4 digits of your card to confirm the payment
From: Vasily  To: SMS Bank
SEND 9999 89161234567 0890
From: My Bank  To: Vasily
RUR 9,999 have been added to your phone account No. 89161234567.
5. Data collection by a malicious user
― Accidental (a card linked to another subscriber's number):
• Minimum harm: viewing another person's financial data
• Maximum harm: managing another person's bank account
http://pravo.ru/news/view/83503/
• Consequences: criminal and administrative liability
― Deliberate:
• Wastebaskets next to terminals and ATMs in public places
• Receipt tapes accessible to shop assistants
• Employees of communications service providers
http://www.securitylab.ru/news/377745.php
6. Exploitation
― Only a phone number is available:
• A payment to a phone number (your own, or one that has been confirmed)
Banks are already anxious: http://www.finsb.ru/map/novosti/view/?tx_ttnews[tt_news]=1428
• Social engineering
A common scheme is a false payment to another person's number, in which a payment
notification from an operator or payment service is imitated
• Pranking, e.g. card blocking
In addition:
― OTP attacks (long expiration period)
― Insecure verification methods (by part of the card number)
7. Social engineering
Malicious user Semyon, through an SMS gateway, sends a command with Vasily's number as the sender:
From: Vasily's number  To: SMS Bank
SEND 500 89261234567
REAL  From: Mobile network operator  To: Semyon
Your phone account has been refilled with RUR 500.
REAL  From: SMS Bank  To: Vasily
Dear Vasily, 500 rubles have been deducted from your credit card for mobile phone services.
From: Semyon  To: Vasily
Bro, a wrong number! Be a pal, refund this amount to me!
FAKE (sent through the SMS gateway with the bank's sender number)  From: SMS Bank number  To: Vasily
Invalid withdrawal from your card has been canceled. The funds will be redeemed to the account in due time.
8. Social engineering v.2
Semyon again injects a command through an SMS gateway with Vasily's number as the sender:
From: Vasily's number  To: SMS Bank
SEND 3000 89261234567
REAL  From: Mobile network operator  To: Semyon
Your phone account has been refilled with RUR 3,000.
REAL  From: SMS Bank  To: Vasily
Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services.
FAKE (sent through the SMS gateway)  From: Bank security service  To: Vasily
A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900: CANCEL 79161235476
The number 9900 is an SMS aggregator's short code rather than the bank's, and the "cancellation command" sent to it is a digital-money payment order, so Vasily pays Semyon a second time.
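The lures in the two slides above both ask the victim to act on a claim the bank never made. The following is an added example, not code from the PHDays III slides: a client-side screen of the kind a banking app could run over incoming SMS before the user acts on it. The message texts are reconstructed from slides 7 and 8; the bank's sender IDs, its short code and the transaction log are assumptions made for the example.

```python
"""Added example, not code from the PHDays III slides: client-side screening
of incoming SMS against the lures of slides 7 and 8. Message texts come from
the slides; the bank's sender IDs, short code and transaction log are assumed."""
import re

BANK_SENDERS = {"SMS Bank"}      # assumed: the only sender IDs the bank uses
BANK_SHORT_CODES = {"1234"}      # assumed: the only number that accepts commands

# "... send the command to security service number 9900: ..." -> "9900"
ASKS_TO_SEND_TO = re.compile(r"\b(?:to|number)\s*:?\s*(\d{4,6})\b", re.I)
CLAIMS_REVERSAL = re.compile(r"\b(?:cancel\w*|refund\w*|redeem\w*)\b", re.I)


def screen(msg, card_events):
    """Return the reasons to distrust msg; an empty list means nothing was found.

    msg: {"sender": str, "text": str}
    card_events: the customer's real transactions, fetched through the bank's
    own app/API (slide 12's advice); only a "cancelled" entry proves a reversal.
    """
    sender, text = msg["sender"], msg["text"]
    reasons = []
    claims_bank = "bank" in sender.lower()
    if claims_bank and sender not in BANK_SENDERS:
        reasons.append(f"sender {sender!r} imitates the bank but is not a registered bank sender")
    m = ASKS_TO_SEND_TO.search(text)
    if m and m.group(1) not in BANK_SHORT_CODES:
        reasons.append(f"asks you to send a command to {m.group(1)}, which is not the bank's short code")
    if claims_bank and CLAIMS_REVERSAL.search(text):
        if not any(e["status"] == "cancelled" for e in card_events):
            reasons.append("announces a cancellation/refund that the bank's own transaction log does not show")
    return reasons


# Constructed from slides 7 and 8: two genuine messages and two lures.
MESSAGES = {
    "real_debit": {"sender": "SMS Bank", "text": "Dear Vasily, 3,000 rubles have been deducted from your credit card for mobile phone services."},
    "semyon_plea": {"sender": "+79261234567", "text": "Bro, a wrong number! Be a pal, refund this amount to me!"},
    "fake_cancel": {"sender": "SMS Bank", "text": "Invalid withdrawal from your card has been canceled. The funds will be redeemed to the account in due time."},
    "fake_security": {"sender": "Bank security service", "text": "A wrong transaction with your card has been registered. For immediate cancellation, please send the cancellation command to security service number 9900: CANCEL 79161235476"},
}
CARD_EVENTS = [{"amount": 3000, "dest": "89261234567", "status": "posted"}]  # constructed log


def screen_all(messages=MESSAGES, card_events=CARD_EVENTS):
    return {name: screen(m, card_events) for name, m in messages.items()}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(name, "->", reasons or ["no automatic flags"])
```

Two of the four messages are caught: the slide 8 lure trips all three rules, and the slide 7 lure, although it carries the bank's own sender ID (the gateway forged it), claims a cancellation that the log fetched from the genuine channel does not contain. Semyon's "refund me" plea from his own number is not flagged, which is the point of "attentiveness and vigilance" on slide 12: a plain request from a stranger is only dangerous once the victim believes the fake bank message that accompanies it.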
9. Disorderly conduct
Through an SMS gateway, Semyon sends a command with Vasily's number as the sender:
From: Vasily's number  To: SMS Bank
SEND CUTEKITTENS 99999
From: SMS Bank  To: Vasily
Dear Vasily, thank you very much! Your donation to the kittens support fund in the amount of 99,999 rubles has been received! Thank you!
... and of course other things can happen, because malicious users are already aware of this; the information is publicly available:
1. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154788
2. http://www.banki.ru/forum/index.php?PAGE_NAME=read&FID=34&TID=154785
10. Verification
― Without verification (only by the sender's number): easy and convenient, but insecure
― Verification by the last 4 digits of the card: insecure
― OTP verification: better, but some security issues exist
― Good banks: besides OTP, IMSI* verification, with the IMSI linked to the account number
* IMSI (International Mobile Subscriber Identity) is the identifier assigned to each subscriber of a GSM, UMTS or CDMA network. The subscriber's device sends the IMSI for identification when it registers in the network. The number is tied to the subscriber's SIM card.
11. What is right?
Through an SMS gateway, Semyon sends a command with Vasily's number as the sender:
From: Vasily's number  To: SMS Bank
SEND CUTEKITTENS 99999 0890
I. Sender's IMSI verification (IMSI linked to the account): the message did not originate from the SIM linked to the account, so the bank replies with a DENIAL.
II. OTP: From: SMS Bank  To: Vasily: Confirm the transaction by replying to the message with code 754387. The code reaches Vasily's real phone, not Semyon, so no confirmation ever arrives: DENIAL.
(Semyon: WTF?)
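To make the ranking of slide 10 and the two denials of slide 11 concrete, here is an added example that is not code from the PHDays III slides: a small model of an SMS banking front end that accepts `SEND <amount> <phone> [last4]` and `CODE <otp>` commands and applies one of four confirmation policies to the sender-spoofing attack of slides 7, 9 and 11. The subscriber, phone numbers, IMSI, card digits, balances and the command syntax are assumptions made for the simulation; a real bank's command format and short codes differ.

```python
"""Added example, not code from the PHDays III slides: a model of an SMS banking
front end that applies each confirmation policy from slide 10 to the spoofing
attack of slides 7, 9 and 11. Subscriber, numbers, IMSI, card digits, balances
and command syntax are assumptions made for the simulation."""
import hmac
import secrets


class Phone:
    """A real handset: its number (MSISDN), the IMSI of its SIM, its inbox."""
    def __init__(self, msisdn, imsi):
        self.msisdn, self.imsi, self.inbox = msisdn, imsi, []


class SmsBank:
    OTP_TTL = 60                  # seconds; slide 6 lists long OTP lifetimes as an attack

    def __init__(self, policy, network):
        self.policy = policy      # "none" | "last4" | "otp" | "imsi"
        self.network = network    # msisdn -> Phone; delivery always goes by number
        self.accounts = {}        # msisdn -> {"imsi", "last4", "balance"}
        self.pending = {}         # msisdn -> (otp, amount, dest, expires_at)

    def register(self, phone, card_last4, balance):
        self.accounts[phone.msisdn] = {"imsi": phone.imsi, "last4": card_last4, "balance": balance}

    def _notify(self, msisdn, text):
        # Replies go to the number, i.e. the real handset, even for a gateway-injected command.
        self.network[msisdn].inbox.append(text)

    def _pay(self, msisdn, amount, dest):
        self.accounts[msisdn]["balance"] -= amount
        self._notify(msisdn, f"RUR {amount} have been added to your phone account No. {dest}.")
        return f"OK: {amount} to {dest}"

    def receive(self, sender_msisdn, sender_imsi, text, now=0):
        """Handle one inbound SMS. sender_imsi is what the operator reports for the
        originating SIM; a gateway-injected message with a forged sender has none (None)."""
        acct = self.accounts.get(sender_msisdn)
        if acct is None:
            return "DENIAL: unknown sender"
        parts = text.split()
        if len(parts) == 2 and parts[0] == "CODE":
            return self._confirm(sender_msisdn, parts[1], now)
        if len(parts) not in (3, 4) or parts[0] != "SEND" or not parts[1].isdigit():
            return "DENIAL: bad command"
        amount, dest = int(parts[1]), parts[2]
        last4 = parts[3] if len(parts) == 4 else None
        if self.policy == "none":       # trust the sender number alone
            return self._pay(sender_msisdn, amount, dest)
        if self.policy == "last4":      # anyone holding a receipt passes (slide 5)
            if last4 is None:
                self._notify(sender_msisdn, "Please specify the last 4 digits of your card to confirm the payment")
                return "PENDING: card digits requested"
            if hmac.compare_digest(last4, acct["last4"]):
                return self._pay(sender_msisdn, amount, dest)
            return "DENIAL: wrong card digits"
        if self.policy == "otp":        # the code goes to the real handset only
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[sender_msisdn] = (otp, amount, dest, now + self.OTP_TTL)
            self._notify(sender_msisdn, f"Confirm the transaction by replying with code {otp}.")
            return "PENDING: code sent to subscriber"
        if self.policy == "imsi":       # the SIM itself must be the linked one
            if sender_imsi != acct["imsi"]:
                return "DENIAL: sender IMSI does not match the account"
            return self._pay(sender_msisdn, amount, dest)
        raise ValueError(f"unknown policy {self.policy!r}")

    def _confirm(self, msisdn, code, now):
        entry = self.pending.pop(msisdn, None)     # one attempt per code
        if entry is None:
            return "DENIAL: nothing to confirm"
        otp, amount, dest, expires_at = entry
        if now > expires_at:
            return "DENIAL: code expired"
        if not hmac.compare_digest(code, otp):
            return "DENIAL: wrong code"
        return self._pay(msisdn, amount, dest)


def simulate(policy, attacker_knows_last4=True):
    """Semyon injects SEND 9999 <his number> with Vasily's number as the sender;
    returns (bank reply, Vasily's remaining balance, Vasily's inbox)."""
    vasily = Phone("89161234567", "250011234567890")
    bank = SmsBank(policy, {vasily.msisdn: vasily})
    bank.register(vasily, "0890", balance=10000)
    cmd = "SEND 9999 89261234567" + (" 0890" if attacker_knows_last4 else "")
    reply = bank.receive(vasily.msisdn, None, cmd)   # None: came via a gateway
    # Under "otp" the code lands in Vasily's inbox, which Semyon never sees, so no CODE follows.
    return reply, bank.accounts[vasily.msisdn]["balance"], list(vasily.inbox)


def legitimate_otp(delay):
    """Vasily sends from his own SIM and confirms `delay` seconds later."""
    vasily = Phone("89161234567", "250011234567890")
    bank = SmsBank("otp", {vasily.msisdn: vasily})
    bank.register(vasily, "0890", balance=10000)
    bank.receive(vasily.msisdn, vasily.imsi, "SEND 100 89161234567", now=0)
    code = vasily.inbox[-1].rsplit(" ", 1)[1].rstrip(".")
    return bank.receive(vasily.msisdn, vasily.imsi, f"CODE {code}", now=delay)
```

Calling `simulate()` with each policy reproduces the deck: "none" and "last4" pay Semyon (the card digits are a secret shared with everyone who has seen a receipt, so the attacker of slide 5 has them), while "otp" leaves the payment pending because the code only ever reaches Vasily's handset, and "imsi" denies outright because the gateway-injected message has no SIM behind it. `legitimate_otp(600)` shows the slide 6 point about OTP lifetime: a code confirmed after `OTP_TTL` is refused, which is what limits the window in which a stolen code is useful.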
12. Other vectors?
• GSM alarm systems with default passwords
• "Smart" houses: targeted attacks
How can users protect themselves?
• Never disable OTP or notifications about card operations
• Attentiveness and vigilance
• Use a bank client application for smartphones
13. Thank you for your attention!
Denis Gorchakov, Olga Kochetova
dgorchakov@ptsecurity.ru, okochetova@ptsecurity.ru
Positive Research Center