Out of Band Authentication - How Fraudsters Circumvent Sophisticated Security Measures
In “The Matrix,” Morpheus tells Neo during training that some of the Matrix’s rules can be bent while others can be broken. While this line may only be an excuse to use clever special effects, it does have a grain of truth to it. When solving computer problems, you don’t always have to play by the rules. Sometimes it’s much easier to circumvent a problem rather than solving. For example, if you need an installation file from a disc and your drive’s tray won’t open, instead of getting the tray to work you can simply download the file that you need from the internet. It wouldn’t solve the drive’s problem, but at least you’ll get the software that you need installed.
The world of identity theft is no different. Fraudsters also encounter “problems”. They are constantly going up against anti-fraud measures designed to stop their efforts and they need to bypass them in order to make a profit. In some cases, it’s easier for them to simply avoid those defenses rather than try to pass through them.
A very popular anti-fraud measure financial institutions are now implementing in their online banking services is Out of Band Authentication. When a customer wants to make a transaction, a text message or phone call is sent to the mobile phone number the bank has on file. The customer is given through the phone a “TAN” or one-time password that must be provided on the website in order to complete the transaction.
This method has proven to be quite challenging for fraudsters to overcome. One of the main methods used includes a highly sophisticated Man-in-the-Browser Trojan (MITB) that must be installed on the victim’s machine. The Trojan automatically executes a pre-defined script when the victim logs into the online banking service which initiates a transfer to a mule account without the victim knowing. It then uses social engineering to fool the victim into divulging the one-time password that was sent to his/her phone (a pop-up asking for the passcode and explaining that this is a new security measure implemented by the bank, for example).
Another method fraudsters use to beat out of band authentication is to hijack text messages. While not that common, there were cases in the past where fraudsters had this ability, in certain geographies. This could be attributed to insiders at the telco companies or the exploitation of old mobile phones.
Back in the days of Darkmarket, such a service was offered for fraudsters targeting Turkish banks
Most fraudsters don’t possess the technical sophistication to hijack text messages or operate a MITB Trojan and even those that do must invest a lot of resources in order to complete a transaction secured with out of band authentication. Therefore, it is not surprising that when possible, fraudsters try going around out of band authentication by taking advantage of the enrollment process to the service.
For out of band authentication to work well the bank must have the customer’s accurate phone number on file. If not, come the day of the transfer the customer will not be able to receive the TAN and complete the transaction. The enrollment for this service is often done online, and generally doesn’t require a lot of tough authentication questions – leaving an opening for the fraudster.
If the customer hasn’t enrolled into the service yet, the fraudster could enroll to the service on their behalf, providing a phone number that the fraudster controls. Once registered, the fraudster could simply issue a fraudulent money transfer to his mule account, receive the TAN, use it and complete the transaction.
Should a fraudster obtain the credentials of someone who is already registered to the out of band authentication service – they could attempt to cash out in other ways including selling the credentials to another fraudster.
This method has become so popular that there’s a recent increase in “SMS forwarders” services offered to fraudsters in the underground. These services offer their users phone numbers from all over the world that would immediately forward any text message to the fraudster’s phone -- streamlining the process of obtaining a local number (you don’t want to provide a US bank with a Russian phone number) to accept TANs sent by the banks.
Even though it’s not bulletproof, out of band authentication is an effective tool to stop fraudsters at bay. But just like any idea, implementation has a very big part of whether it succeeds or fails. For out of band authentication to become even more effective, a more secure enrollment processes must be put into effect in order to ensure that the person opting-in to the service is the legitimate customer and not a fraudster. For example, banks can opt-in all users automatically, supplement the process with additional anti-fraud measures, or implement a stronger authentication during the enrollment stage. Asking personal questions that can not be easily obtained through Phishing, keylogging or background checks will help authenticate the user and make out of band authentication that much more effective.
Eventually, when the routes used to bypass security measures are themselves secured, most fraudsters will have no choice but to circumvent the problem in a different way – by targeting someone else.