Out of Band Authentication: How Fraudsters Circumvent Sophisticated Security Measures

In “The Matrix,” Morpheus tells Neo during training that some of the Matrix’s rules can be bent while others can be broken. While this line may only be an excuse to use clever special effects, it does have a grain of truth to it. When solving computer problems, you don’t always have to play by the rules. Sometimes it’s much easier to circumvent a problem than to solve it. For example, if you need an installation file from a disc and your drive’s tray won’t open, instead of getting the tray to work you can simply download the file you need from the internet. It won’t fix the drive, but at least you’ll get the software you need installed.

The world of identity theft is no different. Fraudsters also encounter “problems”: they are constantly going up against anti-fraud measures designed to stop them, and they need to bypass those measures to make a profit. In some cases, it’s easier for them to simply avoid those defenses than to try to pass through them.

A very popular anti-fraud measure that financial institutions are now implementing in their online banking services is Out of Band Authentication. When a customer wants to make a transaction, a text message or phone call is sent to the mobile phone number the bank has on file. Over the phone, the customer receives a “TAN” (transaction authentication number), a one-time password that must be entered on the website to complete the transaction.

This method has proven quite challenging for fraudsters to overcome. One of the main methods used to beat it is a highly sophisticated Man-in-the-Browser (MITB) Trojan that must be installed on the victim’s machine. When the victim logs into the online banking service, the Trojan automatically executes a pre-defined script that initiates a transfer to a mule account without the victim knowing. It then uses social engineering to fool the victim into divulging the one-time password sent to his or her phone (for example, a pop-up asking for the passcode and explaining that this is a new security measure implemented by the bank).

Another method fraudsters use to beat out of band authentication is to hijack text messages. While not that common, there have been cases in the past, in certain geographies, where fraudsters had this ability. This could be attributed to insiders at the telco companies or to the exploitation of old mobile phones.

Image caption: Back in the days of Darkmarket, such a service was offered to fraudsters targeting Turkish banks.

Most fraudsters don’t possess the technical sophistication to hijack text messages or operate a MITB Trojan, and even those who do must invest a lot of resources to complete a transaction secured with out of band authentication. Therefore, it is not surprising that, when possible, fraudsters try to go around out of band authentication by taking advantage of the enrollment process for the service.

For out of band authentication to work well, the bank must have the customer’s accurate phone number on file. If not, come the day of the transfer, the customer will not be able to receive the TAN and complete the transaction. Enrollment in this service is often done online and generally doesn’t require a lot of tough authentication questions – leaving an opening for the fraudster.

If the customer hasn’t enrolled in the service yet, the fraudster could enroll on their behalf, providing a phone number that the fraudster controls. Once registered, the fraudster could simply issue a fraudulent money transfer to his mule account, receive the TAN, use it, and complete the transaction.

Should a fraudster obtain the credentials of someone who is already registered for the out of band authentication service, they could attempt to cash out in other ways, including selling the credentials to another fraudster.

This method has become so popular that there has been a recent increase in “SMS forwarder” services offered to fraudsters in the underground. These services offer their users phone numbers from all over the world that immediately forward any text message to the fraudster’s phone — streamlining the process of obtaining a local number (you don’t want to provide a US bank with a Russian phone number) to accept TANs sent by the banks.

Even though it’s not bulletproof, out of band authentication is an effective tool for keeping fraudsters at bay. But just like any idea, implementation plays a very big part in whether it succeeds or fails. For out of band authentication to become even more effective, a more secure enrollment process must be put into effect to ensure that the person opting in to the service is the legitimate customer and not a fraudster. For example, banks can opt in all users automatically, supplement the process with additional anti-fraud measures, or implement stronger authentication during the enrollment stage. Asking personal questions whose answers cannot be easily obtained through phishing, keylogging or background checks will help authenticate the user and make out of band authentication that much more effective.
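As an added illustration of the enrollment weakness and the mitigations described above (example code written for this page, not from SecurityWeek or any bank’s system), the following Python model contrasts two enrollment policies: a weak flow that accepts a new OOB phone number on a valid login alone, and a hardened flow that requires knowledge-based verification on first enrollment and confirmation on the already-verified phone for a number change. It also computes the review flags a fraud team would check before honouring a TAN-approved transfer that follows a recent number change or uses a number whose country does not match the account. The prefix table, the 72-hour cooling-off window, the customer and phone values, and every identifier are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed prefix table for the example only; a real system would use a
# proper numbering-plan library. "+1" covers the whole North American plan.
COUNTRY_BY_PREFIX = {"+90": "TR", "+44": "GB", "+7": "RU", "+1": "US"}

COOLING_OFF = timedelta(hours=72)  # assumed review window after a phone change


def phone_country(phone: str) -> Optional[str]:
    """Map an E.164 number to a country code using the longest matching prefix."""
    for prefix in sorted(COUNTRY_BY_PREFIX, key=len, reverse=True):
        if phone.startswith(prefix):
            return COUNTRY_BY_PREFIX[prefix]
    return None


@dataclass
class Customer:
    customer_id: str
    country: str                               # country of the account
    oob_phone: Optional[str] = None            # currently verified OOB number
    phone_changed_at: Optional[datetime] = None


@dataclass
class EnrollmentRequest:
    new_phone: str
    at: datetime
    passed_kba: bool = False                   # answered out-of-wallet questions
    confirmed_on_old_phone: bool = False       # TAN entered from the previous number


def evaluate_enrollment(customer: Customer, req: EnrollmentRequest,
                        hardened: bool) -> Tuple[bool, List[str]]:
    """Decide whether to accept a new OOB phone number.

    hardened=False models the weak flow: a valid login is the only requirement,
    so phished or keylogged credentials are enough to register an attacker's
    number. hardened=True demands proof beyond those credentials."""
    reasons: List[str] = []
    if not hardened:
        return True, reasons
    if customer.oob_phone is None:
        # First enrollment: credentials alone are not enough
        if not req.passed_kba:
            reasons.append("first enrollment requires knowledge-based verification")
    else:
        # Changing a verified number: confirm on the channel already trusted
        if not req.confirmed_on_old_phone:
            reasons.append("number change must be confirmed on the existing phone")
    # Policy choice (assumed): refuse numbers outside the account's country
    if phone_country(req.new_phone) != customer.country:
        reasons.append("phone country does not match account country")
    return (not reasons), reasons


def apply_enrollment(customer: Customer, req: EnrollmentRequest, hardened: bool) -> bool:
    """Evaluate the request and, if accepted, record the new number and time."""
    ok, _ = evaluate_enrollment(customer, req, hardened)
    if ok:
        customer.oob_phone = req.new_phone
        customer.phone_changed_at = req.at
    return ok


def transfer_risk_flags(customer: Customer, transfer_at: datetime) -> List[str]:
    """Signals a fraud team would review before honouring a TAN-approved transfer."""
    flags: List[str] = []
    if customer.phone_changed_at and transfer_at - customer.phone_changed_at < COOLING_OFF:
        flags.append("transfer within cooling-off window after phone change")
    if customer.oob_phone and phone_country(customer.oob_phone) != customer.country:
        flags.append("OOB phone country differs from account country")
    return flags


def run_scenarios() -> dict:
    """Constructed scenarios: a US customer whose credentials were stolen, and an
    attacker enrolling a foreign number they control, under both policies."""
    t0 = datetime(2024, 1, 1, 9, 0)
    attacker_req = EnrollmentRequest(new_phone="+79001234567", at=t0)  # constructed number

    weak_victim = Customer("c-1001", "US")
    weak_accepted = apply_enrollment(weak_victim, attacker_req, hardened=False)
    weak_flags = transfer_risk_flags(weak_victim, t0 + timedelta(hours=1))

    hard_victim = Customer("c-1001", "US")
    hard_accepted, hard_reasons = evaluate_enrollment(hard_victim, attacker_req, hardened=True)

    legit_req = EnrollmentRequest(new_phone="+12025550123", at=t0, passed_kba=True)
    legit_accepted = apply_enrollment(hard_victim, legit_req, hardened=True)
    change_req = EnrollmentRequest(new_phone="+12025550199", at=t0 + timedelta(days=30))
    change_accepted, change_reasons = evaluate_enrollment(hard_victim, change_req, hardened=True)

    return {
        "weak_accepted": weak_accepted, "weak_transfer_flags": weak_flags,
        "hardened_accepted": hard_accepted, "hardened_reasons": hard_reasons,
        "legit_accepted": legit_accepted,
        "change_accepted": change_accepted, "change_reasons": change_reasons,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Under the weak policy the attacker’s enrollment goes through and the only remaining defence is the post-hoc review flags; under the hardened policy the same request is refused for lack of knowledge-based verification and for the country mismatch, while a later number change is refused until it is confirmed on the phone the bank already trusts.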

Eventually, when the routes used to bypass security measures are themselves secured, most fraudsters will have no choice but to circumvent the problem in a different way – by targeting someone else.

Related Reading: Stopping The Next Money Mule: How Banks Can Identify Mule Accounts as They are Opened
