
War on Error

'Eurograbber' SMS attack shows Android's vulnerability

We end 2012 with the alarming knowledge that the SMS two-factor authentication systems used to secure online banking have suffered their first major security failure and left a clutch of banks down to the tune of €36 million (£30 million).

Between roughly August and mid-October, a variant of the Zeus banking malware (ZeuS-in-the-Mobile, or ZitMo) compromised some 30,000 online bank accounts at 30 different Italian, German, Dutch and Spanish banks, stealing tens of millions of Euros by siphoning the money into mule accounts.

Online bank heists that rake in large sums are not new, but what the security firm Check Point has dubbed “Eurograbber” also defeated what was supposed to be an impregnable layer of security, namely two-factor authentication (2FA) using one-time passwords/PINs sent by SMS to mobile phones.

The principle of SMS security is sound enough. The user logs on as normal with a user name and password, but the login or transaction is not accepted until the bank sends a one-time verification code (a mobile Transaction Authentication Number, or mTAN) to the phone registered to the account and the user types it back in. An attacker who has compromised the PC and keylogged the user's credentials cannot know this second piece of data unless they can also read the phone's messages during the session. The separate device is the whole point: two things have to be compromised, not one.

Eurograbber smashed this (there’s no other description for it) using what now looks like an incredibly straightforward attack. After infecting the online bank user’s Windows PC, Zeus sprang into life when it detected a banking session, recording the login data. Victims were then tricked into entering their mobile numbers via a bogus but plausible splash screen injected into the banking page, after which a text message was sent to that number containing a link to an Android malware app hosted on a third-party site (i.e. not Google Play).

Once the victim had followed the link and installed the app, believing it to be a security "update", the rogue app could intercept the genuine bank SMS when it arrived and forward it to the criminals, who could then authorise transfers out of the compromised account. Both factors now belonged to the attacker.
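The article does not describe how the Android component read the messages, so the following is an added illustration, not Check Point's analysis or the malware's code. It assumes the mechanism an SMS-forwarding app on Android of that era needed: the RECEIVE_SMS permission, a broadcast receiver registered for the system's SMS_RECEIVED action with a raised android:priority so it sees the message before the stock messaging app, and SEND_SMS or INTERNET to get the code off the phone. The script below is a triage check over a decoded AndroidManifest.xml (as produced by apktool) for exactly that combination; the two manifests and the package names in it are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-interception capability
(receive SMS, jump the delivery queue, exfiltrate). Added example, not the
malware's or Check Point's code; sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"
INTERNET = "android.permission.INTERNET"


def _android(attr):
    """Clark-notation name for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


def sms_indicators(manifest_xml):
    """Return the permissions of interest and every <receiver> whose intent
    filter listens for SMS_RECEIVED, with the filter's android:priority
    (0 when unset, i.e. default ordering behind the messaging app)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(_android("name")) for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(_android("name")) for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = flt.get(_android("priority"))
                receivers.append((rcv.get(_android("name")), int(prio or 0)))
    return {
        "receive_sms": RECEIVE_SMS in perms,
        "exfil": bool(perms & {SEND_SMS, INTERNET}),
        "sms_receivers": receivers,
    }


def looks_like_sms_stealer(manifest_xml, min_priority=1):
    """Heuristic, not proof: a legitimate SMS client also raises priority,
    so treat a hit as something to look at, not a verdict."""
    ind = sms_indicators(manifest_xml)
    jumps_queue = any(p >= min_priority for _, p in ind["sms_receivers"])
    return ind["receive_sms"] and jumps_queue and ind["exfil"]


# Constructed sample: what a "security update" SMS forwarder looks like
# after decoding (package and class names are made up for the example).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.secupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Update">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that never touches SMS.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, sms_indicators(m), looks_like_sms_stealer(m))
```

The manifest only tells you what the app is allowed to do; whether it actually forwards the message, or calls abortBroadcast() to hide it from the inbox, is in the code, so a hit here is a reason to pull the APK apart, not a conviction.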

The simplicity of the attack underlines two uncomfortable aspects of the story, the first being how easy it still is to infect large numbers of Windows users with malware. The second - and in some ways more disturbing - is how easy it is to infect large numbers of Android users with malware.

Today, Windows + Android just isn’t good news. Any Windows user who happened to use an iPhone or Windows Phone would have been unaffected by Eurograbber because, on an unmodified device, Apple and Microsoft don’t allow apps to be installed from outside their own stores. But, the attackers noticed, Google does: an Android user only has to enable installation from "unknown sources" and tap the link.

But what about the rather basic design of the SMS authentication? Isn’t sending one-time PINs to old-fashioned inboxes rather insecure for an age of smartphone sophistication?

One prominent ‘tokenless’ vendor, SecurEnvoy, believes that while the principle of 2FA via mobile remains strong, the Eurograbber attack does point up weaknesses in implementation.

“We shouldn’t be writing off SMS - it is better than 'no-factor'. But it has to be more sophisticated,” suggests SecurEnvoy’s CTO, Andy Kemshall. “With tokenless you still have to compromise two devices.”

According to Kemshall, Eurograbber underlines the need for the industry to migrate SMS texts sent to messaging inboxes - a design compatible with old-style phones - to one based on a more secure app-based model that exploits the power of smartphones.

“What the banks should offer their users is the choice to use secure apps. The end user should be given the choice.”

Good point. Simple texts are too vulnerable: any app the user has been persuaded to install with the SMS-receive permission can read them. Apps created using secure APIs (i.e. which can’t be cloned or impersonated by malware writers, and which keep their secrets in storage the platform sandbox makes private to that app) offer a potential way forward. Under that design, the PIN would be received or generated in a dedicated app rather than dropped into a shared inbox, cutting out the possibility of interception by a second app on the same phone. The caveat is that the same user who installed a bogus "security update" can be persuaded to install a bogus banking app, and a rooted phone has no sandbox to speak of, so the app model raises the bar rather than removing it.

What remains inescapable is the relative vulnerability of Android in its current form, with its fragmented array of versions and an open model that permits third-party downloads. This is not to say that such attacks are technically impossible on Apple and Microsoft but they are far less likely.

The tendency of users to click ‘yes’ to everything and anything on smartphones can be countered with better education, but that will take time the online banking industry no longer has. Security software can also do some of the job, but that is the model of the PC industry, which addressed problems such as spam and malware by asking users to shell out for protection.

History tells us that this model of privatising security only works up to a point and leaves plenty of room for attackers to prey on the less well protected. As 2013 dawns, history could be about to repeat itself. Expect more Eurograbber-like attacks on mobile banking in the year ahead.

