Wavelength (talk | contribs) changing adverb "in" and preposition "to" —> preposition "into"—wikt:in—wikt:wikt:to—wikt:into—http://public.wsu.edu/~brians/errors/into.html—User:Wavelength/About English/Expressions "into" and "in to"
→Mobile TAN (mTAN): 2017 attack via SS7
mTANs are used by banks in Austria, Bulgaria, Czech Republic, Germany, Hungary, the Netherlands, Poland, Russia, Singapore, South Africa, Spain, Switzerland and by some banks in New Zealand, Australia and Ukraine. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by [[SMS]]. The SMS may also include the transaction data, allowing the user to verify that the transaction was not modified on its way to the bank.
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM swap fraud. A common attack vector is for the attacker to [[Identity theft|impersonate]] the victim and obtain a replacement [[SIM card]] for the victim's phone from the [[mobile network operator]]. The victim's user name and password are obtained by other means (such as [[keylogging]] or [[phishing]]). Between obtaining the replacement SIM and the victim noticing that their phone no longer works, the attacker can transfer the victim's funds out of their accounts.<ref>[http://www.iol.co.za/news/south-africa/victim-s-sim-swop-fraud-nightmare-1.385531 ''Victim's SIM swop fraud nightmare''] iol.co.za, Independent Online, January 12, 2008</ref> In 2016 a [https://theantisocialengineer.com/sim-swap-fraud-porting-your-digital-life-in-minutes/ study was conducted on SIM swap fraud] by a [[Social engineering (security)|social engineer]], revealing weaknesses in the process for issuing porting numbers.
In 2014, a weakness in [[Signalling System No. 7]] (SS7), the signalling network used to deliver SMS, was published which allows messages to be intercepted. It was demonstrated by Tobias Engel during the 31st [[Chaos Communication Congress]].<ref>{{cite web|title=31C3: Mobilfunk-Protokoll SS7 offen wie ein Scheunentor|url=https://www.heise.de/newsticker/meldung/31C3-Mobilfunk-Protokoll-SS7-offen-wie-ein-Scheunentor-2506892.html|date=2014-12-28|language=German}}</ref> At the beginning of 2017, this weakness was used successfully in Germany to intercept SMS and fraudulently redirect fund transfers.<ref>{{cite web| url=https://www.heise.de/newsticker/meldung/Deutsche-Bankkonten-ueber-UMTS-Sicherheitsluecken-ausgeraeumt-3702194.html| title=Deutsche Bankkonten über UMTS-Sicherheitslücken ausgeräumt| author=Fabian A. Scherschel| date=2017-05-03|language=German}}</ref>
The rise of [[smartphone]]s has also led to malware that tries to infect both the PC and the mobile phone in order to defeat the mTAN scheme.<ref>[http://news.techworld.com/security/3415014/eurograbber-sms-trojan-steals-36-million-from-online-banks/ ''Eurograbber SMS Trojan steals €36 million from online banks''] techworld.com, December 5, 2012</ref>
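The bank side of the mTAN scheme described above, as an added Python model that is not part of the article: the TAN is bound to the exact transaction it was issued for, is single-use and expires, and the SMS echoes the transaction data so the user can compare it against what they typed. The IBANs and amounts in the test are constructed values; the binding check stops a transfer that PC malware altered on its way to the bank, but it cannot help when the SMS channel itself is compromised (SIM swap, SS7 interception), because the attacker then receives a TAN legitimately issued for the transfer they initiated.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TAN_DIGITS = 6          # length of the numeric TAN sent by SMS
TAN_TTL_SECONDS = 300   # lifetime of an issued TAN


@dataclass
class PendingTransaction:
    """A transfer awaiting mTAN confirmation, as the bank records it."""
    tx_id: str
    iban: str
    amount_cents: int
    tan: str
    issued_at: float
    used: bool = False


class MtanBank:
    """Toy model of the bank's mTAN issuance and verification (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # tx_id -> PendingTransaction

    def initiate(self, tx_id: str, iban: str, amount_cents: int) -> str:
        """Issue a fresh TAN bound to this exact transaction; return the SMS text."""
        tan = f"{secrets.randbelow(10 ** TAN_DIGITS):0{TAN_DIGITS}d}"
        self._pending[tx_id] = PendingTransaction(tx_id, iban, amount_cents, tan, self._now())
        # The SMS repeats recipient and amount so the user can notice a transfer
        # that malware on the PC changed before it reached the bank.
        return (f"TAN {tan} for transfer of {amount_cents / 100:.2f} EUR "
                f"to {iban}. Valid {TAN_TTL_SECONDS // 60} min.")

    def confirm(self, tx_id: str, iban: str, amount_cents: int, tan: str) -> bool:
        """Accept the TAN only for the unchanged transaction, once, within its lifetime."""
        tx = self._pending.get(tx_id)
        if tx is None or tx.used:
            return False                      # unknown transaction or replayed TAN
        if self._now() - tx.issued_at > TAN_TTL_SECONDS:
            return False                      # TAN expired
        if tx.iban != iban or tx.amount_cents != amount_cents:
            return False                      # TAN was issued for a different transfer
        if not hmac.compare_digest(tx.tan, tan):
            return False                      # wrong TAN (constant-time comparison)
        tx.used = True
        return True
```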