Wired, 12.20.2020, 09:00 AM | Security | “A Massive Fraud Operation Stole Millions From Online Bank Accounts” – “The crooks used emulators to mimic the phones of more than 16,000 customers whose mobile bank accounts had been compromised” by Dan Goodin
See article for full detail
Summary of Article
In general terms what happened?
Using “mobile device emulators”, crooks “drained millions of dollars from online bank accounts in a matter of days” from accounts in America and Europe.
How did the perpetrators gain access to accounts?
“Accounts were compromised using either malware or phishing attacks.” It’s unclear how they were able to “steal SMS messages and device IDs.”
How can accounts be protected from such action?
1) Use strong passwords
2) Beware of phishing scams
3) Keep your devices “free of malware”
4) Review your bank statements frequently to identify “fraudulent transactions.”
5) Banks ideally should provide multi-factor authentication using a “medium other than SMS.”
In simple terms how exactly did these hacks happen?
“Emulators are used by legitimate developers…to test how apps run…on mobile devices”. In the wrong hands, the fraud was carried out by entering stolen usernames and passwords “into banking apps running on emulators and initiated fraudulent money orders…”. Banking safeguards were circumvented by using “device identifiers corresponding to each compromised account holder and spoofed GPS locations.” The device IDs and SMS messages, used in two-factor authentication, were likely obtained from the hacked devices.
The process was automated:
1) Access the account
2) Start a transaction
3) Receive and steal a 2nd factor from SMS
4) Use codes to complete the “illicit transactions”
Figure 1: Source IBM Trusteer
Automation sped up the process and then the fraudsters performed tasks to cover their tracks by wiping data traces and performing other maneuvers. “The crooks intercepted communications between the spoofed devices and the banks’ application servers” enabling them to perfect their methods on an incremental and ongoing basis.
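The summary above describes the signals a bank's fraud team would look for on its own side: one emulated device driving many accounts, transfers initiated seconds after login (automation), and device or location data that does not fit the account's history. The following is an added example, not code from the article or from IBM Trusteer, showing how those three checks can be run over a constructed set of app-server events. All account and device identifiers, coordinates and thresholds are hypothetical. Note that the article says the spoofed GPS locations matched the victims, so the impossible-travel check here would only fire when the real owner also uses the account from elsewhere; the shared-device and login-to-transfer timing checks are the ones that target the emulator farm directly.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Event:
    ts: datetime       # when the banking app server saw the request
    account: str       # hypothetical account identifier
    device_id: str     # device identifier presented by the client
    kind: str          # "login" or "transfer"
    lat: float         # GPS latitude reported by the client
    lon: float         # GPS longitude reported by the client


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def shared_device_accounts(events, min_accounts=3):
    """Device IDs seen on at least min_accounts distinct accounts (emulator reuse)."""
    accounts_by_device = defaultdict(set)
    for e in events:
        accounts_by_device[e.device_id].add(e.account)
    return {d: sorted(a) for d, a in accounts_by_device.items() if len(a) >= min_accounts}


def seconds_login_to_transfer(events):
    """Per account: seconds from a login to the first transfer that follows it."""
    result, last_login = {}, {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login":
            last_login[e.account] = e.ts
        elif e.kind == "transfer" and e.account in last_login and e.account not in result:
            result[e.account] = (e.ts - last_login[e.account]).total_seconds()
    return result


def impossible_travel(events, max_kmh=900.0):
    """Accounts whose consecutive events imply movement faster than max_kmh."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    flagged = set()
    for account, evs in by_account.items():
        evs.sort(key=lambda x: x.ts)
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if hours > 0 and km / hours > max_kmh:
                flagged.add(account)
    return flagged


def flag_accounts(events, fast_seconds=15, min_shared=3):
    """Combine the three checks into a per-account list of reasons for review."""
    reasons = defaultdict(list)
    for device, accounts in shared_device_accounts(events, min_shared).items():
        for a in accounts:
            reasons[a].append(f"device {device} shared by {len(accounts)} accounts")
    for a, secs in seconds_login_to_transfer(events).items():
        if secs <= fast_seconds:
            reasons[a].append(f"transfer {secs:.0f}s after login")
    for a in impossible_travel(events):
        reasons[a].append("impossible travel between consecutive events")
    return dict(reasons)


# Constructed sample events (hypothetical accounts, devices and coordinates).
T0 = datetime(2020, 12, 1, 9, 0, 0)
BER = (52.52, 13.405)       # Berlin
NYC = (40.7128, -74.006)    # New York

SAMPLE_EVENTS = [
    # three accounts driven from one device, each transfer seconds after login
    Event(T0, "acct-001", "dev-AAA", "login", *BER),
    Event(T0 + timedelta(seconds=4), "acct-001", "dev-AAA", "transfer", *BER),
    Event(T0 + timedelta(seconds=20), "acct-002", "dev-AAA", "login", *BER),
    Event(T0 + timedelta(seconds=25), "acct-002", "dev-AAA", "transfer", *BER),
    Event(T0 + timedelta(seconds=40), "acct-003", "dev-AAA", "login", *BER),
    Event(T0 + timedelta(seconds=45), "acct-003", "dev-AAA", "transfer", *BER),
    # the real owner of acct-002 logs in from their own phone in New York
    Event(T0 + timedelta(minutes=10), "acct-002", "dev-owner2", "login", *NYC),
    # an ordinary customer: own device, transfer three minutes after login
    Event(T0 + timedelta(hours=1), "acct-009", "dev-owner9", "login", *BER),
    Event(T0 + timedelta(hours=1, minutes=3), "acct-009", "dev-owner9", "transfer", *BER),
]

if __name__ == "__main__":
    for account, why in sorted(flag_accounts(SAMPLE_EVENTS).items()):
        print(account, "->", "; ".join(why))
```

In this sample the three emulator-driven accounts are flagged on both the shared-device and the timing check, acct-002 additionally on impossible travel once its real owner appears, and acct-009 is not flagged at all. The thresholds (three accounts per device, 15 seconds, 900 km/h) are starting points that a fraud team would tune against its own baseline.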