Out-of-Band Authentication Gets Outfoxed

Banks in the United Kingdom are battling fraudsters who have found a way to compromise out-of-band authentication, an approach endorsed by many fraud experts, by redirecting the authentication calls or texts intended for a consumer's phone to the attacker's phone, and then approving fraudulent transactions, sources say.

The problem, sometimes called phone jacking, appears to be more serious in the UK because telecom technology and processes there make the attacks easier to pull off. None of Britain's major banks responded to inquiries about the attack mode; at least one major U.S. bank is rumored to also be plagued by the problem.

The anatomy of the attack involves a fraudster using social engineering to convince a telecom customer service representative to forward a victim's phone calls to a number controlled by the attacker. Then, when the fraudster uses other stolen data to impersonate that customer and log into his or her bank account, much as in a spear phishing attack, the criminal is able to confirm the out-of-band authentication request, or affirm a suspicious transaction if called directly by the bank, and the transactions proceed.

Mark Bowerman, a spokesman for APACS (Association for Payment Clearing Services, the UK payments association), confirmed the incidents among UK banks, and says his organization is working with both British Telecom and the mobile networks to "tackle this issue."

"Banks regularly review and update their front-end fraud controls and continue to monitor activity and engage with the telecoms industry to mitigate losses through this type of fraud," Bowerman says, adding he wasn't aware of any specific rules changes at telecom vendors that would be implemented in response.

The problem is more prevalent in the UK than in the US for several reasons, says John Zurawski, vp of sales at US-based authentication vendor Authentify. First, provisions of the Gramm-Leach-Bliley Act include regulations on pretexting that require carriers to get confirmation before changing critical data on an account. Second, in the U.S., authentication vendors are able to use the SS7 telecom protocol to identify when calls are being forwarded, and banks can choose either to add this as a factor in their risk scoring or to not let transactions approved by forwarded numbers go through. That particular feature works much better in North America than in the UK, Zurawski says. In addition, the overseas payment ecosystem is much closer to real-time than it is in the U.S., meaning that by the time a UK bank's fraud system identifies a possible problem, the consumer's money is often already gone.

Out-of-band authentication vendors contend this attack vector is pure social engineering, reliant on the crooks manipulating people into turning over sensitive information. In other words, the technology isn't entirely to blame for the new wave of attacks. "There's no technical defense you can put up that a social engineer isn't going to find a way around once or twice," says Steve Dispensa, CTO and co-founder of PhoneFactor. "The good news about social engineering is it's hard to do in bulk."

Authentify's Zurawski, whose company provides out-of-band authentication to HSBC, among other institutions, says: "This particular approach was both unique and somewhat brazen. The way we've seen it in the past are situations that banks would refer to as 'friends and family' fraud."

Some banks are adapting to the attacks by changing back-end fraud scoring engines to give less weight to out-of-band authentication, particularly when other risk factors are high, says Amir Orad, CMO for Actimize, which sells back-end fraud detection technology.
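The two defensive adjustments described above, treating a forwarded number as a risk signal (or as grounds for rejection) and giving an out-of-band approval less weight when other risk factors are high, can be sketched as a small scoring policy. The following is an added example, not code from the article or from Authentify, Actimize or any bank; the call-forwarding flag is assumed to come from a carrier lookup such as the SS7 query the article mentions, and every weight and threshold is a constructed, hypothetical value.

```python
"""Constructed fraud-scoring sketch: folding an out-of-band (OOB) approval and a
call-forwarding signal into a payment risk decision. All weights and thresholds
are hypothetical; this is not any vendor's scoring model."""
from dataclasses import dataclass


@dataclass
class Transaction:
    amount: float
    new_payee: bool        # first payment to this beneficiary
    device_known: bool     # browser/device fingerprint seen before for this customer
    txns_last_hour: int    # velocity of outbound payments
    oob_approved: bool     # customer confirmed via call/SMS to the phone of record
    call_forwarded: bool   # carrier lookup (assumed SS7 query) says the number is forwarded


APPROVE, REVIEW, BLOCK = "approve", "review", "block"


def base_risk(tx: Transaction) -> int:
    """Risk from signals that do not depend on the OOB channel, 0..100."""
    score = 0
    if tx.amount >= 5000:
        score += 30
    elif tx.amount >= 1000:
        score += 15
    if tx.new_payee:
        score += 25
    if not tx.device_known:
        score += 20
    if tx.txns_last_hour >= 3:
        score += 20
    return min(score, 100)


def oob_credit(tx: Transaction, base: int) -> int:
    """Points an OOB approval removes: full credit (40) when other risk is low,
    tapering to zero as other risk factors rise, and zero outright when the
    approval came over a forwarded number (the phone-jacking case)."""
    if not tx.oob_approved or tx.call_forwarded:
        return 0
    weight = max(0.0, 1.0 - base / 80.0)
    return int(40 * weight)


def score(tx: Transaction) -> int:
    """Final risk score, 0..100. A forwarded number adds a flat penalty because the
    phone of record can no longer be trusted to reach the customer."""
    base = base_risk(tx)
    s = base - oob_credit(tx, base)
    if tx.call_forwarded:
        s += 40
    return max(0, min(s, 100))


def decide(tx: Transaction, forwarded_policy: str = "block") -> str:
    """forwarded_policy='block' rejects any OOB-approved payment whose number is
    forwarded; forwarded_policy='score' only feeds the signal into the score."""
    if forwarded_policy == "block" and tx.call_forwarded and tx.oob_approved:
        return BLOCK
    s = score(tx)
    if s >= 80:
        return BLOCK
    if s >= 40:
        return REVIEW
    return APPROVE


if __name__ == "__main__":
    # Constructed sample transactions: a routine payment, a phone-jacking pattern,
    # and a legitimate high-value payment where OOB approval earns little credit.
    samples = {
        "routine": Transaction(200, False, True, 0, True, False),
        "phone-jacked": Transaction(6000, True, False, 1, True, True),
        "high-risk legit": Transaction(6000, True, False, 1, True, False),
    }
    for name, tx in samples.items():
        print(f"{name:16} score={score(tx):3}  decision={decide(tx)}")
```

The point of `oob_credit` is the second adjustment in the article: at low base risk the OOB approval carries the decision, at medium risk it still tips a transaction from review to approve, and at high risk it is worth only a couple of points, so a forged approval cannot rescue a payment that looks wrong on every other signal.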

Out-of-band authentication using a mobile phone had been touted as one of the most reliable and convenient second forms of authentication for online banking. This latest wave of attacks shows that everything is vulnerable, says Gartner vp and distinguished analyst Avivah Litan.

Earlier this year word came from the FS-ISAC that companies should no longer engage in online banking via a standard browser because of its inherent weaknesses and the massive fraud hits to business accounts. Man-in-the-middle attacks have been vexing OTP token vendors for years.

"At the end, by definition, it is all compromised - the phone, the computer, the password, the token," says Orad. "What you cannot really compromise is someone's history and their behavior."
