Criminal activity that targets mobile banking has not yet reached the levels of online banking, mostly because the volume of mobile banking to this point hasn’t made it as attractive a target.
But as mobile banking grows, that’s starting to change (
“This special attack involves stealing information to generate new SIM cards,” says Oren Kedem, a director at the security firm Trusteer who described the threat in a recent interview. The new attacks on SIM cards grew out of an earlier criminal threat that uses the victim’s mobile number to redirect one-time passwords to the crook’s phone, Kedem says.
A SIM card is a small smart card that can be moved from one phone to another. It can be used to store a key used for authentication purposes.
SIM cards are the favored method of securing mobile payments at Isis and other telco-driven mobile-payment schemes around the world because the telco maintains more control over the technology. Other strategies, such as embedding mobile phones with Near Field Communication chips, would give handset manufacturers such as Apple Inc. more control.
In the new SIM card attack, a Gozi Trojan is used to steal international mobile equipment identity (IMEI) numbers from accountholders when they log into the mobile-banking application. Once the crooks have acquired the numbers, they contact the wireless service provider, report the mobile device as lost and ask for a new SIM card. Once the crooks receive this new SIM card, the service provider sends all one-time passcodes intended for the victim’s phone to another mobile device the crooks control.
Avivah Litan, a vice president and analyst at Gartner, says the SIM cards and the NFC chips that are embedded in the secure element where the user data are stored are highly secure.
“The vulnerabilities and issues come from the business processes and applications that surround them. In this case, it’s good old-fashioned social engineering that defeats the strong technical security,” she says. “People and processes are always the weakest links, and this is no exception. Sure, mobile payments will open up the possibility of lots of new types of attacks that exploit processes, people and applications that make use of chip functionality.”
One option for the carriers is to use strong authentication (verification through a second channel) before issuing a replacement SIM card, Kedem says.
“Mobile carriers are not set up to be issuers of credit cards; they don’t have the processes for that. They need to set up password protections similar to credit card issuers. That’s a whole new ballgame,” Kedem says.
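The following is an added example, not code from the article, from Trusteer, Isis or any carrier, that models the two controls the story points at: the carrier completing a SIM re-issuance only after a verification code returned through a second channel, and (going one step beyond what Kedem describes) the bank refusing to route a one-time passcode by SMS while the subscriber’s SIM was reissued within a cool-down window. The e-mail-on-file second channel, the 48-hour window, and the `Carrier`, `Bank` and `Subscriber` names are all assumptions; the subscriber record is constructed data.

```python
"""Added example (constructed data): SIM re-issuance gated on a second-channel
code, plus a bank-side check that keeps OTPs off SMS right after a SIM change.
Not code from Trusteer, Isis or any carrier; channel, window and names are
assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hmac
import secrets

SIM_COOLDOWN = timedelta(hours=48)   # assumption; tune per risk appetite


@dataclass
class Subscriber:
    msisdn: str
    email: str                        # second channel (assumed) for verification
    sim_issued_at: datetime           # when the current SIM was issued
    pending_code: Optional[str] = None


class Carrier:
    """Subscriber records and the two-step SIM re-issuance workflow."""

    def __init__(self, subscribers: List[Subscriber]) -> None:
        self.subs = {s.msisdn: s for s in subscribers}
        self.sent_emails: List[Tuple[str, str]] = []   # stand-in for a mail gateway

    def request_new_sim(self, msisdn: str) -> str:
        """Step 1: caller reports the phone lost. Nothing is issued yet; a
        one-time code goes to the second channel, never to the phone number
        that is about to be moved."""
        sub = self.subs[msisdn]
        sub.pending_code = f"{secrets.randbelow(10**6):06d}"
        self.sent_emails.append((sub.email, sub.pending_code))
        return "verification code sent via second channel"

    def confirm_new_sim(self, msisdn: str, code: str, now: datetime) -> bool:
        """Step 2: only a correct code completes issuance; one attempt per
        request, and the issuance timestamp is recorded for downstream checks."""
        sub = self.subs[msisdn]
        ok = sub.pending_code is not None and hmac.compare_digest(sub.pending_code, code)
        sub.pending_code = None
        if ok:
            sub.sim_issued_at = now
        return ok

    def sim_age(self, msisdn: str, now: datetime) -> timedelta:
        return now - self.subs[msisdn].sim_issued_at


class Bank:
    """Chooses the OTP delivery channel for a login using the carrier's record."""

    def __init__(self, carrier: Carrier) -> None:
        self.carrier = carrier

    def otp_channel(self, msisdn: str, now: datetime) -> str:
        # A freshly reissued SIM is exactly the condition the attack creates,
        # so SMS is refused and the passcode must travel another way.
        if self.carrier.sim_age(msisdn, now) < SIM_COOLDOWN:
            return "in_app_or_voice_callback"
        return "sms"


def demo() -> List[str]:
    """Walk through a legitimate re-issuance and show the channel decision."""
    carrier = Carrier([Subscriber("+15555550100", "user@example.invalid",
                                  datetime(2012, 1, 1))])
    bank = Bank(carrier)
    now = datetime(2012, 6, 1, 9, 0)
    out = [bank.otp_channel("+15555550100", now)]           # "sms"
    carrier.request_new_sim("+15555550100")
    _, code = carrier.sent_emails[-1]
    carrier.confirm_new_sim("+15555550100", code, now)
    out.append(bank.otp_channel("+15555550100", now))        # held off SMS
    out.append(bank.otp_channel("+15555550100", now + timedelta(days=3)))
    return out
```

The carrier never issues on the strength of the phone call alone, which is the process gap the article describes; the bank-side window is a second, independent layer in case the carrier control is bypassed.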
Isis representatives did not return requests for comment.