Man-in-the-Middle Bank Fraud Attack
This sort of attack will become more common as banks require two-factor authentication:
Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount.
Next, it initiates a transfer.
At this point Tatanga uses a Web Inject to trick the user into believing that the bank is performing a chipTAN test. The fake instructions request that the user generate a TAN for the purpose of this “test” and enter the TAN.
Note that the attack relies on tricking the user, which isn’t very hard.
billswift • September 14, 2012 11:49 AM
Part of the reason it is so easy to trick users is because so many applications, from the user's point of view, are really inconsistent in the first place.
If anything out of the usual happens, I stop and make a call. To make this possible though, you have to plan withdrawals and so forth in advance and give yourself enough time for potential problems. (It is still faster than the old days of going to the bank, though, so it’s often worth it.)
The big problem is too often they rarely know anything about what may or may not be going on, even if you call support to check things out.