Schneier on Security
A blog covering security and security technology.
« Pretty Creepy Type of Cyberstalking |
| Shifting Risk Instead of Reducing Risk »
September 20, 2011
Complex Electronic Banking Fraud in Malaysia
The interesting thing about this attack is how it abuses a variety of different security systems.
Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the registered handphones of online banking users to execute cash transfers from their victims' accounts.
Federal CCID director, Commissioner Datuk Syed Ismail Syed Azizan told a press conference today that the syndicate had skimmed the personal online details of those who had used the kiosk by secrets attaching a thumbdrive with a spy software which downloaded and stored the usernames and passwords when the bank customers logged into their online accounts.
He said the syndicate members would discreetly remove the thumbdrive and later downloaded the confidential information into their computer from where they logged on to user accounts to find out the registered handphone numbers of the bank customers.
Then, using fake MyKad, police report or authorisation letters from the target customers, the crooks would report the handphones lost and applied for new SIM cards from the unsuspecting telecommunications companies.
"This new tactic is a combination of phishing and hijacking SIM cards. Obviously when a new SIM card is issued, the one used by the victim will be cancelled and this will raise their suspicions," Syed Ismail said.
"To counter this, a syndicate member on the pretext of being a telco staff, will call up their victims a day ahead to inform them that they will face interruptions in their mobilephone services for about two hours.
It is during this two hours that the syndicate would get the new simcard and obtains the TAC numbers with which they can transfer all available cash in his victims account to another account of an accomplice. The biggest single loss was RM50,000." he said.
MyKad is the Malaysian national ID card.
The criminals use a fake card to get a new cell phone SIM, which they then use to authenticate a fraudulent bank transfer made with stolen credentials.
Posted on September 20, 2011 at 6:36 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Remind me now why is it I refuse to do online banking of any kind...
This level of sophistication is high compared to other attacks, but I personally think this is only the third level of low hanging fruit. I can see this level of sophistication going up and up.
The scary thing is that,
1, Banks want to force "online banking" to cut their own costs.
2, Nearly all "online banking" externalizes the risk onto the customer.
I wonder at what point the legislators will wake up and ensure that this situation cannot continue any longer.
This is a fascinating story that shows just how sophisticated these people are getting. I bet it is happening elsewhere too, not just Malaysia.
If there was legislation to motivate the banks, then they'd care. At the moment, they don't have to do anything.
Maybe, if there was a £1M fine for every breach, they'd wake up.
"Maybe, if there was a £1M fine for every breach, they'd wake up."
Simply wouldn't happen. Either it would be too little for them to care or too much for them to face, so they'd get the legislation changed or exemptions put in place.
That is the nature of 'too big to fail'.
Not to mention: Most of these attacks are aimed against the user. Do you fine the banks everytime a user loses their password?
I am not quite sure where the banks would be at fault here.
It appears that the phone companies do not properly authenticate requests for replacement SIM cards - some additional ways to abuse this come to mind, e.g., calling premium numbers etc.
At the Swiss Cyberstorm Conference in May 2011, one of the speakers mentioned a similar scheme in Portugal:
The attackers would hack into the Telco mobile phone number database. They would then alter the name of certain SIM card holders to be names of their complices.
The complices would then approach a mobile phone shop reporting their phone/sim-card as being lost, proofing their identity and ownership of the said mobile phone number with their original ID card. They would thus receive a new sim card.
Otherwise it sounds like the same scheme.
"Maybe, if there was a £1M fine for every breach, they'd wake up."
I'd like to propose a variant of Goodwin's Law:
"As an online discussion grows longer, the probability of a piece of (ridiculous) legislation as the only answer to the problem approaches 1"
At what point in this transaction was the government defrauded? So why suggest handing over ridiculous sums of money to them as a solution? If you want to incentivise banks using legislation - make them liable for any loss not due to customer negligence.
Better yet, leave it to private lawsuits. Courts can do a better job of figuring out who is liable in each individual case than a million laws could. For example in this story the phone company who accepted a fake id for a new SIM could have some liability. MyKad is a government ID system, and compulsory, the governmnet may have part liability for the failure of the ID system. The bank has liability for the security of it's machines.
Fines, of any size, do nothing for customers who have been stolen from, and takes away money from solutions to problems. Stop thinking in terms of vindictive punishments that only serve to line government pockets and start thinking in terms of restorative justice and liability.
Setup your own 900 number for giving advice, charge $100/min and have all your stolen sims connect. The sim fraud is illegal, the money collection isn't.
Same has been done in itunes with stolen CC.
@Steve Jones:This is a fascinating story that shows just how sophisticated these people are getting. I bet it is happening elsewhere too, not just Malaysia.
I wonder if this also depends somewhat on the level of corruption happening in the background among law-enforcement in Malaysia relative to other countries (Western Europe, North America).
At least, for crooks using forged police authorization letters. How hard is it to forge, and how easy is it for the TelCo to call the Law Enforcement Agency in question and verify a case-number/reporting-officer detail?
For another angle, banks which don't require multi-channel authentications for money transfers won't force thieves to deceive the Telcos and/or customers for access to the outside-channel.
Thus, in areas where temporary access to someone's cell-phone isn't as valuable, we won't see that particular method used.
One final thought: when a phone/SIM is reported as lost, does the TelCo call the number associated with the lost phone/SIM, and attempt to verify that the current owner of the phone knows the owner's secret question? Or even the billing address? Are there any cultural differences on this end of the transaction?
This scheme required two different exploits, by my read.
Currently, the original article link is broken, or at least points to a web page is down for maintenance message.
(1) an exploit based on being able to place a keylogger/network-sniffer/internal-log-parser on a public terminal for online-banking, using a combination of
(1A) access to USB ports on the terminal
(1B) malware that convinced the machine to allow access to keyboard/network/internal-logs
(2) insufficient authentication for reports of stolen phones/SIM, depending on one of
(2Ai) forged police reports, OR
(2Aii) forged ID cards, OR
(2Aiii) forged personal correspondence,
AND one of
(2Bi) pilfered mail, OR
(2Bii) forged request to change billing address and/or residence at Telco's account
It's definitely clever. Any one of these security weaknesses is a problem, but none of them individually gives full access to the customer's bank account.
One problem with multi-channel authentication is that the owners/maintainers of the individual channels may be unaware of the consequences to the end-user of their security weaknesses.
Paeniteo :"I am not quite sure where the banks would be at fault here."
How about this little detail:
"managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank"
It should not be possible to attach a thumbdrive to such a system, Period.
@ Clive. I quite agree. Complexity breeds more complexity in what is best termed a complexity arms race. The more sophisticated the systems get, the more sophisticated the crooks get.
@ "Courts can do a better job of figuring out who is liable in each individual case than a million laws could."
That my friend is the best joke I have heard all month.
This technique is known as SIM swop fraud. It's been around for a number of years, principally in South Africa, but has been seen as far afield as Turkey and Australia.
>I am not quite sure where the banks would be at fault here.
>It appears that the phone companies do not properly authenticate requests for
>replacement SIM cards
That's not surprising, SIMs are a phone company billing mechanism, they were never intended to provide authentication for online banking.
Looks like technology just creates more ways to do evil (and provides a solution to very few of these ways)
This scam will not work, if the bank uses one-time passwords for either login or payment authentication, because the fraudsters cannot use codes that were already used in the netcafe.
Also, if the 360 degree authentication SMS is designed cleverly enough, it will not ask for payment authentication by a simple yes/no answer, but an answer to a personal question only the account owner would know and what is not stated inside the net banking session - again information that the crooks do not have.
Also, what makes this scam difficult is that you transfer money in the banking network - either the dumber scammer as a recipient of the funds or the even dumber mule recruited for this purpose is nearly 100% bound to get caught.
@ Steve Jones,
"Maybe, if there was a £1M fine for every breach they'd wake up"
That's not quite the legislation I was thinking of because it's to narrow (and thus can be avoided).
The problem is one of authentication.
The bank is leveraging somebody elses authentication method for their own purpose without having to pay for the authentication or the consiquences when the authentication goes wrong for them and their customers.
It is like the idiotic use of Social Security Numbers in the US and other fairly easily forged ID in the rest of the world to establish if the person is who they are claiming to be.
What should be legislated for is that authentication should not be shared in this way unless both the user of the authentication (the bank) and the authentication supplier (the phone company) agree to be jointly liable for any losses.
I thing you will find that the phone company would say something quite rude to the banks if they became liable for the banks "free riding".
However there is an issue with this which is "service centralisation" we already see this with some small American Banks and many many web sites which take payment. Effectivly for a fee they "outsource" the function to one of just a handfull of organisations.
As we know from bitter experiance with the likes of EVM this centralisation gives rise to a monopolistic position with all the nasties that usually involves including loss of privacy and unwarranted detrimental and prejudicial behaviour without due cause.
However I belive whatever form the legislation comes in it should be very broad in scope and cover all "persons legal and natural" without exception, further that any remedy a "customer" needs to take against an "organisation" for such a failure of authentication should not require the services of a court and all the expense and shenanigens involved that price justice way above all but a very few can afford.
the thing is that the mule doesn't care whether he gets caught or not. He is a mule due to him not having any assets worth taking and has a personality that makes him accept a possible time in prison for adequate compensation for the real thieves.
And some of these mules might be forged/stolen identity cases.
@Dave: "SIMs are a phone company billing mechanism, they were never intended to provide authentication for online banking"
That's why I pointed out that other nasty things could be done with a replacement SIM.
@M.V.: "It should not be possible to attach a thumbdrive to such a system"
I agree, but details are scarce here and skimming of account data cannot be prevented 100% of the time.
“This scam will not work, if the bank uses one-time passwords for either login or payment authentication, because the fraudsters cannot use codes that were already used in the netcafe.”
It’s not dependent on previous OTP’s. The fraudster gets a new legit OTP sent to him via the new SIM when he does the transaction.
“Also, if the 360 degree authentication SMS is designed cleverly enough, it will not ask for payment authentication by a simple yes/no answer, but an answer to a personal question only the account owner would know and what is not stated inside the net banking session - again information that the crooks do not have.”
That would probably be better but I suspect that most of the current SMS OTP systems run independently and do not have access to the bank’s customer database. Requiring individual customer secrets brings into play a whole bunch of other complications. Besides, now you would be relying on the timeous delivery of two SMS’s through different networks.
“Also, what makes this scam difficult is that you transfer money in the banking network - either the dumber scammer as a recipient of the funds or the even dumber mule recruited for this purpose is nearly 100% bound to get caught.”
What they typically do is register a new bank account using a fake ID. If the new account is with the same bank as the victim, the transaction settlement is usually immediate. In this case they can risk going into the bank to withdraw all funds. They would probably only risk this once though. Thereafter, they will keep using the account but only withdraw funds using random ATM’s until the account gets closed down.
As Dave mentioned, the SIM swop scam is old news.
Since they already had access to the kiosk, they could have been better served using man-in-the-browser type malware which would have allowed them to hijack each session. In this case they may not have needed the additional complication of SIM swopping.
"Since they already had access to the kiosk, they could have been better served using man-in-the-browser type malware which would have allowed them to hijack each session. In this case they may not have needed the additional complication of SIM swopping."
No, the SMS probably also contains transaction amount and destination account number beside the TAN. While not everyone will check this, enough will do to detect the compromised kiosk within hours. To small window to collect much money. The SIM swap might bought the attacker a window of days or even weeks.
In Germany this is called MobileTAN and still considered quite safe against man-in-the-browser type malware. At least unless used on iPhone or Android, which some smarter banks don't allow.
@ M.V. @ wendy
Yes, it depends on the type of OTP system used. That's why I used the word "may".
There are still banks using OTP systems which are not based on the transaction and therefore are still susceptible to MTB attacks.
"Hold on I think I can see Ross in his TARDIS coming to explain this"
If you go and read comment 4 (posted by me) on the page you link to you will find I'm not very keen on federated authentication for a number of reasons.
However the primary problem is the "all your eggs in one basket" issue. A big mistake many "technology people" make is to underestimate peoples desire to have "segregation" in their lives for many reasons but one main issue is "roles".
People have different roles in life not just socialy but proffessionaly, and whilst some also have little quirks and hobbies in their life they would not want their proffessional colleagues being cognizant of, they even more do not want some major company knowing it either. Then of course there is political affiliation they might be an unassuming donkey working in a room full of elephants, and not wish to cause the elephants to become bullish in their direction.
@ Antonio Lorusso
"Courts can do a better job of figuring out who is liable in each individual case than a million laws could."
Er, no. Without specific laws and regulations governing the issue, there is exactly zilch any court can do and even less banks will do to protect their customers from getting defrauded. You may wish to (re-)read the comments on a specific case Bruce blogged about a couple of months ago and where the judge ruled in favour of the bank instead of the customer.
I know first hand from victims that variations happen in Britain too, i.e. after acquiring bank account # of victim the fraudster phones the phone company to report a fault on the victim's line and ask the phone company to redirect all calls to the fraudster's mobile whilst its being investigated. The fraudster then quickly phones the bank and asks for a large transfer to empty the victim's account; the bank, to be safe and get routine confirmation, call the victim on their phone number to confirm....
I remember that in Holland they had a problem with this kind of scamming. A guy replaces the SIM card on his cell phone, then receives a message that his online bankaccount was blocked to prevent hijacking. His cellphone provider told him that they never disclose information to 3rd parties, and the bank (the 3rd party) told him that it was "part of an anti-fraud system" that monitored SIM-card changes they received from the cellphone provider.
But this also reminds me about the TAN/authentication scam: When you have a username/password (easely obtainable through compromised computers) you can see how much money someone has, and also their complete info on the website (like twitter, facebook, ...). The info you get with a simple password is more than you ever want to know from a person.
The authentication (which gets sent to your phone) can be bypassed due to the fact that your authentication "key" can be discovered. I heard this from someone who found out that this "key" was nothing more than a mathematical formula consisting of an x (the TAN number), an y (the answer) and a number that was sent in the headers z (the salt). He told me that he even wrote an app to prove that the math is right. That bank is still promoting internet explorer 6 and still promoting the use of TAN codes...
Also, another trick that the hackers used was injecting code in the pages that were shown, much like greasemonkey. However, they used an exploit for this to work, since they had to keep themselves hidden.
After making sure that the user logged in on the verified website (of course, else it wouldnt work), the hackers injected a popup telling the user that for "extra security", they had to insert a number... And that number corresponded with (how can you guess) a signing key (instead of a login key, onliest difference was that they had to press P2 instead of P1). So, as soon as they entered "send" they actually were sending 90% of their income to a homeless money mule. Bank was nice and gave the money back, but they could easely say: "Its not our fault" and you were digitally robbed.
> That bank is still promoting internet explorer 6
Now *that* is a crime against humanity.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.