Complex Electronic Banking Fraud in Malaysia
The interesting thing about this attack is how it abuses a variety of different security systems.
Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the registered handphones of online banking users to execute cash transfers from their victims’ accounts.
Federal CCID director, Commissioner Datuk Syed Ismail Syed Azizan told a press conference today that the syndicate had skimmed the personal online details of those who had used the kiosk by secrets attaching a thumbdrive with a spy software which downloaded and stored the usernames and passwords when the bank customers logged into their online accounts.
He said the syndicate members would discreetly remove the thumbdrive and later downloaded the confidential information into their computer from where they logged on to user accounts to find out the registered handphone numbers of the bank customers.
Then, using fake MyKad, police report or authorisation letters from the target customers, the crooks would report the handphones lost and applied for new SIM cards from the unsuspecting telecommunications companies.
“This new tactic is a combination of phishing and hijacking SIM cards. Obviously when a new SIM card is issued, the one used by the victim will be cancelled and this will raise their suspicions,” Syed Ismail said.
“To counter this, a syndicate member on the pretext of being a telco staff, will call up their victims a day ahead to inform them that they will face interruptions in their mobilephone services for about two hours.
It is during this two hours that the syndicate would get the new simcard and obtains the TAC numbers with which they can transfer all available cash in his victims account to another account of an accomplice. The biggest single loss was RM50,000.” he said.
MyKad is the Malaysian national ID card.
The criminals use a fake card to get a new cell phone SIM, which they then use to authenticate a fraudulent bank transfer made with stolen credentials.
Clive Robinson • September 20, 2011 7:25 AM
Hmm,
Remind me now why is it I refuse to do online banking of any kind…
This level of sophistication is high compared to other attacks, but I personally think this is only the third level of low hanging fruit. I can see this level of sophistication going up and up.
The scary thing is that,
1, Banks want to force “online banking” to cut their own costs.
2, Nearly all “online banking” externalizes the risk onto the customer.
I wonder at what point the legislators will wake up and ensure that this situation cannot continue any longer.