March 11, 2016

How banking Trojans bypass two-factor authentication

News Tips

Two-factor authentication with SMS is widely used by banking institutions. Of course, this measure works better than a mere password but it’s not unbreakable. Security specialists found out how it can be fooled 10 years ago, when this protection measure was just gaining popularity.

How banking Trojans bypass two-factor authentication

So did malware creators. That’s why banking Trojan developers breach one-time SMS passwords with ease. Here is how it works:

1. A user launches legitimate banking app on a smartphone.

2. A Trojan detects, which app is used, and overlays its interface with a fake copy. The fraudulent screen looks just like the real one.

3. The victim enters login and password in the fake app.

4. The Trojan sends user’s credentials to criminals. They use these data to login into the user’s banking app.

5. Then the culprits request a financial transaction to their account.

6. Victim’s phone receives SMS with one-time password.

7. The Trojan extracts the password from SMS and sends it to cybercriminals.

8. It also hides the SMS from the user. This is why the victim does not know about ongoing operations until they check their banking account and transactions history.

9. Criminals use intercepted password to confirm the transaction and receive victim’s money.

It’s hardly an exaggeration if we say that any every modern banking Trojan knows how to fool SMS-based two-factor authentication systems. In fact malware creators have no other choice: as all banks turn to this protective measure, Trojans need to adapt.

There are a lot of malicious apps that are able to do it, more than you might think. During last couple of months alone our experts posted three detailed reports devoted to three different malware families. Each one scarier that the other:

1. Asacub — a spy app that evolved into a Trojan and learned to steal money from mobile banks.

2. Acecard — a very powerful Trojan that is able to overlay interfaces of almost 30 different banking apps. By the way mobile malware is now mastering this trend: in the beginning Trojans targeted an app of one certain bank or payment service, but now they can counterfeit several apps at once.

3. Banloader — a cross-platform Trojan of Brazilian origin, that is able to launch itself on PCs and mobile devices simultaneously.

So you see, two-factor authentication cannot protect you from banking Trojans. It failed to do that for many years, and now the situation is not going to turn for the better. That’s why you need additional security measures.

The basic rule that helps, but not for 100%, is to install apps only from official stores. The thing is that there were enough cases when Trojans made the cut into Play Store or even the App Store.

This is why the most reliable solution is to install a good mobile antivirus. You can start with the basic version of Kaspersky Internet Security. It’s free, though you’ll need to scan devices manually from time to time. The full version is better, as it catches viruses on the fly, but it’s paid-for.