How the banking Trojans circumvent two-factor authentication

March 15, 2016

Two-factor authentication involving SMS has been used by most banks for quite some time. This is better than nothing, of course, but it’s not unbeatable: Researchers warned that it can be surmounted with relative ease about ten years ago, when this protective measure started gaining popularity.

Unfortunately, banking Trojan writers soon mastered the techniques to circumvent the one-time passwords delivered via SMS. Here’s how it works with modern banking Trojans:

  1. A user launches a legitimate banking app on his device.
  2.  The Trojan identifies the app and overlays its UI with its own, faking the screen. The fake app looks as similar to the genuine one as possible.
  3. A user enters their login and password in the form of fake app.
  4. The Trojan sends these credentials to the criminals – now they can use them to authorize within the banking app.
  5. Criminals initiate a transaction to their own account.
  6. The user’s smartphone receives an SMS with one-time password.
  7. The Trojan intercepts this SMS and sends it over to the malefactors.
  8. At the same time, this SMS is concealed from the targeted user, so he or she doesn’t see it or suspect anything.
  9. Using the intercepted one-time password, criminals confirm the transaction and receive the money.

It wouldn’t be much of an exaggeration to state that all of the modern mobile Trojans are capable of circumventing two-factor authentication using this scenario. Their authors don’t have much choice: almost every bank employs this protective measure, so the money can’t be stolen unless it is beaten.

Trojan_horse_gates

There are more of these malicious applications than one may think. Just over the last month and a half our experts published three reports on various banking Trojans families, each one as bad as the other.

Asacub – a spying Trojan which learned to steal from banking apps too.

Acecard – a feature packed Trojan capable of overlaying apps from some 30 banks with its phishing screens. This trend has been caught by other malware as well: if initially banking Trojans would have targeted just one specific bank or payment system, now many of them are capable of hitting them in numbers.

Banloader – a cross-platform Brazilian Trojan capable of launching both on PC and mobile devices.

It is very naive to hope that two-factor authentication via SMS would protect against banking Trojans. For many years it’s been no match for them, and the situation isn’t going to improve. So the additional measures are necessary.

The problem is further aggravated with the fact that Trojans steal money via end-users’ devices, but it is banks that are the actual victims since they later have to investigate every incident, reimburse the losses, and restore their damaged reputation.

Yes, most of the Trojans can be stopped with  anti-malware solutions, but it’s an unrealistic task to persuade thousands of users to install such solutions. Banks have a good reason to take their clients protection into their own hands –  for instance, using Kaspersky Fraud Prevention suite.

Its SDK arms the bank’s own mobile app with technologies capable of detecting the Trojans’ presence and successfully prevents criminals from accessing the bank account.

The platform uses Clientless Engine, a server-side solution that is installed at the financial organization’s side and protects online access to the customers’ accounts regardless of what devices are used for this.