Wednesday, September 29, 2010

Zeus "Mitmo" Attack

It seems that hackers have found a way to get around yet another security measure. The hackers behind the infamous Zeus trojan have been able to successfully exploit text messages that banks send to users as a second form of authentication for account transactions. In order for this to work, the Zeus trojan must first invade a user’s PC. Then, users are led to a website that advertises a security update for their cell phone. In order to receive this supposed update, the user then enters their cell phone number, model, and vendor.


Zeus uses this information to send a text message to the person’s phone that contains a link to their “security certificate.” Once the user clicks on the link to download this “certificate,” the mobile version of Zeus is installed on their phone. This allows Zeus to monitor any incoming messages and install a “backdoor” that accepts and carries out commands received through text messages.


Once all of this occurs, the hacker has all he/she needs to make transactions with the user’s bank account. They simply have to log in using the stolen username and password and command the user’s mobile phone to send them the authentication text message so they can fill it in. This is sometimes referred to as a “Mitmo” or “Man in the Mobile” attack, and so far it has only affected BlackBerry and Symbian phones.


I think that it is extremely important for users of online banking services to frequently monitor their account transactions and report anything that does not look familiar. Users should also be extremely wary about entering any kind of information (such as their phone model and number) into a website. If a website claims to be offering a security update for your phone, it would probably be wise to contact the phone company first to make sure that it is a valid update.

As for the phone companies, I think it would be helpful if they followed Apple’s lead in requiring all extra installations and applications to go directly through Apple (via iTunes) instead of any outside sources. As the article mentions, this has protected the iPhone from many of these kinds of problems. It is also important for banks to continue to create new and more secure ways of authentication for transactions in order to remain one step ahead of the hackers.



http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html
http://www.scmagazineuk.com/mobiles-used-by-zeus-as-sms-messages-are-used-to-deliver-one-time-passwords/article/179764/

9 comments:

  1. Until recently, I was not aware that hackers are now using cell phones to obtain personal information. This is probably the reason why the Zeus trojan has been effective. Similar to my thinking, others who are not aware that their cell phone can be used as a tool for hackers to retrieve personal information do not hesitate to download a so-called "security update" to their mobile phone. What I learned from the article is this: as our technology is increasing, so are the means by which hackers can attack. Because of this fact, I think it is very important that individuals scrupulously examine what they decide to download. The Zeus trojan needs an individual's phone number, service provider, and phone model. Why would anyone provide this information to an unknown source other than your phone provider? In essence, I believe that because of examples such as the Zeus trojan, we need to be wary of downloading a program, unless it is in fact through a trusted company or service provider.

  2. It seems like the hackers always find a way around the security measures. Using something as personal as a cell phone to verify seems like a great idea because it is something that a single person possesses, but this is obviously not enough anymore. This seems like a case of two-factor authentication which would provide a secure environment. The person needs to hack into the computer and obtain a person's username and password (something you know), but they must also gain access to an individual's cell phone (something you have). It seems like this may not be enough any more. This may not truly be two-factor authentication because the hacker does not need physical access to the cellular phone, but it is close. I think this article should open people's eyes to the threats and show how even systems that seem very secure can become compromised. This can cause a situation where the confidentiality, integrity, or availability of information is hurt. Everyone needs to be on guard. I think the lesson of this story is to look into everything and always verify something that seems secure, like a cell phone update. Times are changing, and everyone needs to adapt to them.

  3. It is more frightening seeing the new technologies that have come about allowing for different viruses to be spread and the different mediums attackers can now use. However, I still feel as if a lot of these scams happen because users do not think through or really inspect who/what they are sending their information to. Banks are constantly sending out email reminders that their customers will NEVER be asked via electronic sources for their account number or any sensitive information. People need to be more responsible when it comes to this type of information, especially when they get so angry when it gets "leaked out." If people took time to assess the situation and really think about it before they send off any type of important information, I feel hackers will be less effective. A lot of this does come down to personal responsibility and what information you are willingly giving away.

  4. I really enjoyed this article because I used to have an iPhone and now have a BlackBerry. One of my biggest qualms has always been that I thought BlackBerry should do their downloads and applications like Apple does. It really does give the user a sense of security. With a BlackBerry on the other hand, you really sometimes do feel as unsecured as if you were using an actual computer. By Apple making you go through their site they really are able to filter dangerous material, as proven by this 'Zeus Trojan.'

  5. As technology grows more and more it becomes more integrated into our lives. The idea that anyone can obtain enough information from a text message is very distressing. Not to mention that a hacker can even develop a trojan for a phone in the first place. I would imagine that companies are developing new protections to deal with this threat but the world of computing is a difficult thing to lock down. If there is a door, and the internet has many, there is always a way to obtain and send information. Most phones and computers simply auto-update without informing the user that they are doing it. In this sense, getting malware is almost an inevitability. And now phones themselves are starting the auto-update process as well. And because it's such a new technology connected to a very unsecured network, they are vulnerable to many different types of attacks.

  6. I agree that users should be more cautious as to what information they give out, but the idea of authenticating via text message, or mobile banking in general, is relatively new, so users may not be able to distinguish what looks fishy and what is "normal." I can definitely understand if someone thought there may be a security update necessary to facilitate a transaction if that person had never done this before. If banks had clear instructions informing users what procedures to expect, there would be less chance that a user would submit to the trojan.

    The second article cmille2013 cited says that the attack is unlikely to affect that many users, but reminds us that attacks will become more sophisticated in the future, as the posts above also suggest. Because of this, the banks have to work with mobile providers in anticipating possible attacks and staying ahead of the hackers.

  7. After reading this article, I'm a little more wary of giving out information about my cell phone to a website. Before a couple of months ago, I never had an internet-enabled phone so I wasn't very concerned with having information stolen from my phone. Now, however, this seems like a real possibility. It seems that hackers are always one step ahead of those people trying to protect our information. This is yet another example of that. I wouldn't be shocked if a company like Norton developed an app or something similar to scan your phone for viruses just like it would do with a computer. It seems to me that if these attacks are happening, virus protection and firewall programs for phones are a necessity.

  8. It seems that mobile operating systems should be more proactive in making users grant applications permission before they run. I know that the Android and iPhone operating systems both require the user grant apps permissions, though the iPhone's permission system is more robust. In my experience with the Android, iPhone, and Symbian operating systems, only the iPhone operating system regularly asks for the user to grant permission whenever an application tries to take a certain action (such as getting your location), while the Android operating system asks you once, when you first install the app. In my experience with Symbian, I was never asked to grant an application permission, even when it was pulling my location data, for example.

  9. I recently read an update to this article. The article said that dozens of people, in the US, UK, and Ukraine, have been arrested linked to the Zeus attack. Those that have been arrested are suspected of being part of a very large criminal organization that has allegedly stolen $70,000,000,000 from US small businesses and other organizations.

    Despite this "breakthrough" in the case, experts are warning users to still be alert to this attack. The trojan worm, designed to steal users' personal information, is for sale on a host of websites. Experts say that for an investment of around $2,500, criminals can begin running their own fraud operation.

    This is obviously a big problem for all technology users. They are targeting all sorts of victims, and like others have previously said - people must be aware of what they are clicking on or who they are giving their information to.

    I think that the FBI and other government agencies need to step in and shut down these websites selling the worm. It seems like the only chance to stop this worm and catch individuals.

    http://www.computerworld.com/s/article/9189558/Criminals_will_continue_to_use_Zeus_Trojan_expert_says?taxonomyId=17
