In an effort to validate and secure financial transactions, a number of banks are using transaction verification systems. The belief is that even if malware manages to change transaction details on the fly, the customer has an out-of-band channel to verify that it has not been modified. The practice assumes that it will prevent a bank heist if malware cannot infect the out-of-band channel, and therefore the bank or the customer will be able to detect fraudulent transfers.

What Are Transaction Verification Systems?

There are different types of transaction verification systems. The two most common are:

  • SMS-based: With each transaction, the bank sends an SMS text to the customer with details of the transaction and a confirmation code. In order to confirm the transaction, the customer then enters this confirmation code into his or her browser. The purpose of this process is to make sure the customer reads the details.
  • Card and reader: With each transaction, the customer uses a hardware reader. There are a number of variants, so the exact procedure depends on the bank; typically the customer enters the transaction sum and the beneficiary number into the reader, and the reader displays a code that the customer enters into his or her browser.

Safe and Sound?

However, the assumption that malware cannot influence the out-of-band channel is flawed.

The easiest way to defeat transaction verification systems is using social engineering attacks. IBM has seen a number of different variants against transaction verification systems over the years.

IBM has now encountered a new scenario that it believes is particularly interesting. The following attack is conducted by SpyEye against a Spanish bank.

Using malware, fraudsters first gain control over the Web channel. This means any information that customers view inside the browser while connected to their bank can be modified by the fraudsters. Unfortunately, customers viewing this information are usually unable to distinguish between services delivered by the bank and those that are in fact modified by malware. This gives fraudsters the ability to launch extremely effective social engineering attacks.

A Patient Bank Heist

In the attack analysts have recently seen, the fraudsters simply waited for customers to log in to their bank’s website. They then changed the content of the post-login page to a message informing customers of an upgraded security system. Customers were invited to undergo a training process that promised to help them deal with the bank’s upgraded security system. As part of the training, users were asked to make a transfer to a fictitious bank account and confirm the transaction using the confirmation code sent by the bank to their registered mobile device. The fraudsters claimed that the users’ accounts would not be debited and that the recipient’s account was fictitious.

Of course, the bank heist then happens, the money is transferred and the criminal disappears off into the sunset. The text of the post-login page is below.

BANK NAME OBSCURED está mejorando su sistema de seguridad enviando claves de un sólo uso a su teléfono móvil. Le informamos que han sido completados los cambios para la versión actualizada de nuestro sitio. Pero, muchos de nuestros usuarios tienen dificultad y cometen errores al tratar con nuestro nuevo sistema. Con el fin de evitar estas situaciones y el bloqueo de su cuenta bancaria, le invitamos a realizar un pequeño aprendizaje de capacitacion. ¡Este aprendizaje es obligatorio y su realización le llevará unos minutos! El procedimiento es el siguiente: El sistema de BANK NAME OBSCURED creará una transferencia ficticia. El dinero de esta transferencia NO será debitado de su cuenta. Es necesario la confirmación de esta transacción de prueba, introduciendo su “clave de operaciones” y la “clave de confirmacion” que usted recibirá en su teléfono móvil. Los datos de la cuenta del receptor de la transferencia son ficticios! Objetivo de esta operación: Evitar errores en el uso de nuestro sistema en el futuro. La comprobación de los datos de su teléfono móvil por el sistema. Para comenzar el aprendizaje, haga clic en Continuar.

English Translation:

BANK NAME OBSCURED is improving its security system by sending one-time keys to your mobile phone. Please note that the changes for the updated version of our site have been completed. However, many of our users have difficulty and make mistakes when dealing with our new system. In order to avoid these situations and the blocking of your bank account, we invite you to complete a short training exercise. This training is compulsory and will take only a few minutes! The procedure is as follows: the BANK NAME OBSCURED system will create a fictitious transfer. The money from this transfer will NOT be debited from your account. You must confirm this test transaction by entering your “operations key” and the “confirmation key” that you will receive on your mobile phone. The details of the account receiving the transfer are fictitious! Objective of this operation: to avoid errors in the use of our system in the future, and to allow the system to verify your mobile phone details. To begin the training, click Continue.
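As an added example (not code from the original post or from any bank), the following Python simulation models an SMS-based verification system whose confirmation code is cryptographically bound to the transaction details the server actually received. It runs two scenarios: the silent man-in-the-browser edit the control is designed to catch, and the “training transfer” scenario described above, where the customer is persuaded to intend the fraudulent transfer. The server key, account identifiers and SMS wording are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: the bank's server-side secret that binds codes to transactions.
SERVER_KEY = b"example-bank-secret-not-for-production"


def _code_for(account, amount, beneficiary, nonce):
    """Derive a 6-digit code from the exact details the server will execute."""
    msg = f"{account}|{amount}|{beneficiary}|{nonce}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_code(account, amount, beneficiary):
    """Bank side: the SMS describes the transfer as the server received it, not as the browser showed it."""
    nonce = secrets.token_hex(8)
    code = _code_for(account, amount, beneficiary, nonce)
    sms = f"Transfer of {amount} EUR to {beneficiary}. Confirmation code: {code}"
    return nonce, sms


def verify(account, amount, beneficiary, nonce, entered_code):
    """Bank side: accept only a code bound to these exact details (constant-time compare)."""
    return hmac.compare_digest(_code_for(account, amount, beneficiary, nonce), entered_code)


def customer_confirms(sms, intended_amount, intended_beneficiary):
    """The out-of-band check: the customer types the code only if the SMS matches what they meant to send."""
    if f"Transfer of {intended_amount} EUR to {intended_beneficiary}." not in sms:
        return None  # mismatch noticed, code never entered
    return sms.rsplit(": ", 1)[1]


def run_transfer(intended, submitted):
    """Simulate one transfer: 'intended' is what the customer believes, 'submitted' is what the browser sent."""
    account = "ACCT-EXAMPLE"  # constructed identifier
    nonce, sms = issue_code(account, *submitted)
    code = customer_confirms(sms, *intended)
    if code is None:
        return "rejected: SMS details do not match the customer's intent"
    if not verify(account, *submitted, nonce, code):
        return "rejected: code not bound to these transaction details"
    return f"executed: {submitted[0]} EUR to {submitted[1]}"


# Scenario 1: silent man-in-the-browser edit. Customer meant 50 EUR to a friend; malware submitted 5000 EUR to a mule.
silent_mitb = run_transfer(intended=(50, "ES-FRIEND"), submitted=(5000, "ES-MULE"))
# Scenario 2: the SpyEye "training" page. The customer was talked into intending the mule transfer themselves,
# so the SMS matches their intent, the bound code verifies, and the control is bypassed without touching the phone.
training_scam = run_transfer(intended=(5000, "ES-MULE"), submitted=(5000, "ES-MULE"))
```

The binding holds in both runs; the only difference is whose intent the customer is confirming, which is exactly what the social engineering page manipulates.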

This and many other social engineering attacks against transaction verification systems demonstrate that:

  • Forewarned is forearmed. Financial institutions need to find ways of making customers aware of the latest “bank heist” criminals are performing.
  • Securing the endpoint and the browser is important regardless of other security controls you have in place. Fraudsters continue to come up with new creative fraud schemes. As long as the computer is infected, financial malware is capable of finding new ways to bypass even the most sophisticated security controls.
