In an effort to validate and secure financial transactions, a number of banks are using transaction verification systems. The belief is that even if malware manages to change transaction details on the fly, the customer has an out-of-band channel to verify that it has not been modified. The practice assumes that it will prevent a bank heist if malware cannot infect the out-of-band channel, and therefore the bank or the customer will be able to detect fraudulent transfers.

What Are Transaction Verification Systems?

There are different types of transaction verification systems. The two most common are:

• SMS-based: With each transaction, the bank sends an SMS text to the customer with details of the transaction and a confirmation code. In order to confirm the transaction, the customer then enters this confirmation code into his or her browser. The purpose of this process is to make sure the customer reads the details.
• Card and reader: With each transaction, the customer uses a reader. There are a number of variants, so it will depend on the bank. The customer enters the transaction sum and the beneficiary number, and the reader displays a code that the customer enters into his or her browser.

Safe and Sound?

However, the assumption that malware cannot influence the out-of-band channel is flawed.

The easiest way to defeat transaction verification systems is using social engineering attacks. IBM has seen a number of different variants against transaction verification systems over the years.

Now the company has encountered a new scenario that it believes is very interesting. The following attack is conducted by SpyEye against a Spanish bank.

Using malware, fraudsters first gain control over the Web channel. This means any information that customers view inside the browser while connected to their bank can be modified by the fraudsters. Unfortunately, customers viewing this information are usually unable to distinguish between services delivered by the bank and those that are in fact modified by malware. This gives fraudsters the ability to launch extremely effective social engineering attacks.

A Patient Bank Heist

In the attack analysts have recently seen, fraudsters were simply waiting for customers to log in to their bank’s website. The criminal then changed the content of the post-login page to a message informing customers of an upgraded security system. They’re invited to undergo a training process that promises to help them deal with the bank’s upgraded security system. As part of the training, users are asked to make a transfer to a fictitious bank account and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile device. Fraudsters claim that the users’ accounts will not be debited and the recipient’s account is fabricated.

Of course, the bank heist then happens, the money is transferred and the criminal disappears off into the sunset. The text of the post-login page is below.

BANK NAME OBSCURED está mejorando su sistema de seguridad enviando claves de un sólo uso a su teléfono móvil. Le informamos que han sido completados los cambios para la versión actualizada de nuestro sitio. Pero, muchos de nuestros usuarios tienen dificultad y cometen errores al tratar con nuestro nuevo sistema. Con el fin de evitar estas situaciones y el bloqueo de su cuenta bancaria, le invitamos a realizar un pequeño aprendizaje de capacitacion. ¡Este aprendizaje es obligatorio y su realización le llevará unos minutos! El procedimiento es el siguiente: El sistema de BANK NAME OBSCURED creará una transferencia ficticia. El dinero de esta transferencia NO será debitado de su cuenta. Es necesario la confirmación de esta transacción de prueba, introduciendo su “clave de operaciones” y la “clave de confirmacion” que usted recibirá en su teléfono móvil. Los datos de la cuenta del receptor de la transferencia son ficticios! Objetivo de esta operación: Evitar errores en el uso de nuestro sistema en el futuro. La comprobación de los datos de su teléfono móvil por el sistema. Para comenzar el aprendizaje, haga clic en Continuar.

English Translation:

BANK NAME OBSCURED is upgrading its security system by sending a one-time key to your mobile phone. Please note that the changes have been implemented for the updated version of our site. Many of our users have experienced difficulty and made mistakes in dealing with our new system. In order to avoid any problems and the blocking of your bank account, we invite you to participate in a little training. This training is compulsory and will take just a few minutes! The procedure is as follows: BANK NAME OBSCURED system will create an artificial transfer. The money from this transfer will not be debited from your account. You need confirmation of this transaction test, introducing its key “operations” and “password confirmation” that you receive on your mobile phone. Data from the account receiving the transfer are fictitious! Objective of this operation: Avoid errors in the use of our system in the future. The verification of the data on your mobile phone by the system. To begin learning, click Continue.

This and many other social engineering attacks against transaction verification systems demonstrate that:

• Forewarned is forearmed. Financial institutions need to find ways of making customers aware of the latest “bank heist” criminals are performing.
• Securing the endpoint and the browser is important regardless of other security controls you have in place. Fraudsters continue to come up with new creative fraud schemes. As long as the computer is infected, financial malware is capable of finding new ways to bypass even the most sophisticated security controls.