Banking Online? Your Bank Account Password May Have Been Stolen!

Trusteer, a provider of secure web access services based in Boston, has just reported the discovery of two methods by which criminals gain access to a victim’s banking one-time password (OTP) by hijacking the SIM card of his mobile phone.

These new methods are a step up from the previous method, in which fraudsters would acquire a victim’s OTP by changing the mobile phone number registered with the bank.

According to Trusteer, one method is to obtain the victim’s IMEI (international mobile equipment identity) through malware known as the Gozi Trojan, which is installed secretly on the victim’s PC. According to Trusteer, “Once they have the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card.

With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device.” The fraudsters can then access the victim’s online banking account using the stolen OTP. This attack has been detected mostly in the U.S.

In the second method, more prevalent in Europe, a victim’s banking and personal information are stolen using a phishing attack or through a Man-in-the-Browser (MitB) attack on his PC. Armed with these details, the criminals lodge a complaint with a police station and obtain a police report that shows the victim’s mobile phone as stolen or lost.

The victim is then informed that his mobile service will be down for the next 12 hours. Next, the fraudster approaches the victim’s wireless service provider and uses the police report to get the existing SIM deactivated and a fresh SIM issued. This SIM is used by the criminal to receive the victim’s incoming calls and the OTPs issued by the bank.

How does a person protect himself from these attacks?

According to Trusteer, the best way is to be on guard and take steps to protect oneself. “The best practice requires three steps,” the company says. “First is to have security software from the bank itself that is designed to fight financial fraud. Second, don’t play along with any change you see in the bank’s web site that is asking for information it hasn’t asked you for previously. Call the bank and ask about it.”

Lastly, pay heed to the oft-repeated warnings not to divulge personal information in response to phishing attempts, whether they arrive over the internet or by phone.
