If the recent publicity concerning the 'Sandroid' virus - which impacted
2FA is an authentication approach requiring the presentation of two or more of three authentication factors: a knowledge factor ('something only the user knows'), a possession factor ('something only the user has'), and an inherence factor ('something only the user is'). After presentation, each factor must be validated by the other party for authentication to occur.
This explains why cyber-criminals have recently switched tactics - to take advantage of 2FA security - by bundling malware with Android apps that look like 2FA applications. Typically, Trojans such as Sandroid will create a pop-up box asking handset users to download a security application onto their phones. These programmes then intercept and relay the victim's incoming SMS messages to the hackers, who in turn use the customer's banking username and password to log in as the victim. Relatively crude, but very effective.
Yet this merely represents the tip of the iceberg. In its 'Cyber Security Trends for 2014' report, management consultancy
Though Perkele has yet to significantly spread its tentacles globally, it has been present in the
Like Sandroid, crimeware kits such as Perkele and other cross-platform malware have identified large gaps in mobile device security, allowing criminals to exploit weaknesses in the system so that information is sent to a hacker who then "owns" the device.
Security applications provider Versafe found in the case of Perkele that the infection points were genuine websites that had been hacked to host the malware payload. It wasn't the first and will by no means be the last Trojan to employ this method. From a technical standpoint the user would submit a request for the bank's webpage from his or her computer, which had previously been infected by any of a variety of targeted web injection malware types.
The online banking page would then be sent to the user and opened by the web browser - the Trojan on the user's computer injecting malicious code into the webpage, prompting the user to enter his or her mobile information, including mobile number and operating system type.
The user's mobile information would then be sent to the attacker's dropzone, in which a PHP-based system would process the information and document the victim's information in the database.
PHP is a server-side scripting language designed not only for web development but also as a general purpose programming language.
According to Versafe the online banking page would then be injected with another script, asking the user to scan a Quick Response (QR) code with his or her mobile device in order to install an additional security mechanism.
The victim then scans the code, initiating download of the Perkele (or similar) mobile malware code.
The Trojan on the victim's computer would then conduct an automated transaction using the user's compromised credentials, with an SMS message containing the TAN/OTP (a one-time password valid for only one login session) then being sent to the victim's device. The Perkele malware on the mobile device would then redirect the TAN/OTP to the attacker's server.
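As an added example (not from the article or from Versafe), here is a bank-side check for the web-injection step described above: it compares the form controls in a snapshot of the rendered login page against the ones the bank actually serves and flags extras such as a mobile-number or operating-system prompt. The field names, sample markup and allow-list are constructed assumptions.

```javascript
// Added example: field names, markup and allow-list are constructed for illustration.
const EXPECTED_FIELDS = new Set(["username", "password", "csrf_token"]);

// Names that resemble the prompts described above (mobile number, operating system type).
const LURE_PATTERNS = [/mobile|phone/i, /(^|_)os(_|$)|platform/i];

// Constructed sample: the login form as the bank serves it.
const SERVED_SAMPLE = [
  '<form action="/login" method="post">',
  '<input type="text" name="username">',
  '<input type="password" name="password">',
  '<input type="hidden" name="csrf_token" value="constructed">',
  "</form>",
].join("\n");

// Constructed sample: the same form after extra controls were added in the browser.
const RENDERED_SAMPLE = SERVED_SAMPLE.replace(
  "</form>",
  '<input type="tel" name="mobile_number">\n' +
    '<select name="os_type"><option>Android</option></select>\n</form>'
);

// List the name attribute of every form control found in an HTML snapshot.
function inventory(html) {
  const names = [];
  const tagRe = /<(input|select|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = /\sname\s*=\s*["']?([^"'\s>]+)/i.exec(m[0]);
    names.push(name ? name[1] : "(unnamed)");
  }
  return names;
}

// Compare a rendered snapshot with the allow-list and report unexpected controls.
function auditLoginPage(renderedHtml, expected = EXPECTED_FIELDS) {
  const unexpected = inventory(renderedHtml).filter((n) => !expected.has(n));
  const lure = unexpected.filter((n) => LURE_PATTERNS.some((re) => re.test(n)));
  return { tampered: unexpected.length > 0, unexpected, lure };
}

console.log(auditLoginPage(SERVED_SAMPLE));
console.log(auditLoginPage(RENDERED_SAMPLE));
```

In a deployment the snapshot would come from the page's DOM as reported by the bank's own script, which is an assumption here. Injected code running in the same page can interfere with such a check, so a clean result does not prove the client is uninfected.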
Given criminals go 'where the money is', growing liquidity in developing countries is likely to result in further attacks on local banks, especially given states across the
The scale of the problem is already evident - the
Helping the criminals gain an edge, according to
Growing use of mobile apps is also having an impact, given that when users regularly download them they're essentially putting a lightweight client on the endpoint and downloading code.
The core issue, as security teams grapple with the 'any-to-any problem', is self-evidently how to secure any user, on any device, located anywhere, accessing any application or resource.
From the perspective of banks and other institutions the trend towards BYOD (bring your own device) - allowing employees to bring personally-owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications - further muddies the security waters.
In addition, the use of wireless channels to eavesdrop and gain access to data being exchanged through those channels needs to be addressed.
However, in the area of theft, at least, significant progress is being made with
In a recent report
Noteworthy was that in
The importance of being extremely vigilant cannot be overstated.