User-centered bank fraud
| Name | Info |
| --- | --- |
| SMS swaps | SMS swapping has become quite common in the banking industry. First, the attacker steals the victim's private phone number along with the phone's Security ID. The attacker then calls the carrier's SIM card call center, claims to have lost the phone and bought a new SIM card, and asks to have the old number moved to it. Using the Security ID and other private information, possibly gathered by snooping on social media accounts, they convince the telecommunication support agent to perform the phone swap. |
| Man-In-The-Middle attacks | Another old but effective tactic is the Man-in-the-Middle (MITM) attack, in which attackers target banking platforms that do not adequately protect their infrastructure. Beyond letting the attacker steal money, it damages the bank's reputation by making its infrastructure look fragile and vulnerable. The attack lets fraudsters interfere with the communication between users and the bank's backend implementation and change transaction values and accounts. It can be prevented with certificate pinning, which makes the bank's application trust only a specific certificate for a given server. |
| Man-In-The-Browser attacks | A Man-in-the-Browser (MITB) attack uses a trojan horse that acts as a proxy inside the infected web browser. It plays the role of a MITM, sniffing and modifying transactions performed in the infected browser while still displaying the user's legitimate input back to them. Most users assume their transactions are protected by SSL when they use a website with HTTPS enabled, but SSL only protects data in transit between the browser and the server, not against code already running inside the browser. |
| Spear phishing attacks | Spear phishing is an email spoofing technique used by fraudsters to target a specific organization or individual with a customized, highly realistic phishing email. Simply put, it is a more targeted, complex and research-intensive form of phishing. |
| Mobile malware attacks | Mobile banking trojans are among the most flexible and dangerous types of malware, designed to steal funds from users' accounts by stealing their credentials. They pose as genuine mobile applications in the Apple or Google app store, but once the user downloads and runs the application it starts monitoring the phone's banking apps. Not every banking app protects its own assets properly, so passwords and account data are often easy to extract because of poor implementations and exposures in open-source libraries. |
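The certificate pinning mitigation named in the Man-In-The-Middle row, as an added example that is not code from the original page: a Go pin check in the shape of a `tls.Config.VerifyPeerCertificate` callback, pinning the SHA-256 of the server's SubjectPublicKeyInfo. The keys and the throwaway self-signed certificates are constructed test data, and the demo goes one step beyond the row's wording by showing why pins target the key rather than the certificate: a renewed certificate for the same key still passes, while a certificate for a different key is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo ("sha256/..." pin form), so the pin survives renewal while the key is kept.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// verifyPinned has the tls.Config.VerifyPeerCertificate signature; run it after normal chain validation, never instead of it.
func verifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			if cert, err := x509.ParseCertificate(raw); err == nil && pins[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("pinning failure: no pinned public key in the presented chain")
	}
}
// selfSigned mints a throwaway DER certificate for key (constructed test data) so the check runs offline.
func selfSigned(key *ecdsa.PrivateKey, serial int64) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return der
}
// PinningDemo: a renewed certificate for the pinned key must pass, a certificate for an attacker's key must fail.
func PinningDemo() (renewedAccepted, rogueRejected bool) {
	legit, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	first, _ := x509.ParseCertificate(selfSigned(legit, 1))
	check := verifyPinned(map[string]bool{spkiPin(first): true})
	renewedAccepted = check([][]byte{selfSigned(legit, 2)}, nil) == nil
	rogueRejected = check([][]byte{selfSigned(rogue, 3)}, nil) != nil
	return renewedAccepted, rogueRejected
}
```

In a real client the pin set is shipped with the app (with a backup pin for key rotation) and `verifyPinned` is installed on the `tls.Config` used for the bank's API connections.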