Banking fraud is on a frightening upward curve, and it appears to be impossible for banks to stop it by themselves, said Tjaart van der Walt, MD of telecommunications and banking specialist TruTeq Group.
Can this problem be solved at all?
Yes. Fraudsters have a number of different techniques available, so stopping them means solving a number of problems – some easier, some more complex. We also need to accept that the computer and the smartphone will remain vulnerable.
Most people are aware of how easy it is to get malware onto a computer, but the same problem applies to smartphones. Any cryptography a bank applies in its application can only secure the path from the application to the bank. The path from the banking application to the user (the screen and keyboard) is vulnerable, and this is where the malware “skin”, an overlay drawn over the real app, does its work.
This man-in-the-middle attack is similar to the skimming devices sometimes fitted to ATMs, which read a user’s bank card as it is inserted into the machine.
The solution is to focus on the path followed by the communications. If we can calculate some sort of digital fingerprint from the user’s activity inside the mobile network, that fingerprint can be used to verify that the OTP was indeed delivered to the correct phone. Validating the path can be more effective than trying to secure the endpoint.
A key consideration in determining the digital fingerprint must be the user’s privacy. Instead of giving the banks the user’s private information, it should rather be information about changes in those details. If a user changed mobile networks a week ago and attempts to pay a regular beneficiary, it is probably safe to let the transaction complete.
If, on the other hand, the user ported today, finds himself in another country and attempts to transfer a large sum of money to a new beneficiary, it warrants some investigation.
We can tell the bank all of this without disclosing which network the user is registered on, the SIM card serial number or the country in which the SIM is registered.
Protecting the path
Mobile networks need real-time information to perform the complex operations that keep your phone call connected while it is handed over between cell towers. In IP networks such as the Internet or your office LAN, how long a packet takes to arrive matters less than how much data gets through.
In mobile networks, however, this delay, or latency, is extremely important for things to keep working. Luckily this also means that it is extremely difficult, even for experts, to tamper with the insides of a mobile network without things going wrong.
We can trust the real-time information inside the network core. This is carried by the Signalling System No. 7 (SS7) network, and this is where the magic happens. It is also where we calculate the digital fingerprint needed to detect changes that may indicate fraud.
This is illustrated below: a compromised smartphone, computer and mobile network make it possible to compromise both legs of the two-factor authentication (on the left), but this is much harder if the digital fingerprint of the mobile device is used to validate it (on the right).
Therefore, even if a user’s number has been ported or SIM-swapped and the user’s computer is infected with malware from a phishing attack, the bank can limit or even stop the transaction. This is illustrated by the two examples below.
In the example on the left, the user performs a normal transaction. The bank sends the OTP via the secured SMSC and gets back a response containing the depersonalised risk parameters. In this case the phone’s fingerprint matches the stored fingerprint, and the bank allows the OTP to complete the transaction.
In the example on the right, the fraudsters are using bank login details obtained through phishing and a ported SIM in a phone to intercept the OTP. The system recognises the change and alerts the bank, which declines the transaction.
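As an added, worked example (not TruTeq’s system or code), here is the exchange described in the two examples above together with the “changes, not details” privacy rule from the earlier paragraphs, in Python. The network-side component computes an opaque keyed-hash fingerprint over the SIM identity and home network, returns only depersonalised change parameters with the OTP delivery receipt (days since port, days since SIM change, roaming yes/no, fingerprint match yes/no), and the bank applies a simple policy on top. The field names, the HMAC construction, the thresholds for a “large” amount and a “recent” change, and every subscriber record are assumptions constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Assumptions for this example: the key lives with the fingerprinting component
# in the operator domain and is never given to the bank; thresholds are illustrative.
NETWORK_KEY = b"example-network-side-secret"
LARGE_AMOUNT = 10_000.0   # assumed bank threshold for a "large" transfer
RECENT_DAYS = 2           # assumed: a port or SIM change within 2 days is "recent"


@dataclass
class SubscriberState:
    """What the network core knows about a number (constructed sample, not real data)."""
    msisdn: str
    imsi: str             # SIM identity: stays network-side
    home_mcc_mnc: str     # home network code: stays network-side
    serving_mcc: str      # country code of the network currently serving the phone
    ported_on: date       # date of the last number port
    sim_changed_on: date  # date of the last SIM swap


def fingerprint(sub: SubscriberState) -> str:
    """Opaque tag the bank may store: a keyed hash over the private identifiers.
    Without NETWORK_KEY the bank cannot recover the IMSI or the network from it."""
    msg = f"{sub.imsi}|{sub.home_mcc_mnc}".encode()
    return hmac.new(NETWORK_KEY, msg, hashlib.sha256).hexdigest()


def risk_parameters(sub: SubscriberState, stored_tag: str, today: date) -> dict:
    """Depersonalised parameters returned with the OTP delivery receipt.
    Only changes are reported, never the identifiers themselves."""
    return {
        "fingerprint_match": hmac.compare_digest(stored_tag, fingerprint(sub)),
        "days_since_port": (today - sub.ported_on).days,
        "days_since_sim_change": (today - sub.sim_changed_on).days,
        "roaming": sub.serving_mcc != sub.home_mcc_mnc[:3],
    }


def decide(params: dict, amount: float, new_beneficiary: bool) -> str:
    """Bank-side policy: 'allow', 'review' (hold for investigation) or 'decline'."""
    if params["fingerprint_match"]:
        return "allow"                        # same SIM on the same network as enrolled
    recent = min(params["days_since_port"],
                 params["days_since_sim_change"]) < RECENT_DAYS
    if not recent and not new_beneficiary and amount < LARGE_AMOUNT:
        return "allow"                        # changed a while ago, routine payment
    red_flags = sum([params["roaming"], new_beneficiary, amount >= LARGE_AMOUNT])
    if recent and red_flags >= 2:
        return "decline"                      # changed today plus an unusual payment
    return "review"


def run_examples() -> dict:
    """The article's scenarios on constructed data; returns parameters and decisions."""
    today = date(2014, 6, 2)
    enrolled = SubscriberState("27820000001", "655010000000001", "65501", "655",
                               date(2012, 1, 10), date(2012, 1, 10))
    stored_tag = fingerprint(enrolled)        # the bank stored this at enrolment

    # Same phone and SIM, known beneficiary (left-hand example).
    normal = risk_parameters(enrolled, stored_tag, today)
    # Ported to another network a week ago, paying a regular beneficiary.
    week_old = SubscriberState("27820000001", "655070000000002", "65507", "655",
                               today - timedelta(days=7), today - timedelta(days=7))
    # Ported today to the fraudster's SIM (right-hand example), and the same
    # again but seen from a foreign network.
    ported = SubscriberState("27820000001", "655070000000999", "65507", "655", today, today)
    abroad = SubscriberState("27820000001", "655070000000999", "65507", "234", today, today)
    fraud = risk_parameters(ported, stored_tag, today)

    return {
        "normal_params": normal,
        "normal": decide(normal, 500.0, new_beneficiary=False),
        "week_old": decide(risk_parameters(week_old, stored_tag, today), 500.0, False),
        "ported_small": decide(fraud, 500.0, new_beneficiary=False),
        "fraud_params": fraud,
        "fraud": decide(fraud, 25_000.0, new_beneficiary=True),
        "abroad": decide(risk_parameters(abroad, stored_tag, today), 25_000.0, True),
    }


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{name}: {value}")
```

The point to notice is the shape of the response: the bank receives booleans and day counts, never the IMSI, the MSISDN or the network code, yet it can still tell a week-old port with a routine payment (allowed) from a same-day port with a large transfer to a new beneficiary (declined), and send everything in between for step-up or review.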
Surely this is expensive?
Not really. The volume of banking transactions is very high, and although the specialised equipment needed to determine the fingerprint is expensive, that cost can be spread across many users to reach a price point equivalent to one large cup of coffee per user per year.
So what should I do right now?
As with everything in life, we need to unlearn some bad habits and learn new, healthy ones. The really bad habits are:
* Clicking on links in email – Phishing is the number one way to get your computer infected with malware and to hand your banking login details to the fraudsters. If you were expecting an email with a link, hover the mouse pointer over the link (don’t click). Somewhere in your email client (bottom left in Gmail) you should be able to see where the link will really take you. Unless you can see the link and recognise it, do not click on it.
* Downloading mobile apps without checking out the publisher – Mobile phone malware is very easy to spread through free or cheap apps. Before installing a free app, or even a paid-for app from an unknown source, check whether the number of downloads is over a million, and then Google the name of the app, the publisher and the term “malware” or “spyware”. The odds are good that if it contains malware, somebody will have picked this up and said something online.
* Receiving banking SMSs or IP messages on the same phone you use for mobile banking – This is really dangerous, because you no longer have any meaningful two-factor authentication. Imagine two-factor authentication as two doors you need to have the keys for in order to pass through. With both keys on one device, the fraudsters only have to pick the lock on one door.
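A worked example of the “hover and look at the real destination” advice in the first bad habit above, added here and not taken from the article: it pulls the anchors out of an HTML email body and flags the signs a practitioner checks for, namely visible link text whose domain differs from the href’s, a raw IP address, a punycode host name, a non-HTTPS link, and the bank’s domain buried inside an unrelated registered domain. The sample email, the bank domain mybank.example and the two-label “registered domain” heuristic (no public-suffix list) are assumptions constructed for this example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body; the domains and the address are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Log in at <a href="https://www.mybank.example/login">www.mybank.example</a>.</p>
<p>Or verify your account here:
   <a href="http://mybank.example.secure-login.net/verify">https://www.mybank.example/verify</a></p>
<p><a href="http://203.0.113.5/bank"><b>Click here</b> to unlock your card</a></p>
"""

TRUSTED_DOMAINS = ("mybank.example",)   # assumed: the bank's real registered domain

# Visible anchor text that looks like a URL or a bare host name, e.g. "www.mybank.example".
_URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]|$)")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels as the 'registered domain'. Assumption: no public-suffix list,
    so this is wrong for co.uk-style suffixes; good enough to show the check."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href: str, text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a link looks like phishing; an empty list means nothing found."""
    reasons = []
    target = urlsplit(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        reasons.append(f"not https (scheme is '{target.scheme or 'none'}')")
    try:
        ipaddress.ip_address(host)
        reasons.append("link points at a raw IP address")
    except ValueError:
        pass                                   # a normal host name, not an IP literal
    if "xn--" in host:
        reasons.append("internationalised (punycode) host name")
    shown = _URLISH.match(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    for domain in trusted:
        if domain in host and registrable(host) != domain:
            reasons.append(f"'{domain}' buried inside unrelated domain {registrable(host)}")
    return reasons


def scan_email(html: str) -> list:
    """(href, visible text, reasons) for every link in the email body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "OK" if not reasons else "; ".join(reasons)
        print(f"{text!r} -> {href}: {verdict}")
```

On the sample body the first link passes, the second is caught three ways (plain HTTP, visible text pointing at the bank while the href goes to secure-login.net, and the bank’s name nested inside that other domain), and the third is caught for the raw IP address. The same checks are what you are doing by eye when you hover over a link, just written down.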
Some good habits to learn are:
* Installing anti-virus software on your phone and computer, and keeping it up to date.
* Using a dumb phone with a SIM dedicated to receiving OTP messages.
* Hitting “delete” when you see a button in an email.
Security is a moving goalpost, and we have already identified new modes of attack that users will face in the future. These include new and more sophisticated attacks on smartphones, and abuse of the roaming standards in mobile networks to spoof the bank from remote networks.
The solution lies in protecting the message path using real-time data and applying proactive measures. And some new, healthy habits.