Thieves use victims' SIM cards to hack into online banking

Boston-based Web security firm Trusteer has uncovered a new scheme to raid online bank accounts.

Trusteer, whose clients includeING Direct, CIBC and other globalfinancial giants, previously deciphered attacks in which criminalsactually changed victims’ mobile phone numbers to redirectone-time-password (OTP) authorization systems used by banks to theirown cell phones.

In the newly discovered method, the bad guys steal the mobile deviceSIM (subscriber identity module) card, thereby using it to bypass bandauthentication mechanisms.

Here’s an example of how it works: thieves use the Gozi Trojan to stealIMEI (international mobile equipment identity) numbers from bankaccount holders when they log in to their online banking application.The bank uses an OTP system to authorize big financial transactions.When they’ve got the IMEI number, the criminals contact the victim’swireless provider, report themobile device as lost or stolen, and askfor a new SIM card.

Once the thieves have obtained the new SIM card, all OTP’s intended forthe victim’s phone are sent to the device owned by the criminalinstead.
Trusteer will post a second example of how this fraud can be achieved,plus images to go along with it, on itsblog Tuesday.

ITBusiness.ca | Business Advantage Through Technology

Security

Thieves use victims’ SIM cards to hack into online banking

ITBusiness Staff

Related Content

CGI awarded more than $21M in contracts from Ontario-based credit unions

Security is #1 IT priority for Canadian businesses, says CDW Canada report

Laying blame on employee in Desjardins data breach is ignoring the big picture, security experts say

Hashtag Trending – Massive cryptocurrency theft, failing facial recognition, Uber’s IPO

GET NEWS AND INSIGHTS CRITICAL TO YOUR BUSINESS Enter your email to receive the IT Business Newsletter and emails of interest from IT World Canada.