SMS two-factor authentication is widely used by banking institutions. Obviously, this measure works better than a simple password, but it is not impenetrable. Security experts discovered 10 years ago how it can be circumvented when this security measure was gaining popularity recently.
The same goes for malware creators. That’s why bank Trojan developers easily violate single-use SMS passwords. Here’s how it works:
- a user opens an official banking app on his smartphone;
- a trojan detects which app is used and superimposes a fake copy on its interface (the fraudulent screen is the same as the real one);
- the victim enters the login credentials in the fake app;
- then the offenders request a financial transaction to their account;
- the trojan sends the user’s credentials to the criminals, who use them to log into the user’s real banking app;
What is two-factor authentication and where should you enable it? http://t.co/WSvDc9oSvb #passwords #privacy #security
- Kaspersky Lab (@kaspersky) June 9, 2014
- the victim’s phone receives an SMS with the disposable password;
- the trojan extracts the password from the SMS and sends it to the cybercriminals;
- he also hides the SMS from the user, because the victim is not aware of the ongoing operations until he checks his current account and transactions;
- The criminals use the intercepted password to confirm the transaction and receive the victim’s money.
It is no exaggeration to say that every modern banking Trojan knows how to circumvent two-factor authentication systems with SMS. In fact, malware creators have no other choice: since all banks resort to this security measure, Trojans have to be adapted.
Evolution of #Asacub trojan: from small fish to ultimate weapon – https://t.co/lLv0pY4lol #infosec #mobile #banking pic.twitter.com/gAM3zzy7aC
- Kaspersky Lab (@kaspersky) January 20, 2016
There are many illegal apps that can do this, more than you could imagine. In the past two months alone, our experts have published three detailed reports dedicated to three different families of malware. Each one more fearful than the other!
Asacub : an espionage app that has evolved into a trojan and has learned to steal money from mobile banks.
Acecard : a very powerful trojan capable of overlapping the interfaces of almost 30 different banking apps . By the way, mobile malware is now dominating this trend: in the beginning, Trojans targeted an app from a certain bank or payment service, but now they manage to fake many apps at the same time.
Banloader : a cross-platform Trojan of Brazilian origin, capable of entering PCs and mobile devices simultaneously.
Android trump card: Acecard https://t.co/yHxyACMslU #banking pic.twitter.com/DmnUAOJvSM
- Kaspersky Lab (@kaspersky) February 22, 2016
As you can see, two-factor authentication is unable to protect you from banking Trojans. It has not been successful for many years, and now the situation is not improving. That’s why you need additional security measures.
The basic rule, useful but not 100%, is to install apps only from official stores. The point is that there have been enough cases where Trojans have succeeded with the Play Store or even the App Store .
That’s why the most reliable solution is to install a good antivirus on your mobile phone. You can start with the basic version of Kaspersky Internet Security . It’s free, although from time to time you have to scan the devices manually. The full version is better, because it catches viruses on the fly, but it’s payment.