Hackers exploit banking app 2-factor authentication

Olivia Storey

German hackers have discovered a new way to redirect money from victims’ bank accounts into their own. The cleverly executed manoeuvre exploited a weak point in the telecommunications network.

The hackers targeted mobile phone devices with banking apps that use a 2-factor authentication security feature: the bank sends a transaction number via SMS, which is then confirmed through the app. The single-digit password allows for online bank transfers. This mTAN method was considered safe, but criminals have found a new vulnerability.

The cyber criminals acted in two steps: first obtaining all the data needed, including the account number, associated password and mobile number, and then targeting the victims from there.

Phishing emails were sent to the victims from their ‘bank’; for example, ‘Mybank.com’ would be presented as ‘My-bank.com’. The two websites are unrelated, and only those who pay close attention would notice the slight URL alteration.

The victims then entered their login details into the phishing site, where the attacker could steal the credentials. With this information, the attacker can see how much money is in the account and make transactions.
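The lookalike-domain trick described above can be caught mechanically before a user ever reaches the login page. The following is an added example, not code from the article or from ESET: a small Python checker that takes a URL from an e-mail, extracts its host, and compares it against an allow-list of legitimate bank domains. The domains in the allow-list and the sample URLs are constructed for illustration. It treats a host as suspicious when it matches a legitimate domain after cheap normalisation (hyphens removed, digit-for-letter swaps undone), when it is within a small edit distance of one, or when it embeds a legitimate domain in a longer host such as `mybank.com.evil.net`.

```python
"""Lookalike-domain check for links in suspected phishing e-mails.

Added example, not part of the ESET UK article. The allow-list and the URLs
used in the usage section are constructed sample values.
"""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate domains; a real deployment would load
# the organisation's own list of bank and service domains.
LEGITIMATE_DOMAINS = {"mybank.com", "example-bank.co.uk"}


def registered_host(url: str) -> str:
    """Return the lower-cased host of a URL with any leading 'www.' removed."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def normalise(domain: str) -> str:
    """Undo cheap visual tricks: hyphens and common digit-for-letter swaps."""
    table = str.maketrans({"-": "", "0": "o", "1": "l", "3": "e", "5": "s"})
    return domain.translate(table)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str, legit=LEGITIMATE_DOMAINS, max_distance: int = 2) -> str:
    """Classify a URL as 'legitimate', 'lookalike:<domain>' or 'unknown'."""
    host = registered_host(url)
    for domain in legit:
        # Exact domain or a genuine subdomain of it (online.mybank.com).
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    for domain in legit:
        if normalise(host) == normalise(domain):      # my-bank.com vs mybank.com
            return "lookalike:" + domain
        if edit_distance(host, domain) <= max_distance:  # mybnak.com vs mybank.com
            return "lookalike:" + domain
        if domain in host:                            # mybank.com.evil.net
            return "lookalike:" + domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing mailbox.
    for link in ["https://www.mybank.com/login",
                 "https://My-bank.com/login",
                 "http://mybank.com.evil.net/",
                 "https://mybnak.com/secure",
                 "https://news.example.org/article"]:
        print(f"{link:40} -> {classify_url(link)}")
```

The three checks are deliberately simple so that each verdict is explainable to the person who reported the mail; the edit-distance threshold is a parameter because short domains need a tighter bound than long ones.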

To do the transfer via mTAN, the hackers used vulnerabilities in the SS7 network, the signalling system that controls how mobile handsets can make phone calls abroad. Through the Home Location Register, SS7 can deliver SMS and other commands to a handset even when it has switched to an overseas network.

From there, the attackers set up call forwarding, most likely at night when the victim would not notice the network change. The hackers then log into the victim’s account using the stolen credentials and make the transfer. Before the security message comes through, they redirect the SMS to a number of their choice and confirm the transfer.

We speak to Mark James, ESET IT Security Specialist, about the security issues with this kind of 2-factor authentication and how it could be avoided in the future.

“Sadly, this is one of those flaws where we have no control over how quickly or efficiently it is going to be patched.

“In theory the only way to protect yourself if you are using SMS or the mobile network is to simply not use your phone!

“Of course that’s not what we want to hear, but there are ways we can protect our data as it is being sent.

“We can use means not going through the networks’ own channels. Encrypted messaging clients like WhatsApp or Apple iMessage will stop your data being compromised.

“If you’re worried about your calls then use a voice over data service; many top names offer this service of making calls over the internet instead.

“Your SMS messages can be protected by using Silent Circle or any other encrypted SMS service. You should be very careful about any type of financial transaction placed using mobile platforms, and always check your financial statements promptly and completely if you do bank remotely.

“Most banks will help you recover lost monies if you have not been negligent and notify them with speed.”


How much attention do you pay to a URL? Do you ever double check? What might prompt you to take a closer look? Let us know on Twitter @ESETUK.


Join the ESET UK LinkedIn Group and stay up to date with the blog. If you are interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.