“Evil mobile emulator farms” used to steal millions from US and EU banks

wicker_man

Ars Tribunus Militum
1,524
Not looking to troll, but none of the spoofed signatures contain iPhone-related names. That's not to say they weren't there, but I wonder about the coincidence.

For instance, the ability to know the GPS locations of victims - this data is not easy to obtain, unless a device is laced with malware through a malicious app. I think it's also universally accepted (and has been reported many times) that Google's Play store doesn't have the same levels of malware protection.

So, malware-laced apps downloaded from the Play store create profiles on their users, which then are matched against bank data that has already been obtained elsewhere to complete the metadata signature that's then utilised in the attack to bypass bank's protections and 2FAs?

Another reason to pay for everything using credit cards, rather than direct debits which are so popular in the UK.
 
Upvote
63 (79 / -16)

dio82

Ars Tribunus Angusticlavius
9,949
Subscriptor
Not looking to troll, but none of the spoofed signatures contain iPhone-related names. That's not to say they weren't there, but I wonder about the coincidence.

For instance, the ability to know the GPS locations of victims - this data is not easy to obtain, unless a device is laced with malware through a malicious app. I think it's also universally accepted (and has been reported many times) that Google's Play store doesn't have the same levels of malware protection.

So malware-laced apps downloaded from the Play store create a profile on their users, which then are matched against bank data that has already been obtained elsewhere to complete the metadata signature that's then utilised in the attack to bypass bank's protections and 2FAs?

Another reason to pay for everything using credit cards, rather than direct debits which are so popular in the UK.

Perhaps also enterprising individuals combined multiple darknet credential and financial data dumps into a whole and went to town.

About the credit versus debit card ... My debit card is safer than my credit card. Any interaction that does not involve chip+pin requires TFA where I need to enter a transaction code generated by a TAN generator. And if a seller escalates to lower safety (chip + signature), the joke is on them in terms of fraud liability.
 
Upvote
34 (44 / -10)

Carewolf

Ars Tribunus Angusticlavius
9,661
What happens to the people's accounts in cases like this? Knowing capitalism and banks, I'm guessing the consumer is yet again expected to bootstrap themselves out of losing their life savings, I assume.


Not in the EU countries I know some banking laws about. Don't know about the US, but I imagine if the consumer wasn't involved the bank has to cover any losses they can't revert. But I have no idea if that would be automatic or something they first have to sue for.
 
Upvote
44 (44 / 0)
What happens to the people's accounts in cases like this? Knowing capitalism and banks, I'm guessing the consumer is yet again expected to bootstrap themselves out of losing their life savings, I assume.

According to American law, the banks must return the money not withdrawn by the customer. When a customer files a complaint, the bank must investigate, and has 30 days to finish the investigation.

Similar laws cover credit card charges and debit cards. Ironically, it was these laws that allowed the credit card companies to thrive.
 
Upvote
77 (77 / 0)
Not looking to troll, but none of the spoofed signatures contain iPhone-related names. That's not to say they weren't there, but I wonder about the coincidence.

For instance, the ability to know the GPS locations of victims - this data is not easy to obtain, unless a device is laced with malware through a malicious app. I think it's also universally accepted (and has been reported many times) that Google's Play store doesn't have the same levels of malware protection.

So malware-laced apps downloaded from the Play store create a profile on their users, which then are matched against bank data that has already been obtained elsewhere to complete the metadata signature that's then utilised in the attack to bypass bank's protections and 2FAs?

Another reason to pay for everything using credit cards, rather than direct debits which are so popular in the UK.

Perhaps also enterprising individuals combined multiple darknet credential and financial data dumps into a whole and went to town.

About the credit versus debit card ... My debit card is safer than my credit card. Any interaction that does not involve chip+pin requires TFA where I need to enter a transaction code generated by a TAN generator. And if a seller escalates to lower safety (chip + signature), the joke is on them in terms of fraud liability.

Maybe that's true abroad, but in the U.S., a regular credit card is definitely safer. It's not just the matter of funds being drained, but secondary effects too. For example, one sends their landlord a check and it bounces. Likewise, if one pays a utility bill, card bill, etc. electronically and the payment is rejected. With a regular credit card, payment goes through or it doesn't. No risk of overdraft fees. While banks will generally refund all overdraft fees, etc. in cases of fraud, 3rd parties may not.

In short, paying with a bank debit card, it's your money on the line, while paying with a regular credit card, it's their money on the line. Also, banks tend to be slow to return funds.
 
Upvote
82 (85 / -3)

dio82

Ars Tribunus Angusticlavius
9,949
Subscriptor
What happens to the people's accounts in cases like this? Knowing capitalism and banks, I'm guessing the consumer is yet again expected to bootstrap themselves out of losing their life savings, I assume.

It really depends ... on paper the bank must refund fraudulent transactions within very few days. No questions asked. But reality can shatter upon impact with the burden of proof.

Fortunately, most banks are absolutely on top of things and will proactively refund stuff and they will usually refund first and ask questions later.
 
Upvote
18 (18 / 0)

xoa

Ars Legatus Legionis
12,209
Subscriptor++
It would be nice if banks provided multi factor authentication through a medium other than SMS, but few financial institutions do.
It's more than a touch depressing how financial institutions of all places seem to lag so badly on basic authentication practices. Banks were the last major service I used to have awful password practices (short max sizes, regular rotation required, weird arbitrary character restrictions, etc.). Whereas with other services I can require use of hardware tokens (which has been possible for a long time, but is now vastly easier thanks to WebAuthn), support from banks is non-existent.

The situation is an extra shame because, in principle at least, retail banks could actually have been fantastic cryptographic roots of trust. They have physical secure branches all over, are used to dealing with secure in-person interactions, and most people do visit (or at least did/could) for setting up accounts if nothing else. In many ways they'd be the perfect institutions to sign certificates for their customers vouching for their real identity. The same factors also put them in a good place for recovery were someone to lose their tokens. They could have been way, way out ahead, and if everyone (or even large percentages) had been using smart cards for finances and had well-founded crypto identities since the early 00s the digital world would be a very different place. It's too bad institutional inertia, lack of vision, lazy quarterly focus, and so on kept that from happening.
 
Upvote
43 (44 / -1)

Matthew J.

Ars Tribunus Angusticlavius
7,531
Subscriptor++
It would be nice if banks provided multi factor authentication through a medium other than SMS, but few financial institutions do.
This.

*I've* invested in a YubiKey, why can't *you* [my bank] invest in supporting it?

Hell, you should've given me a free one, instead of a toaster.

It's patently ridiculous that my Google account is more secure than the account that holds all my assets and life's savings.
 
Upvote
79 (79 / 0)
[The attackers were also able to bypass multi-factor authentication by accessing SMS messages.]

How many times does this have to happen for multi-factor authentication to no longer use SMS?
More robust security is of course nice, but it certainly sounds like they accessed those SMS messages on the device itself; i.e. the insecurity was due to the devices and how they deal with SMS, not the protocol itself (which is what people usually complain about when they complain about SMS insecurity). It's conceivable that app permissions could be improved here to reduce this risk, e.g. by forbidding permanent access to incoming SMS messages (or at least treating that very differently), and typically requiring each app to request permission each time it wants to read an incoming SMS. Other 2fa implementations can also have vulnerabilities once your device is hacked, even if they use more secure protocols.

Not that a better approach wouldn't be nice, but it's still worthwhile to protect what's easily available too.
 
Upvote
8 (8 / 0)

mmiller7

Ars Legatus Legionis
11,970
Not looking to troll, but none of the spoofed signatures contain iPhone-related names. That's not to say they weren't there, but I wonder about the coincidence.

For instance, the ability to know the GPS locations of victims - this data is not easy to obtain, unless a device is laced with malware through a malicious app. I think it's also universally accepted (and has been reported many times) that Google's Play store doesn't have the same levels of malware protection.

So malware-laced apps downloaded from the Play store create a profile on their users, which then are matched against bank data that has already been obtained elsewhere to complete the metadata signature that's then utilised in the attack to bypass bank's protections and 2FAs?

Another reason to pay for everything using credit cards, rather than direct debits which are so popular in the UK.

Perhaps also enterprising individuals combined multiple darknet credential and financial data dumps into a whole and went to town.

About the credit versus debit card ... My debit card is safer than my credit card. Any interaction that does not involve chip+pin requires TFA where I need to enter a transaction code generated by a TAN generator. And if a seller escalates to lower safety (chip + signature), the joke is on them in terms of fraud liability.
Debit is inherently less safe than credit card though. When you get hit with a few thousand $$$$ in fraud on your bank account, it seems to take weeks or more to get investigated and reversed. It takes 1 short phone call to my credit card company to dispute the charge and get it locked down, during which time I still have the money in my bank account and remaining available credit.

I have close friends who have had their bank accounts overdrawn with everything they have gone when someone manages to fraudulently use their debit cards, leaving them wondering how to buy food/gas, pay for rent, etc. Worst I've had is "wait 1-2 business days while we expedite a new credit card to your house" but I still can go withdraw cash or pay bills from my bank account in the meantime.
 
Upvote
42 (43 / -1)

KatMan911

Wise, Aged Ars Veteran
152
...spoofed GPS locations the device was known to use
Now who do we know, who could that be, that keep tracking our device's location pretty much constantly and keeps location history stored somewhere on some servers? Hmmm? And why, in the everloving fuck, would someone else be able to get that data?
 
Upvote
-8 (5 / -13)
[The attackers were also able to bypass multi-factor authentication by accessing SMS messages.]

How many times does this have to happen for multi-factor authentication to no longer use SMS?

Banks, by and large, know SMS is lousy, but there's no substitute that's as simple. People frequently change phones all the time. Even services that allow an authenticator app or hardware device used as 2nd factor often have SMS set as backup. Not providing a mobile number can be a work-around, but may not be practical or allowed.
 
Upvote
20 (20 / 0)

MMarsh

Ars Praefectus
4,321
Subscriptor
[The attackers were also able to bypass multi-factor authentication by accessing SMS messages.]

How many times does this have to happen for multi-factor authentication to no longer use SMS?
More robust security is of course nice, but it certainly sounds like they accessed those SMS messages on the device itself; i.e. the insecurity was due to the devices and how they deal with SMS, not the protocol itself (which is what people usually complain about when they complain about SMS insecurity). It's conceivable that app permissions could be improved here to reduce this risk, e.g. by forbidding permanent access to incoming SMS messages (or at least treating that very differently), and typically requiring each app to request permission each time it wants to read an incoming SMS. Other 2fa implementations can also have vulnerabilities once your device is hacked, even if they use more secure protocols.

Not that a better approach wouldn't be nice, but it's still worthwhile to protect what's easily available too.
It is *really* hard to get the message across that SMS is not adequate for 2FA at this risk level. Many, many banks only support SMS for 2FA, and won't let you use U2F, Yubikey, RSA token, etc. at all.
I've tried several times to get my bank's IT team to issue a bug ticket for this. I have not found any way to explain it to a Level 1 customer support rep that doesn't result in them just saying "well, I trust our internal IT, so you must be wrong".
At least my contract with them says it's 100% their fault if the online banking gets hacked and money goes missing.
 
Upvote
22 (23 / -1)

mmiller7

Ars Legatus Legionis
11,970
What happens to the people's accounts in cases like this? Knowing capitalism and banks, I'm guessing the consumer is yet again expected to bootstrap themselves out of losing their life savings, I assume.

It really depends ... on paper the bank must refund fraudulent transactions within very few days. No questions asked. But reality can shatter upon impact with the burden of proof.

Fortunately, most banks are absolutely on top of things and will proactively refund stuff and they will usually refund first and ask questions later.
On paper, yeah.

In reality, I've never seen it happen. In every case people I know have had faster results pleading their case with whatever company took the money away to reverse the transaction rather than the bank. In every case, the bank insists that they first at least TRY to go through the company that took the funds before the bank will step in.

That sucks though when $20,000 is gone and now your bills are all bouncing while you argue with the company that cashed the check or processed the card with the decimal point in the wrong place. And even when they agree to reverse it, that process seems to typically take 7-10 days (vs. the same day they take the money).
 
Upvote
3 (6 / -3)

mmiller7

Ars Legatus Legionis
11,970
[The attackers were also able to bypass multi-factor authentication by accessing SMS messages.]

How many times does this have to happen for multi-factor authentication to no longer use SMS?
More robust security is of course nice, but it certainly sounds like they accessed those SMS messages on the device itself; i.e. the insecurity was due to the devices and how they deal with SMS, not the protocol itself (which is what people usually complain about when they complain about SMS insecurity). It's conceivable that app permissions could be improved here to reduce this risk, e.g. by forbidding permanent access to incoming SMS messages (or at least treating that very differently), and typically requiring each app to request permission each time it wants to read an incoming SMS. Other 2fa implementations can also have vulnerabilities once your device is hacked, even if they use more secure protocols.

Not that a better approach wouldn't be nice, but it's still worthwhile to protect what's easily available too.
It is *really* hard to get the message across that SMS is not adequate for 2FA at this risk level. Many, many banks only support SMS for 2FA, and won't let you use U2F, Yubikey, RSA token, etc. at all.
I've tried several times to get my bank's IT team to issue a bug ticket for this. I have not found any way to explain it to a Level 1 customer support rep that doesn't result in them just saying "well, I trust our internal IT, so you must be wrong".
At least my contract with them says it's 100% their fault if the online banking gets hacked and money goes missing.
It's all moot anyway.

I learned when 2FA malfunctioned (I wasn't getting the texts and calls) that I could just call the bank customer support and tell them "I'm locked out, I can't get the codes, please help me" and they just verified my last-4 social, name, address, and gave me a bypass code to get in.

There has to be a back door like that when people get locked out (lose their phone/token/whatever) so it doesn't matter.
 
Upvote
33 (34 / -1)

andygoblins

Ars Centurion
244
Subscriptor
My big takeaway here is that "location" isn't a strong authentication method. The bank's fraud detection systems didn't flag the transactions because the devices appeared to be coming from the correct location.

I don't mean we should scrap location as a fraud detection measure, but it probably means we need to consider some other factors as well.
 
Upvote
0 (3 / -3)

dio82

Ars Tribunus Angusticlavius
9,949
Subscriptor
[The attackers were also able to bypass multi-factor authentication by accessing SMS messages.]

How many times does this have to happen for multi-factor authentication to no longer use SMS?
More robust security is of course nice, but it certainly sounds like they accessed those SMS messages on the device itself; i.e. the insecurity was due to the devices and how they deal with SMS, not the protocol itself (which is what people usually complain about when they complain about SMS insecurity). It's conceivable that app permissions could be improved here to reduce this risk, e.g. by forbidding permanent access to incoming SMS messages (or at least treating that very differently), and typically requiring each app to request permission each time it wants to read an incoming SMS. Other 2fa implementations can also have vulnerabilities once your device is hacked, even if they use more secure protocols.

Not that a better approach wouldn't be nice, but it's still worthwhile to protect what's easily available too.
It is *really* hard to get the message across that SMS is not adequate for 2FA at this risk level. Many, many banks only support SMS for 2FA, and won't let you use U2F, Yubikey, RSA token, etc. at all.
I've tried several times to get my bank's IT team to issue a bug ticket for this. I have not found any way to explain it to a Level 1 customer support rep that doesn't result in them just saying "well, I trust our internal IT, so you must be wrong".
At least my contract with them says it's 100% their fault if the online banking gets hacked and money goes missing.
It's all moot anyway.

I learned when 2FA malfunctioned (I wasn't getting the texts and calls) that I could just call the bank customer support and tell them "I'm locked out, I can't get the codes, please help me" and they just verified my last-4 social, name, address, and gave me a bypass code to get in.

There has to be a back door like that when people get locked out (lose their phone/token/whatever) so it doesn't matter.

Physical addresses. In such cases unlock codes are sent by mail in "tamper-proof" envelopes. It is your obligation by contract and law (in many countries) to always inform your bank of your current address.
 
Upvote
8 (9 / -1)

dio82

Ars Tribunus Angusticlavius
9,949
Subscriptor
Actually I think that from 2021 strong auth for banks in the EU is mandatory

Wasn't that end of 2019?
My bank was scrambling pretty hard with escalating messages about switching my hardware tokens. Now, their legal department seems to have found a loophole and theoretically I could do everything on my mobile phone with a "secure" app.

Thanks, but no thanks. I will stick to my hardware tokens. Yes they are inconvenient, but I do not trust the attack surface that my phone represents.
 
Upvote
10 (10 / 0)

cardboardtarget

Ars Praetorian
469
Subscriptor++
I'm being a bit thick, I'm afraid; where are they sending the money? And why can't that be traced?

Not sure in this case as I haven't read further than this article, but there's a whole ecosystem of services in the criminal world that revolve around getting this kind of money somewhere or into a format where it can't be clawed back i.e. money laundering. So you can trace it to a certain point but then the chain is broken. It's not like all the money is transferred directly to one or a few accounts all belonging to the crooks. Well it could be but that would be dumb. On the upside for crooks as long as it isn't obvious the money was originally stolen from them the global banking system seems pretty blasé about dodgy money.

*Barely informed speculation follows*
This operation sounds well organised so I imagine the laundering side was similarly well set up, to quickly move the money where it is safe from banks/law enforcement or at least very time consuming for them to trace/access. If individual amounts are suitably small and spread out over time maybe something like: the money is quickly routed to the accounts of "mules" who will withdraw it as cash or use it to buy something cash-like, e.g. app store gift cards; the mule is told to deposit the cash somewhere else or do something *waves hands* with it and since the two transactions aren't obviously related the money gets "washed"; now the chain is broken it just looks like normal money doing normal money things, so the money makes its way to the original thieves with everyone on the way getting their cut. You can theoretically put it all back together but the investigative resources required are often insurmountable. I think Brian Krebs has looked into some of this stuff like money mules etc. in his reporting so that could be a good place to start. If amounts are larger you probably need smarter people with more experience that take a bigger cut... or just turn up to your local HSBC branch, they have a history of providing great service.
 
Upvote
16 (16 / 0)
All these "tech" geniuses on a "tech" site yet none figured out how to use prepaid credit cards to shop online and use only a siloed device at home for banking, credit card accounts, important... accounts?

Y'all seriously have banking/credit/debit card apps on your phones, log into banks and pay bills on your phone in your name in 2005, I mean 2020? hahahahahaha

Wow, just wow. Got my 1st cell phone in 1994 in high school and that was John Smith. Same with internet utilities, just make up some numbers, pay the deposit, trust me all these "companies" want is your money.

You actually mean your cell phone, internet, cable, and utilities are in your real name hahahahahaha

Hint:
buy a cheap notebook or cell phone or 1 of the dozens of old ones most people have by now.

Don't use it for anything but your bank/credit cards and never connect it to any network outside your home; when done, power it off, pop out the battery, store it wherever, NEVER use it for anything else.

I mean all you're doing is paying a bill or checking a balance, I don't quite understand why people need this ability 24/7 everywhere they go?

Separate devices:
1 for $$$$$, this never leaves home base
1 for personal friends, family, etc.
1 for fun, downloading, porno, or whatever you're into....

Never the 3 shall meet.

The internet, apps, Microsoft, Apple, Google, Facebook, etc. are what we called spyware/malware/viruses/stalkerware about 15 years ago; people were paid good money to remove such crapware from people's devices way back then, now it's a feature. All their "products" are so bloated with stalkerware it's laughable. They do not care about you or your privacy; they're basically "private" fronts for the government and various alphabet boys who care nothing about you or your privacy.

Prepaid credit cards are basically burner bank accounts, no blockchain needed. It's been the hood's bitcoin for almost 20 years, geez, & you can actually buy gas and cheeseburgers with 'em in the real world.

Not all countries are as lax as yours.

In a developing country like mine, you must present national resident ID to register for banks, internet, water, etc. So using real name is a must.

Although if you want, you can simply make fake ID cards with fake name, I suppose... (as it was used as a dumb card, as dumb as a name card)
 
Upvote
11 (11 / 0)
Not looking to troll, but none of the spoofed signatures contain iPhone-related names. That's not to say they weren't there, but I wonder about the coincidence.

For instance, the ability to know the GPS locations of victims - this data is not easy to obtain, unless a device is laced with malware through a malicious app. I think it's also universally accepted (and has been reported many times) that Google's Play store doesn't have the same levels of malware protection.

So malware-laced apps downloaded from the Play store create a profile on their users, which then are matched against bank data that has already been obtained elsewhere to complete the metadata signature that's then utilised in the attack to bypass bank's protections and 2FAs?

Another reason to pay for everything using credit cards, rather than direct debits which are so popular in the UK.

Perhaps also enterprising individuals combined multiple darknet credential and financial data dumps into a whole and went to town.

About the credit versus debit card ... My debit card is safer than my credit card. Any interaction that does not involve chip+pin requires TFA where I need to enter a transaction code generated by a TAN generator. And if a seller escalates to lower safety (chip + signature), the joke is on them in terms of fraud liability.

Maybe that's true abroad, but in the U.S., a regular credit card is definitely safer. It's not just the matter of funds being drained, but secondary effects too. For example, one sends their landlord a check and it bounces. Likewise, if one pays a utility bill, card bill, etc. electronically and the payment is rejected. With a regular credit card, payment goes through or it doesn't. No risk of overdraft fees. While banks will generally refund all overdraft fees, etc. in cases of fraud, 3rd parties may not.

In short, paying with a bank debit card, it's your money on the line, while paying with a regular credit card, it's their money on the line. Also, banks tend to be slow to return funds.

Depends on the bank. I use a bank that has none of the drawbacks of traditional banks:

* No bank side overdrafts
* Account can't go into the negative (ACH transfers that push the account into the negative are rejected)

That being said, a credit card still narrowly comes out on top. We need more regulations and possibly incentives in order to improve the state of things.

The only time in my life my bank account was drained it took the bank 12 weeks to give me back the funds. They took 4 weeks to investigate and 8 weeks to give me my money back. The whole situation was infuriating, because in my case, my account was emptied via debit card purchases in CA when I was in NJ. Charges were being made WHILE I WAS AT A BRANCH in NJ talking to a specialist. Yes, that is how complacent the banking industry has gotten. This was quite a while ago, but I suspect things haven't improved much since.

For credit cards, your actual fluid cash isn't involved in the situation, and credit card companies tend to give provisional credits right away. Banks should be required to do that as well.
 
Upvote
9 (9 / 0)

valkyriebiker

Ars Tribunus Militum
1,528
Subscriptor
So much focus on emulators, before the article casually gets around to mentioning the attackers already had the bank and SMS credentials.

Well, I assume the focus on mobile emulators is because it isn't nearly as common (never till now?) and allowed the bad guys to massively scale-up their heist. To me, that makes it pretty notable and newsworthy.
 
Upvote
7 (7 / 0)