Wednesday, November 14, 2012

How secure your SMS token/mTAN/TAC code is really up to you

Users will always click on an URL sent to them right? I bet any information security pros out there must have heard or said this before.

Here is a news reporting that some people in Germany got their bank account swipe out after a Trojan "intercepted/diverted" their mTAN (SMS based one time password).

Excerpt from the news by

Berlin state police warned on Tuesday that "bank customers using the SMS-TAN/mTAN process have become victim of fraudulent money withdrawals." Several people have reportedly had their bank accounts emptied in the past few weeks, the police said in a statement.

"In all cases, the SMS containing the mTAN for the online banking system was caught or diverted," the statement said. "Up until now, those affected have been customers using a Smartphone with an Android operating system."

The criminals reportedly use a Trojan virus to get their victims' bank details from their desktop computer. Then a fake notification appears on their browser saying they should protect their smartphone with a security update, which requires them to give the phone's number and model.

An SMS is then sent to the phone containing a link to the supposed security update - but the software they then download is highly dangerous. "From then on, all instant messages containing an mTAN are diverted to another mobile phone, belonging to the criminal," the statement said.

These mTAN numbers, along with the account and PIN numbers gleaned before, can now be used to withdraw money. The transactions cannot be reversed. In several cases, the fraudsters not only emptied the accounts, but also used up overdraft limits, the police said.

Police are now warning people not to download security updates onto their phones apparently sent by their banks. Emails apparently sent from banks asking for security details should also be regarded suspiciously, the police said.

Moral of the story?
1. Never enter any personal details, phone number etc you are not sure what it will be used for.
2. Ignore those warnings or ads that suddenly pop-up on your browser. Use ad-block or ad-block plus :)
3. On very top of that, do not simply click on any link you see, no matter how cute or attractive the picture is.
4. Also, install a Anti-Virus on your mobile phone. I found Avast Mobile quite useful :)
5. Patch, patch, patch your system.

Ain't security fun? ;)

 acknowledgement - picture taken from

No comments:

Post a Comment