even online banking with verification codes by sms/text can be bypassed

"Operation Emmental is designed to bypass the generic two-factor authentication mechanism that banks employ to ensure that their customers' money remains safe.


The attacks bypass session tokens sent by a bank's remote server to users' mobile devices via text messaging. Customers preferring to bank online are required to mandatorily enter these session tokens, to start new sessions and verify/authenticate the login credentials. The session tokens are generally sent through separate channels and are considered to be secure. However this piece of malware allows attackers to impersonate the bank, leading to confidential user login credentials being exploited.

the first stage is just very human

* people are asked to click on infected links on phishing emails that look as if they come from well-known brands

the second stage is somewhat more complicated (for the attackers)

* people are than connected to servers that look as if they are from the bank but are in fact from the malware agents who use DNS manipulation on the computers from the clients for that

 after these changed settings the malware disappears from the computer

to bypass any SSL verification they inserted in the computers of the clients fake SSL certificates (especially easy if they like some belgian banks make them themselves to spare a dime) so that there are no security alerts when the computer gets connected to the bad server

* the third stage is pocket money time

when users are trying to make some purchases on the internet they are redirected to the fake bank site and if they don't they receive fake emails from brands to make instant sales

when the users click on the links they are asked to download a malicious android app that not only blocks the normal txt messages from the bank but also will intercept and keep all the login and bankdetails


well I never believed that mobile banking with a cellphone or tablet could be save and I don't understand why finally the marketing boys won it from the security guys in the banks who are now heavily promoting this unsecure method of online banking

The comments are closed.