Mobile Viruses in Man-in-the-Mobile vs Multi-Factor Authentication
Smartphones are drawing attackers' attention, especially for monetary gain. Viruses now target mobile platforms specifically to defeat multi-factor authentication, and Zeus, whose mobile component intercepts SMS on the handset, is one of them.
Based on the report at http://www.darkreading.com/authentication/security/client/showArticle.jhtml?articleID=227700141&cid=RSSfeed
we sketch a rough scenario of how a mobile virus can compromise the multi-factor authentication that the banking industry currently uses and assumes to be foolproof. Two factors appear in the flow: a ONE-TIME Device Token that the user reads off a hardware token and types in, and a ONE-TIME Authentication Token that the bank sends by SMS to the user's mobile.
- USER logs in to the FAKE BANKING SITE after being lured there by a PHISHING attack.
- FAKE BANKING SITE asks USER for a ONE-TIME Device Token and uses the phished password and token to log in to the ACTUAL Banking Site.
- LOGIN SUCCESSFUL (on the ACTUAL Banking Site, in a session the attacker controls).
- FAKE BANKING SITE adds a new Payee.
- ACTUAL Banking Site asks for a ONE-TIME Device Token.
- FAKE BANKING SITE shows USER an UNSUCCESSFUL Login message and asks for another ONE-TIME Device Token "to retry the login".
- FAKE BANKING SITE submits that ONE-TIME Device Token to the ACTUAL Banking Site.
- ACTUAL Banking Site sends a ONE-TIME Authentication Token by SMS to USER's Mobile.
- ZEUS VIRUS on the mobile silently intercepts the SMS and forwards the token to the FAKE BANKING SITE; USER never sees the message.
- FAKE BANKING SITE submits the ONE-TIME Authentication Token to the ACTUAL Banking Site.
- ADDING PAYEE SUCCESSFUL
- FAKE BANKING SITE transfers USER's money to the new Payee.
- ACTUAL Banking Site asks for a ONE-TIME Device Token.
- FAKE BANKING SITE again shows USER an UNSUCCESSFUL Login message and asks for another ONE-TIME Device Token "to retry the login".
- FAKE BANKING SITE submits that ONE-TIME Device Token to the ACTUAL Banking Site.
- ACTUAL Banking Site sends a ONE-TIME Authentication Token by SMS to USER's Mobile.
- ZEUS VIRUS on the mobile silently intercepts the SMS and forwards the token to the FAKE BANKING SITE.
- FAKE BANKING SITE submits the ONE-TIME Authentication Token to the ACTUAL Banking Site.
- MONEY TRANSFER SUCCESSFUL
From USER's point of view the whole episode looks like three login attempts, two of which "failed". The weakness is that each factor is verified in isolation: neither the device token nor the SMS token is bound to the action it authorises, so a relay that holds the real session can spend the codes on transactions the user never saw.
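As an added example (not from the original post or from the linked report), the following Python simulation plays the relay above end to end: a toy bank that checks an HOTP-style device token and an SMS code, a victim who types a device code whenever a page asks, a phishing site that relays each challenge, and a Zeus-style mobile component that forwards the SMS instead of showing it. The HOTP device token, the session model, the account figures, the seed and the password are all constructed assumptions for the demo; the page itself does not specify how the bank's tokens work.

```python
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP, 6 digits; stands in for the USER's hardware device token."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"


class Bank:
    """Toy ACTUAL Banking Site: the SMS code is tied to a session, not to the action."""

    def __init__(self, token_secret: bytes, password: str):
        self.secret, self.counter, self.password = token_secret, 0, password
        self.balance, self.payees = 1000, set()
        self.sms_outbox = []            # stands in for the carrier SMS channel
        self.sessions, self.pending = set(), {}

    def _check_device_code(self, code: str) -> bool:
        for c in range(self.counter, self.counter + 3):   # HOTP look-ahead window
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def login(self, password: str, device_code: str):
        if password != self.password or not self._check_device_code(device_code):
            return None
        self.sessions.add(sid := secrets.token_hex(8))
        return sid

    def request_action(self, sid: str, action: tuple, device_code: str) -> bool:
        """Step-up for a sensitive action: device OTP now, SMS code to confirm."""
        if sid not in self.sessions or not self._check_device_code(device_code):
            return False
        sms_code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[sid] = (action, sms_code)
        self.sms_outbox.append(f"Your one-time code is {sms_code}")
        return True

    def confirm_action(self, sid: str, sms_code: str) -> bool:
        action, expected = self.pending.pop(sid, (None, ""))
        if action is None or not hmac.compare_digest(expected, sms_code):
            return False
        kind, arg = action
        if kind == "add_payee":
            self.payees.add(arg)
        elif kind == "transfer" and arg[0] in self.payees and arg[1] <= self.balance:
            self.balance -= arg[1]
        else:
            return False
        return True


class Victim:
    """USER with a device token who types a code whenever a page asks for one."""

    def __init__(self, token_secret: bytes, password: str):
        self.secret, self.password = token_secret, password
        self.counter, self.login_prompts = 0, 0

    def type_device_code(self) -> str:
        self.login_prompts += 1         # every prompt looks like a login retry
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class InfectedPhone:
    """ZEUS mobile component: hands the SMS code to the attacker; USER never sees it."""

    def __init__(self, bank: Bank):
        self.bank = bank

    def forward_latest_sms(self) -> str:
        return self.bank.sms_outbox.pop().split()[-1]


def run_attack(bank: Bank, victim: Victim, phone: InfectedPhone) -> dict:
    """FAKE BANKING SITE: relay each challenge exactly as in the steps above."""
    sid = bank.login(victim.password, victim.type_device_code())   # phished login
    for action in (("add_payee", "mule"), ("transfer", ("mule", 900))):
        # show "login unsuccessful", collect another device code, spend it here
        if not bank.request_action(sid, action, victim.type_device_code()):
            raise RuntimeError("device-code relay failed")
        if not bank.confirm_action(sid, phone.forward_latest_sms()):
            raise RuntimeError("SMS-code relay failed")
    return {"balance": bank.balance, "payees": sorted(bank.payees),
            "login_prompts_seen_by_user": victim.login_prompts}


def demo() -> dict:
    seed, pw = b"constructed-token-seed", "hunter2"     # constructed test data
    bank = Bank(seed, pw)
    return run_attack(bank, Victim(seed, pw), InfectedPhone(bank))
```

Running `demo()` drains the account to 100, leaves "mule" registered as a payee, and records that the user was prompted three times, each time for what looked like a login. Note that every check the bank performs passes: the codes are genuine and fresh, so the defence cannot lie in validating them harder. What the relay relies on is that the SMS carries only a code and nothing about the payee or amount it confirms.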