The Anti-virus Times

Monday, February 19, 2024

Even when an online service incorporates two-factor authentication, cybercriminals find ways to hack profiles and intercept access to their victims’ data.

By using two-step identification, users believe that the funds in their accounts are secure and that their personal information remains confidential. Indeed, this is definitely more reliable than relying only on complex and different passwords for all the services you use. But the technical skills of Internet fraudsters and the level of cybercrime increase as information security technologies evolve Therefore, even a complex system for logging in to a device, an Internet service or an application does not absolutely guarantee that sensitive data won’t be stolen. And how users behave online and elsewhere plays an important role in data security: some actions users take can become a clue for scammers and directly affect the chances of a computer getting hacked.

We already know that hackers are able to get hold of user logins and passwords. However, it is impossible for them to gain the right to access data without hacking the second authentication factor (2FA).

In today's article, we will talk about the most popular 2FA options used by online banks and methods for hacking them and ensuring data security.

Diverse 2FAs

In 2019, push notifications were the most popular second factor of authentication (2FA). In 2023, one-time passwords became more popular. Usually, they come in the form of SMS messages to a mobile device.

And what two-step verification methods are used in online banking?

Push notifications. If we speak about making transactions in an online banking application, a one-time code may be sent to confirm them in that same application. So, to conduct a hack, an attacker needs to gain access to both the mobile device and the data needed to log in to the application. This seems like a difficult task for fraudsters because mobile banking services usually protect their users with a separate password (that's why it is important to create different strong passwords for all the services we use), and they also often use biometric authentication.

If we imagine a scenario in which a user is undergoing two-factor banking authentication using an Internet browser, then, rather than a push notification, the user will most likely receive an SMS message containing the code needed to pass this second factor of authentication.

A one-time code in authentication applications. Such applications not only protect online banking, but also increase the security of the accounts linked to them on the Internet. Examples of such applications include Google Authenticator, FreeOTP, and many others.

They are more reliable than codes sent in SMS messages, but they are used less often because not every service uses this kind of authentication.

Email or SMS code. This is convenient and the most common method of verification. Sometimes an email message may contain an access link that makes it unnecessary to enter a username and password. But users should stay vigilant when using links (more about this below), and hackers especially like to intercept codes from SMS and email messages.

Two-factor token. This is an offline physical device — like a smartcard. To use it, criminals need to steal it: for example, they need to pull it out of a briefcase, a pocket or a small locked case. Tokens generate one-time passwords and protect users’ accounts so that they cannot be accessed on the computer.

This option is more suitable for corporate protection. But, alas, even such a device does not protect a computer from being hacked and remotely controlled when a trojan penetrates it.

Biometric data. Logging on using fingerprints or facial recognition seems ideal because nothing needs to be remembered or carried around, and it is extremely difficult to forge such data, although in theory it is also possible.

But, there is a nuance: not all services offer to install biometric data protection because it is expensive and requires special supervision: its implementation must comply with the letter of the law, and user data must be stored securely.

Hacking is not possible

When data security blackout technologies develop, hacking technologies keep up with them because the latter is also profitable business. Such a confrontation is like a tense intellectual game or a professional sport with loopholes, tricks, and the opponent breathing down one’s back.

Two-factor authentication makes it difficult for a hacker to carry out an attack and access personal data. But the fraudster also has a trump card — extortion and deception, which lead to the fact that victims hand over their "keys" themselves.

Do you remember the plot of the film Ocean's Eleven? And what kind of security system did Terry Benedict, the owner of the three major Las Vegas casinos, have: armed guards, biometric locks on the doors, cameras, and elevator shafts with motion sensors. We do not know how realistic this scenario is, but in order to hack a similar security system, in addition to a high level of technical training, ingenuity and artistry are needed.

The cybercriminal expects the user to be trusting, curious, inattentive, and someone who prefers to solve problems in simple ways. For example, scammers from online ad services arrange everything so that the victim, after seeing an urgent offer, does not check the terms of the transaction. They take the victim to third-party platforms and webpages, where actions are prompted, and things are rushed and played up for the sake of a successful profit.

Internet fraudsters and hackers are the same enterprising actors, so, no matter what, users need to be vigilant.

Lockpicks and keys

To get past two-factor authentication in an online banking service, an attacker usually needs to intercept a verification code from an SMS, an app, or an email.

Theoretically, it is possible to fake the victim’s biometric data, although so far this looks more like science fiction or the plot of a film where robbers break into a casino.

Sometimes, the victim's SIM card is cloned, although this scenario is less common than one-time codes being intercepted.

Cybercriminals get access to a mobile device physically — by stealing it. But there are other options that depend on the human factor.

Social engineering techniques. Attackers pose as individuals who have the right to find out a person's personal data in order to confirm some action. Let's say that the victim receives a call. The attackers ask the victim to specify all their card details and their username and password, arguing that this is necessary. For example, to unlock their account.

It should be remembered that the maximum amount of data requested by a bank over the phone is the customer’s full name and code word. If the “survey quiz” contains more items, quit the game.

Malicious programs. These can be spyware or virus software.

Without a valid and constantly updated anti-virus, users run the risk of downloading spyware, which monitors all the actions taken on a computer or mobile device and transmits them to a third party. Or, users can download a trojan disguised as a useful application, and attackers can use it to establish full remote control over the infected device.

Phishing. The classic situation: an email suggesting that you update your bank account information. In this email, the user is carefully asked to follow the link to a fake bank page. Without having been convinced of the webpage’s authenticity, the victim hands over all their banking profile data to the interested parties.

Fraudsters also know how to create additional windows inside fake webpages for entering 2FA verification codes into them.

The use of public Wi-Fi networks. Public networks can be hacked to gain access to user data. It is enough for a connection to be unprotected.

If I use ONLY my mobile banking app, can it be used to track all my login details, steal them, and log in to my account?

That depends on the type of attack and the specific device. There are banking trojans (for Android) that can read the contents of the screen, control the clipboard, take screenshots, and intercept codes from SMS messages and other notifications. At the same time, in the same banking applications, a system ban on creating screenshots may be enabled, and in a more recent OS version, there may be restrictions on reading the content. Therefore, the answer to such a question is: it depends on a number of factors.

If your account does get hacked

When you discover strange activity going on with your bank account, you need to raise the alarm — urgently call the bank's support service and report the suspicious activity.

If your account really was hacked, ou will have to do the following:

• block your account,
• get the bank to re-issue the card (so that the old card’s data cannot be compromised again),
• change the passwords used to log in to your personal account and the bank's mobile app.

Even if you're very stressed, make sure you have actually called the bank's support team. A real employee will not ask you about issued cards, accounts or secret codes, let alone send you a verification code at the time of the call.

The next step is to scan all your devices for malware or spyware. If you detect a problem, eliminate it immediately.

You should also contact law enforcement agencies and provide them with all the information needed to investigate the incdent.

Important: banks do not compensate for damage caused by fraudulent transactions if the users themselves gave out their confidential data or installed malware. We ask that you be vigilant and try not to fall for intruders’ tricks.