Your browser is obsolete!

The page may not load correctly.

Banking online

Онлайн по банкингу

Other issues in this category (7)
  • add to favourites
    Add to Bookmarks

Online banking hacks: How to keep verification codes from being intercepted

Read: 3701 Comments: 0 Rating: 1

Monday, February 19, 2024

Even when an online service incorporates two-factor authentication, cybercriminals find ways to hack profiles and intercept access to their victims’ data.

By using two-step identification, users believe that the funds in their accounts are secure and that their personal information remains confidential. Indeed, this is definitely more reliable than relying only on complex and different passwords for all the services you use. But the technical skills of Internet fraudsters and the level of cybercrime increase as information security technologies evolve Therefore, even a complex system for logging in to a device, an Internet service or an application does not absolutely guarantee that sensitive data won’t be stolen. And how users behave online and elsewhere plays an important role in data security: some actions users take can become a clue for scammers and directly affect the chances of a computer getting hacked.

We already know that hackers are able to get hold of user logins and passwords. However, it is impossible for them to gain the right to access data without hacking the second authentication factor (2FA).

In today's article, we will talk about the most popular 2FA options used by online banks and methods for hacking them and ensuring data security.

Diverse 2FAs

In 2019, push notifications were the most popular second factor of authentication (2FA). In 2023, one-time passwords became more popular. Usually, they come in the form of SMS messages to a mobile device.

And what two-step verification methods are used in online banking?

Push notifications. If we speak about making transactions in an online banking application, a one-time code may be sent to confirm them in that same application. So, to conduct a hack, an attacker needs to gain access to both the mobile device and the data needed to log in to the application. This seems like a difficult task for fraudsters because mobile banking services usually protect their users with a separate password (that's why it is important to create different strong passwords for all the services we use), and they also often use biometric authentication.

If we imagine a scenario in which a user is undergoing two-factor banking authentication using an Internet browser, then, rather than a push notification, the user will most likely receive an SMS message containing the code needed to pass this second factor of authentication.

A one-time code in authentication applications. Such applications not only protect online banking, but also increase the security of the accounts linked to them on the Internet. Examples of such applications include Google Authenticator, FreeOTP, and many others.

They are more reliable than codes sent in SMS messages, but they are used less often because not every service uses this kind of authentication.

Email or SMS code. This is convenient and the most common method of verification. Sometimes an email message may contain an access link that makes it unnecessary to enter a username and password. But users should stay vigilant when using links (more about this below), and hackers especially like to intercept codes from SMS and email messages.

Two-factor token. This is an offline physical device — like a smartcard. To use it, criminals need to steal it: for example, they need to pull it out of a briefcase, a pocket or a small locked case. Tokens generate one-time passwords and protect users’ accounts so that they cannot be accessed on the computer.

This option is more suitable for corporate protection. But, alas, even such a device does not protect a computer from being hacked and remotely controlled when a trojan penetrates it.

Biometric data. Logging on using fingerprints or facial recognition seems ideal because nothing needs to be remembered or carried around, and it is extremely difficult to forge such data, although in theory it is also possible.

But, there is a nuance: not all services offer to install biometric data protection because it is expensive and requires special supervision: its implementation must comply with the letter of the law, and user data must be stored securely.

Hacking is not possible

When data security blackout technologies develop, hacking technologies keep up with them because the latter is also profitable business. Such a confrontation is like a tense intellectual game or a professional sport with loopholes, tricks, and the opponent breathing down one’s back.

Two-factor authentication makes it difficult for a hacker to carry out an attack and access personal data. But the fraudster also has a trump card — extortion and deception, which lead to the fact that victims hand over their "keys" themselves.

Do you remember the plot of the film Ocean's Eleven? And what kind of security system did Terry Benedict, the owner of the three major Las Vegas casinos, have: armed guards, biometric locks on the doors, cameras, and elevator shafts with motion sensors. We do not know how realistic this scenario is, but in order to hack a similar security system, in addition to a high level of technical training, ingenuity and artistry are needed.

The cybercriminal expects the user to be trusting, curious, inattentive, and someone who prefers to solve problems in simple ways. For example, scammers from online ad services arrange everything so that the victim, after seeing an urgent offer, does not check the terms of the transaction. They take the victim to third-party platforms and webpages, where actions are prompted, and things are rushed and played up for the sake of a successful profit.

Internet fraudsters and hackers are the same enterprising actors, so, no matter what, users need to be vigilant.

Lockpicks and keys

To get past two-factor authentication in an online banking service, an attacker usually needs to intercept a verification code from an SMS, an app, or an email.

Theoretically, it is possible to fake the victim’s biometric data, although so far this looks more like science fiction or the plot of a film where robbers break into a casino.

Sometimes, the victim's SIM card is cloned, although this scenario is less common than one-time codes being intercepted.

Cybercriminals get access to a mobile device physically — by stealing it. But there are other options that depend on the human factor.

Social engineering techniques. Attackers pose as individuals who have the right to find out a person's personal data in order to confirm some action. Let's say that the victim receives a call. The attackers ask the victim to specify all their card details and their username and password, arguing that this is necessary. For example, to unlock their account.

It should be remembered that the maximum amount of data requested by a bank over the phone is the customer’s full name and code word. If the “survey quiz” contains more items, quit the game.

Malicious programs. These can be spyware or virus software.

Without a valid and constantly updated anti-virus, users run the risk of downloading spyware, which monitors all the actions taken on a computer or mobile device and transmits them to a third party. Or, users can download a trojan disguised as a useful application, and attackers can use it to establish full remote control over the infected device.

Phishing. The classic situation: an email suggesting that you update your bank account information. In this email, the user is carefully asked to follow the link to a fake bank page. Without having been convinced of the webpage’s authenticity, the victim hands over all their banking profile data to the interested parties.

Fraudsters also know how to create additional windows inside fake webpages for entering 2FA verification codes into them.

The use of public Wi-Fi networks. Public networks can be hacked to gain access to user data. It is enough for a connection to be unprotected.

If I use ONLY my mobile banking app, can it be used to track all my login details, steal them, and log in to my account?

That depends on the type of attack and the specific device. There are banking trojans (for Android) that can read the contents of the screen, control the clipboard, take screenshots, and intercept codes from SMS messages and other notifications. At the same time, in the same banking applications, a system ban on creating screenshots may be enabled, and in a more recent OS version, there may be restrictions on reading the content. Therefore, the answer to such a question is: it depends on a number of factors.

If your account does get hacked

When you discover strange activity going on with your bank account, you need to raise the alarm — urgently call the bank's support service and report the suspicious activity.

If your account really was hacked, ou will have to do the following:

  • block your account,
  • get the bank to re-issue the card (so that the old card’s data cannot be compromised again),
  • change the passwords used to log in to your personal account and the bank's mobile app.

Even if you're very stressed, make sure you have actually called the bank's support team. A real employee will not ask you about issued cards, accounts or secret codes, let alone send you a verification code at the time of the call.

The next step is to scan all your devices for malware or spyware. If you detect a problem, eliminate it immediately.

You should also contact law enforcement agencies and provide them with all the information needed to investigate the incdent.

Important: banks do not compensate for damage caused by fraudulent transactions if the users themselves gave out their confidential data or installed malware. We ask that you be vigilant and try not to fall for intruders’ tricks.

The Anti-virus Times recommends

Here is a small checklist on the safe use of online banking services.

  • Update your anti-virus to prevent spyware and malware from penetrating your computer and smartphone. In just one day, the Doctor Web virus laboratory receives up to a million potentially malicious samples. Not all of them are viruses, but just think about this number! All devices must be protected.
  • Use two-factor authentication. With all the existing hacking methods, this is still the most reliable method of protection, and it cannot be neglected.
  • Avoid using public Wi-Fi networks for carrying out financial transactions. Check your webpage security certificates when you connect to the public Internet, and don't use online banking applications in restaurants, cafes, airports, cinemas, or other public places.
  • Always use sites with a digital security certificate. You can check the certificate by clicking on the lock icon next to the address bar. We illustrated the process of such a verification in the screenshots in our article about neural networks. We also advise you to crosscheck the address in the browser bar with the address of the original site. The difference can literally be one symbol — in which case it is a fake. Do not enter bank card details and 2FA verification codes on non-original webpages.
  • Also, make sure that the request for authentication is sent to a real bank, and not to fraudsters. We have a detailed article on this topic, namely about TLS and SSL certificates.
  • Never open suspicious links. Banks do not send emails containing links — only phishers do this. Phishing can also include messages in instant messengers and emails that promise recipients success, intimidate them or plead for their sympathy, ask them to vote in contests, etc.
  • Before downloading a file or installing a program or application, check the reliability of the source so as not to download malware or spyware. Note the quality of the animation on the pages available for viewing, whether all the fonts are the same, and whether the page or application is requesting too much confidential data to take further action. Remember: if you voluntarily give all your data to cybercriminals, your bank will not return the money debited from your account.
  • Never share with anyone the codes sent to you in SMS messages or emails for the purposes of successfully completing two-factor authentication. This information should be known only to you.

#bank_card #hacking #malware #two-factor_authentication #online banking #personal_data #fake_bank #facial_recognition #SMS_messages #social_engineering_techniques #phishing


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.