Showing posts with label TAN. Show all posts

Wednesday, 27 April 2011

Experimental attack on mTAN

F-Secure reports (link in German) that the trojan SpyEye has a new attack on the mTAN online banking security system. Users of infected PCs are tricked into installing malware on their Symbian mobile phones.
In order to do so, the attacker needs the phone's IMEI number, which is not a security credential in itself, but a user should become suspicious nowadays if their bank wants to know their IMEI number. Therefore I suggest categorizing this attack as experimental.
The urgent question behind this is: why did the Symbian developers base the security of their operating system on IMEI numbers?

Wednesday, 2 March 2011

Malware on Android

As everyone reports: there has been malware on Google's Android market. I have to add that such a thing removes the remaining security from SMS-TANs or similar two-factor authentication schemes. One way out of that problem would be to use an additional trusted execution environment on smartphones.

Tuesday, 28 September 2010

ZeuS attacks m-TAN

The ZeuS e-crime toolkit now also supports man-in-the-mobile attacks. It seems that the malware on the PC tricks the user into installing malware on their phone with a classic social engineering manipulation.
The fraud is then straightforward: The trojan on the PC starts a transaction, the telephone malware grabs the m-TAN confirmation message and forwards it to the malware on the PC where the fraudulent transaction is completed.
This will become increasingly dangerous with the success of smartphones, which allow more attack vectors, in particular if the telephone is regularly connected to the PC, e.g. for synchronizing or charging.
I already wrote about this problem one month ago.

Tuesday, 29 December 2009

GSM Security Broken, Finally

It has been well known for a long time that A5/1, the GSM encryption code, is not secure. Now it has finally been broken. Nobody ever believed that our phone calls were safe from the secret services of this world. The issue is that now the calls and, even worse, SMSes are vulnerable to criminals, too. This is a problem because M-TANs are used in online banking, for example.
But not all is lost: UMTS uses another algorithm, called MISTY or KASUMI, which is still considered safe. So, use M-TANs only if you have a 3G uplink.