Top News - Bkav Corporation

Do your best, the rest will come !

Warning: Stealing money from bank account by exploiting OTP's weaknesses

02:04:00 | 09-10-2020

Afternoon October 4, an account holder of Vietcombank lost 406 million VND. There were 4 transactions carried out with his account, which in turn transferred money to the accounts at two other banks within 7 minutes. The victim affirmed that he himself did not perform the above transactions and did not know who the beneficiary was.

Photo: Vietcombank

While the victim said he did not receive SMS messages containing verification codes and information about balance fluctuation as usual, the bank said 4 transactions were all valid and 8 messages were sent to the victim’s number.

According to Vietcombank, the victim's account on the VCB Digibank app was activated on another device and performed money transfer orders while the victim claimed not to provide the username or password of VCB Digibank service for anyone.

In fact, the cases like this are not rare. So, what is wrong? Bkav’s research shows that it comes from a technological weakness in SMS OTP authentication method. The attacker successfully took advantage of it to perform phishing attack without the victim's knowledge.

There are two possible scenarios for this case:

First, what the attacker needs to do is tricking the victim to enter OTP code into a fake website of the banks or money transfer service, etc. He then can grab the OTP and create a fake money transfer.

The second scenario is that the attacker tricks the victim into installing spyware on his phone. This software will track all information, including SMS messages containing OTP codes and login credentials to Mobile Banking applications. Once this information is obtained, the attacker will be able to create fake money transfers.

Ngo Tuan Anh, Bkav's Vice President of Cyber Security, shared: “Responsibility attribution in this case cannot help to solve the problem because OTP technology does not have the non-repudiation feature. It means that it is not able to accurately identify responsible side for the transaction. The only technologically and legally responsive solution to non-repudiation is digital signature”.

However, according to the current regulations of the State Bank of Vietnam, only transactions with very high values are required to use digital signatures. "We believe that the State Bank of Vietnam should lower this limit so that digital signatures are used more and transactions are safer”, Ngo Tuan Anh added.

Users are advised to be cautious about phishing attacks and install permanent antivirus software for computers and mobile devices.

Source: WhiteHat.vn

Others

The DEEP#GOSU virus campaign takes advantage of Google Docs and Dropbox to attack Windows users

LockBit ransomware virus attacks Windows Domain servers in Vietnam

5 million websites are at risk because of vulnerabilities in WordPress' LiteSpeed

Warning: using AI to create fake images and voices to scam money

Bug in Microsoft Outlook allows hackers to steal information and take control of devices

OPSWAT and Bkav signed a strategic partnership

Summary of cybersecurity in 2023 and forecast for 2024

Warning: Many Elknot virus variants appear targeting Vietnamese Linux servers

Bkav launches Bkav Pro 2024 with the orientation of expanding the global market

Applications impersonating government agencies to spread viruses on Android are highly active in Vietnam