Warning: Money stolen from bank accounts by exploiting SMS OTP weaknesses
02:04:00 | 09-10-2020

On the afternoon of October 4, a Vietcombank account holder lost 406 million VND. Four transactions were carried out on his account within 7 minutes, transferring the money to accounts at two other banks. The victim affirmed that he did not perform these transactions himself and did not know who the beneficiary was.


While the victim said he did not receive the usual SMS messages containing verification codes and balance-change notifications, the bank said all 4 transactions were valid and that 8 messages had been sent to the victim's phone number.

According to Vietcombank, the victim's VCB Digibank account was activated on another device, from which the transfer orders were placed. The victim maintained that he had not given his VCB Digibank username or password to anyone.

In fact, cases like this are not rare. So what went wrong? Bkav's research points to a technological weakness in the SMS OTP authentication method, which the attacker exploited through a phishing attack carried out without the victim's knowledge.

There are two possible scenarios for this case:

In the first, the attacker only needs to trick the victim into entering the OTP code on a fake website that imitates the bank or a money transfer service. The attacker captures the code and uses it to authorize a fraudulent transfer. Because an OTP is only valid for a short time, this is done in real time: the attacker relays the code to the bank as soon as the victim types it.

In the second, the attacker tricks the victim into installing spyware on his phone. The spyware captures everything on the device, including the SMS messages carrying OTP codes and the login credentials for mobile banking applications. With both in hand, the attacker can place fraudulent transfers himself.

Ngo Tuan Anh, Bkav's Vice President of Cyber Security, said: “Attributing responsibility in this case cannot solve the problem, because OTP technology does not have the non-repudiation property. That means it cannot accurately identify which side is responsible for the transaction. The only solution to non-repudiation that is both technologically and legally sound is the digital signature.”

However, under the current regulations of the State Bank of Vietnam, only transactions above a very high value are required to use digital signatures. “We believe the State Bank of Vietnam should lower this threshold so that digital signatures are used more widely and transactions are safer,” Ngo Tuan Anh added.
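The two properties the article contrasts can be made concrete. The added example below is not from the original article, from Bkav or from Vietcombank; it models the bank's side of the two checks. An RFC 4226 HOTP code stands in for the SMS code (a real SMS OTP is usually a random server-generated value, but the relevant property, that the code depends on a shared secret and a counter and not on the transfer, is the same), and an Ed25519 signature stands in for whatever certificate-based digital signature scheme a bank would deploy. The Transfer fields, account names and amounts are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Transfer is the order the bank actually executes. Nonce is a per-order
// value issued by the bank so that a signature cannot be replayed later.
type Transfer struct {
	From   string
	To     string
	Amount int64 // VND
	Nonce  uint64
}

// Canonical is the exact byte string a digital signature covers.
func (t Transfer) Canonical() []byte {
	return []byte(fmt.Sprintf("from=%s;to=%s;amount=%d;nonce=%d", t.From, t.To, t.Amount, t.Nonce))
}

// HOTP implements RFC 4226 (HMAC-SHA1 plus dynamic truncation) and stands in
// for the bank's SMS code. Note the inputs: a shared secret and a counter,
// nothing about the transfer the code is supposed to authorize.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// BankVerifyOTP is what an SMS-OTP bank checks. The Transfer argument is
// ignored on purpose: the order is accepted on the strength of a fresh code
// alone, and whoever presents that code is treated as the customer.
func BankVerifyOTP(secret []byte, counter uint64, code string, _ Transfer) bool {
	return hmac.Equal([]byte(HOTP(secret, counter, 6)), []byte(code))
}

// BankVerifySigned checks a signature over the canonical transfer. The bank
// holds only the public key, so it could not have produced the signature
// itself, which is what gives the scheme non-repudiation.
func BankVerifySigned(pub ed25519.PublicKey, t Transfer, sig []byte) bool {
	return ed25519.Verify(pub, t.Canonical(), sig)
}

func main() {
	// Constructed demo values, not data from the incident.
	secret := []byte("12345678901234567890") // shared OTP seed (RFC 4226 test secret)
	victimIntended := Transfer{From: "victim", To: "shop", Amount: 100000, Nonce: 1}
	attackerOrder := Transfer{From: "victim", To: "mule-account", Amount: 406000000, Nonce: 1}

	// Scenario 1 of the article: the victim types the SMS code into a phishing
	// page and the attacker relays it. The code was computed without any
	// knowledge of the beneficiary, so the bank accepts the attacker's order
	// exactly as it would the victim's. And since the bank holds the same
	// secret, a valid code proves only that "someone with the secret" acted.
	code := HOTP(secret, 1, 6) // what arrived on the victim's phone
	fmt.Println("OTP accepts victim's order:  ", BankVerifyOTP(secret, 1, code, victimIntended))
	fmt.Println("OTP accepts attacker's order:", BankVerifyOTP(secret, 1, code, attackerOrder))

	// Digital signature: the customer signs the exact order; the bank only verifies.
	// A signature phished for one order is useless for any other order.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, victimIntended.Canonical())
	fmt.Println("Sig accepts victim's order:  ", BankVerifySigned(pub, victimIntended, sig))
	fmt.Println("Sig accepts attacker's order:", BankVerifySigned(pub, attackerOrder, sig))
}
```

Run with `go run .`: the OTP check prints true for both orders, the signature check prints true only for the order the customer actually signed. The spyware scenario is no different for the OTP path, since a stolen code works for any order the attacker submits while it is valid; for the signature path it only matters if the private key itself can be extracted from the device, which is why such keys are normally kept in a token or secure element.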

Users are advised to be cautious of phishing attacks and to keep antivirus software permanently installed on both computers and mobile devices.

Source: WhiteHat.vn