Android.Bankosy Malware Defeats Two Factor Authentication

As businesses up their security act, the hackers are upping their act too.

Banks, for example, have added two-factor authentication to make logins more secure.  In fact, companies from Amazon to PayPal have added optional two-factor authentication.

So the hackers decided to up their game too.

Welcome Bankosy malware.  This malware intercepts your text messages from the target web site and forwards them to Outer Timbuktu and deletes them.  That way you don’t even know that someone attempted to log in to the site.

So now the banks added voice authentication – instead of sending a text, they call you and a computer speaks the two factor code.

So the malware puts your phone on silent, locks the screen and forwards your calls to Outer Timbuktu, grabs the code and un-forwards your calls.  All while your phone is locked and on silent.

I have never tried to forward my cell phone, but after doing some research, I did find the codes to do that.  For Sprint, they charge you 20 cents a minute for forwarded calls, for which I am not sure what the justification is.  So not only do you lose your money, but you get to pay for the call as well.

This is the downside of using your phone for the second factor.  It is very convenient, but not so secure.  If you used a standalone RSA key fob, which generates the code locally and which you cannot program or install software on, it is virtually impossible to hack.

If you put the second factor on a general purpose computing device, it is convenient, but, apparently, hackable.

Which means that if you do online banking, you should be careful about what apps you install on your phone – even if you do the online banking from another computer.
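One way to act on that advice is to look for apps that can both read your texts and place calls, the two capabilities the behaviour described above depends on. The script below is an added example, not code from the original post or from Symantec; the mapping of behaviours to Android permissions, the listing format (the `package:` / `uses-permission:` lines that `aapt dump permissions` prints) and all package names are assumptions made for illustration.

```python
import re

# Assumed mapping of the behaviours in the post to Android permissions.
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}  # see incoming texts
CALL = {"android.permission.CALL_PHONE"}  # place calls without the user confirming

PKG_RE = re.compile(r"^\s*package:\s*(?:name=')?([\w.]+)")
PERM_RE = re.compile(r"^\s*uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)")

def parse_listing(text):
    """Return {package: set(permissions)} from concatenated permission listings."""
    apps, current = {}, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), set())
        elif (m := PERM_RE.match(line)) and current is not None:
            current.add(m.group(1))
    return apps

def audit(text, trusted=()):
    """Rate each non-trusted package: 'high' = SMS and call access, 'review' = one of them."""
    findings = {}
    for pkg, perms in parse_listing(text).items():
        if pkg in trusted:  # e.g. the SMS or dialer app you chose yourself
            continue
        sms, call = bool(perms & SMS), bool(perms & CALL)
        if sms and call:
            findings[pkg] = "high"
        elif sms or call:
            findings[pkg] = "review"
    return findings

# Constructed sample input; both the old and the quoted permission syntax appear.
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.CALL_PHONE'
package: com.example.notes
uses-permission: name='android.permission.INTERNET'
package: com.example.messenger
uses-permission: android.permission.READ_SMS
package: com.example.dialer
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_SMS'
"""

if __name__ == "__main__":
    for pkg, level in sorted(audit(SAMPLE, trusted={"com.example.dialer"}).items()):
        print(f"{level:6} {pkg}")
```

A "high" rating is only a reason to look closer: a legitimate messaging or dialer app requests the same permissions, which is why the trusted list exists.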

That is why we say that cyber security is like peeling an onion – when you peel away a layer you can’t see any difference and it is often accompanied by some crying.  But eventually, you do get the result that you want.  It just takes a while.

Information for this post came from Symantec.
