
Mobile Hackers' First Love: Banks

Blogs Tom Brewster 17:47, 3 Apr 2014


Banking is the biggest target for the growing mobile hacking space, explains Tom Brewster





Smartphone attacks are only just emerging as a viable threat. Innovation in the underground forums is clearly picking up, and researchers keep uncovering new ways to turn mobiles to malicious ends. Yet one industry in particular is already feeling the wrath of mobile attackers: banking.


One problem with the banking infrastructure as a whole is that it gives attackers many targets to pick from. This was highlighted this week by researchers from the consultancy MWR InfoSecurity, who uncovered four vulnerabilities in various mobile point-of-sale terminals. These are the card readers the people behind the bar ask you to push your card into, but the newer kind that the merchant sets up and manages from a mobile phone or tablet. iZettle is the best-known example in Europe.


The vulnerable devices all used the same underlying platform, made by a British company called Miura Systems. The proof-of-concept attacks put together by MWR’s Nils (he doesn’t share his full name, apparently…) included compromises over Bluetooth, over USB, and via a specially crafted payment card inserted into the reader.


A Game Of Chippy Pin?


In all cases they achieved arbitrary code execution on the point-of-sale device, which is security speak for “hackers can do whatever the flip they want on the machine”. In Nils’ demonstration, shown off at the SyScan security conference this week, they uploaded a game called Chippy Pin, a wonderfully budget version of Flappy Bird, onto the terminal.


The Bluetooth attack vector appears to be the most concerning, because the attacker could use a small, inconspicuous device such as a smartphone to launch it, with no physical access to the terminal’s ports. Once they control the terminal they could make off with some rather sensitive data: modified code running on the reader can capture the card’s magnetic stripe data and the PIN typed on the keypad, which is all that is needed to produce a working clone of the mag stripe. “What we think is the most likely scenario is they could change the code so that it reads the mag stripe... they could clone the mag stripe after they've retrieved the PIN number,” Nils told me.


These point-of-sale devices are approved by Visa and MasterCard too, so it would be no surprise to find them in many stores across the globe. Miura has reportedly put patches together and sent them out to partners (at least that’s what Nils tells me), but it is still concerning to see any kind of vulnerability in a system that handles people’s financial data, not least because a patch only helps once every merchant’s reader has actually been updated. Miura had not offered comment at the time of publication.


A New Android Botnet


Meanwhile, security researcher and blogger Brian Krebs has uncovered an Android botnet (a group of infected devices under the control of a single operator) that is targeting banks in the Middle East. According to Krebs, more than 2,700 phones were infected, and at least 28,000 text messages were intercepted.


It’s not too dissimilar to other Android banking malware, in that it comes in the guise of a two-factor authentication app (the kind that delivers a one-time code to the phone during login or a transaction). A victim who installs a fake “token” app hands it exactly the access it needs: the bank’s one-time codes arrive by SMS, and the malware reads them off the phone. What was startling, though, was the number of banks the perpetrator was targeting: Riyad Bank, SAAB, AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.
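A fake 2FA app that wants to read SMS one-time codes has to ask for SMS permissions and register to be told when a text arrives, and that shows up in its manifest. The following triage script is an added example written for this article, not code from Krebs’ analysis or from the malware itself; the two manifests it inspects are constructed, and the package names, receiver class and scoring rule are assumptions for illustration.

```python
"""Flag Android packages whose manifest both asks for SMS permissions and
registers a broadcast receiver for incoming SMS. This is a triage heuristic
for apps posing as bank "token" or 2FA apps, not a detection signature for
any particular family."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for a hypothetical fake "Bank Token" app. It asks to
# receive and send SMS and registers a maximum-priority receiver so it sees
# incoming texts before the stock messaging app does.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Bank Token">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for a hypothetical TOTP-style authenticator that
# generates codes on-device and never touches SMS.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Authenticator"/>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a summary of SMS-related capabilities declared in a manifest.

    'suspicious' is set when the app both holds an SMS permission and has a
    receiver listening for SMS_RECEIVED; either alone has legitimate uses.
    """
    root = ET.fromstring(xml_text)
    permissions = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    sms_permissions = sorted(permissions & SMS_PERMISSIONS)

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for filt in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = _android_attr(filt, "priority")
                sms_receivers.append({
                    "receiver": _android_attr(receiver, "name"),
                    "priority": int(priority) if priority is not None else 0,
                })

    return {
        "package": root.get("package"),
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "suspicious": bool(sms_permissions) and bool(sms_receivers),
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print("%-28s %s" % (result["package"], verdict))
        for r in result["sms_receivers"]:
            print("  SMS receiver %s (priority %d)" % (r["receiver"], r["priority"]))
```

In practice the manifest would be pulled out of an APK with a tool such as apktool or aapt and decoded from its binary form first; the heuristic above is deliberately narrow, since a genuine SMS-based banking app may legitimately declare the same receiver, so it is a reason to look closer rather than a verdict on its own.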


Europeans should be worried about this trend too. The continent is a hotbed for mobile shopping and banking, and Eastern Europe happens to be home to some of the most capable digital criminals on the planet.


Either way, Krebs has the right advice for mobile users here. “If you didn’t go looking for it, don’t install it,” he says.


“If you own an Android device and wish to install an application, do your homework before installing the program. That means spending a few moments to research the app in question, and not installing apps that are of dubious provenance.”







