Theft by spyware
On the afternoon of July 7, Mr. Tran Viet Luan (Thu Duc District, Ho Chi Minh City), who lost VND 406 million from his Vietcombank account through the Digibank app, said that since the incident was reported in the newspaper, the bank has given him no further information about his complaint that he did not log into his account and did not carry out the 4 transaction orders of VND 406 million.
“In the customer feedback letter, Vietcombank only reported that the SMS service provider sent the OTP to my phone without giving any proof, while I said I did not receive any message about the OTP. Too tired, I will report to the police and have authorized a law firm to pursue this case,” said Mr. Luan.
An OTP (one-time password) exists only for a short period of time, usually becoming invalid after 60 seconds, and is considered the most effective lock for protecting an account. The fact that OTP codes can also be stolen therefore causes confusion among users. The Whitehat forum (white hat hackers) in Vietnam analyzed that the vulnerability here is a technological weakness in the method of sending OTPs via traditional text messages on mobile phones (SMS OTP), which bad actors have exploited for phishing attacks without the knowledge of the victim.
If there is a “gap” in the SMS OTP method, it will become a bigger story because anyone can lose money, but this situation is very difficult. However, sending SMS OTP has limitations, as it is not possible for cross-border services. There is also a risk of it being stolen from the telecommunications network, but in reality that is not easy. Today many organizations have switched to using OTP authentication in apps like Google Authenticator … for added convenience.
Security Expert Nguyen Minh Duc
Whitehat describes 2 scenarios. In the first, the attacker tricks the victim into entering the OTP code on a fake website (bank, money transfer service …) in order to capture the code and use it to create a fraudulent money transfer transaction. In the second, the attacker tricks the victim into installing spyware on the phone. This software tracks all information, including messages containing OTP codes and information recorded in mobile banking applications.
Regarding the security weakness of the OTP authentication method, recently in June, Bkav Technology Group issued a warning about a piece of spyware called Vietnam84App. This software steals data from Vietnamese users, focusing especially on stealing OTP codes from SMS. It is estimated that there were more than 300 victims in Vietnam in a short time. Vietnam84App is distributed via fake websites; when users visit such a website, the Vietnam84App application is downloaded to their phone as an .apk file. Vietnam84App then silently collects messages, phone numbers, IMEI information … and sends them to the hacker's control server. Analyzing Vietnam84App, the experts found that the control server had a Chinese-language interface and that the messages collected from phones included bank transactions worth billions of dong.
Many questions about malicious code
Security expert Nguyen Minh Duc explains that in order to withdraw money from a bank account, the scammer must steal all the information about the account and then the OTP code. In the above customer's case, the scammer activated the bank account on another device. To do that, the scammer also had to obtain the OTP code for the installation. The OTP code may have been stolen in several ways. For example, when the message carrying the OTP appears on the device screen, someone nearby glances at it and immediately enters it to activate the account. Or, through a link to a fake website resembling Vietcombank's, the customer believes they are transacting on the bank's official website and enters the OTP code when asked; the hacker steals it and at the same time sets up the account on another device. Or the user's device already has malicious code installed, so all information and transactions are copied …
Mr. Vo Do Thang, Director of the Cyber Security Training Center, said that this unit has met many clients who lost all personal information from email to Zalo, Facebook or even accounts. In general, mobile banking has been infiltrated by spyware. Spyware is quite diverse: some programs focus on copying data related to financial transactions such as bank accounts and mobile banking; others focus on recording the history of telephone exchanges … Once spyware is present on a phone, all activities and transactions on it are copied, including messages containing OTP codes for transfer transactions.
“When the device is not secure, no matter what security method is used in banking transactions, from SMS OTP to OTP through the application … there is the possibility of being copied, and the risk of losing money is high. From there, the scammer can easily get the OTP to steal money from the account,” said Vo Do Thang.