Why is it (not) worth using the mobile application to authorize transfers? - Niebezpiecznik.pl

2022-10-08 14:49:24 By : Mr. Zhike Wang

A week ago we described how a gang of criminals steals from the customers of Polish banks thanks to illegally obtained duplicate SIM cards. We thought that in that article we clearly indicated what to do to minimize losses if someone obtains a duplicate of your SIM card. Nevertheless, in the comments under that article many (too many) readers suggested to other readers some rather poor preventive measures, such as switching to transaction authorization with one-time codes from a scratch card...

So we decided to compare all the methods of authorizing operations in online banking and explain once and for all why scratch cards are generally not a good idea, and why anyone who can should switch to so-called mobile authorization, i.e. confirming transactions on a mobile phone. Not with a code from an SMS, but with a "button" in the bank's mobile application.

But while writing this article, something surprising happened to us. The more closely we looked at the implementation of mobile authorization in various banks, the more serious errors we noticed, and in the case of some banks we even came to the conclusion that enabling mobile authorization gives the customer no benefit at all, and may even bring additional problems. So in this text we will also discuss the disadvantages of mobile authorization that are inconvenient for banks, the ones that banks (intentionally or by oversight) do not want to talk about. Because mobile authorization, unfortunately, is not the Holy Grail that some bankers mistakenly believe it to be.

But let's start from the beginning.

When performing transactions on a bank account, two things matter from the point of view of the customer's security: not only WHO performs the transaction (the bank will never be 100% sure that it really is its customer and not someone to whom the customer has handed over all the necessary data and devices), but above all WHAT the transaction is. There is a difference between making a PLN 25 transfer to a courier company and transferring PLN 20,000 to a criminal's account. And the lack of awareness of WHAT is being confirmed is the biggest problem with one-time codes from a scratch card (or one-time codes "from a list").

If the computer is infected with malware, or if the victim, while shopping, falls for a fake Dotpay payment page (i.e. de facto phishing), then with "scratch cards" they have no chance of noticing that what they see on the computer screen (e.g. confirmation of a PLN 25 transfer to a courier company) is in fact something else (confirmation of a PLN 20,000 transfer to the criminal's account). In one sentence: if you use scratch cards with codes, the criminal's job is easier. All he needs to do is infect one of your devices, your computer, and that's it. You lose your life savings.

If, however, you use codes sent by SMS, you have a chance of discovering, by reading the text of the SMS, that you are not making a transfer to the courier's account but to the criminal's (or, as is usually the case, that you are confirming the creation of a new trusted recipient, thanks to which the criminal will later make many transfers himself without having to ask you for the codes the bank sends you by SMS; transfers to trusted recipients do not need such codes). This is why SMS codes are better than scratch cards. Provided, of course, that they contain the details of the transaction the code applies to. Some banks do not give customers this information (EDIT: Getin reportedly shows it now), and others may stop showing it.

As you know from last week's article, SMSs with bank codes sent to your phone can be intercepted. The attacker will either obtain a duplicate of your SIM card, infect your smartphone with malware (see "Beware of a fake BZWBK mobile application in the official Google store"), or attack the GSM protocols directly (e.g. with an IMSI catcher). Each of these methods lets the criminal redirect or read the content of the SMS from the bank.

(Image caption: an IMSI catcher used to intercept communication from mobile phones within its range.)

Hence the so-called challenge-response tokens, which take an attribute of the authorized operation as the "challenge". Such tokens cannot be infected, duplicated or eavesdropped on remotely, because the token is a separate device that does not communicate with the untrusted Internet. But beware! Not every hardware token you receive from a bank is a challenge-response token that generates one-time codes from the features of the transaction (e.g. 4 digits of the target account number). Tokens that do not require entering part of the target account number during authorization, i.e. are not based on the transaction's characteristics, are basically pointless: they have all the flaws of a token (battery, loss, forgetting it) and all the flaws of a scratch card (no link to the authorized transaction).

Unfortunately, few banks in Poland give customers challenge-response tokens based on the transaction's characteristics. This is not surprising: they are not the cheapest, their batteries have to be replaced, customers forget to take them on trips, lose them and generally complain (quite rightly!) about the ease of use (so-called usability). For these reasons customers prefer (with a negative effect on their security) to receive the (less secure) SMS. Anyone who used the token at BGŻ Optima will confirm this.

Banks fight this reluctance by pushing "GSM tokens", which are in fact mobile applications. Customers have them with them, charge them regularly, and from the bank's side it is "cheaper" to manage software (a mobile app) than hardware (a token). The problem is that application tokens run on a device that can be infected, and on this front they lose to hardware tokens hands down...

Weighing the advantages and disadvantages of all the transfer authorization methods described so far, the most sensible method of transaction authorization seems to be the bank's mobile application (if it is well implemented; more on that in a moment). The mobile application not only clearly shows the user what operation is being authorized, but also, thanks to the encryption of communication, prevents interception or modification of the message content (both by the GSM operator, who "sees" the content of SMSs, and by someone carrying out the attacks on the GSM network mentioned above, e.g. using the SS7 protocol or an IMSI catcher). Not to mention that if you use the mobile application to authorize a transaction, you do not waste time "rewriting" the code. It's faster and more convenient! And for the bank it is also cheaper, because the bank does not have to bear the cost of the SMSs sent to the customer (and if you think such a cost does not matter to rich banks, you are wrong :).

In the table below, for the sake of clarity, we compare the resistance of mobile authorization, scratch cards and SMS authorization to popular attacks on online banking. As you can see, the comparison looks great for mobile authorization, doesn't it? It beats SMS. But let's see how mobile authorization copes with the "duplicate SIM" attack, the attack that is the direct reason for this article. We will describe it on the example of mBank, because this was the bank used by one of the victims we described. The victim did not use mobile authorization, and perhaps that is why many people suggested that if they had, the attack would have had no chance of success...
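The "WHAT is being confirmed" problem from the scratch-card and token discussion above, as an added example that is not part of the article: a scratch-card or plain one-time code is independent of the transaction, so malware can swap the transaction behind the victim's back, while a challenge-response code is computed over the transaction's own features (here the operation type, the last 4 digits of the target account and the amount, which goes a little beyond the article's "4 digits of the account number"). The one-time code construction is RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation); the shared secret, the account numbers and amounts are constructed sample data, and the challenge format and function names are assumptions of this example, not any bank's actual token protocol.

```python
"""Unbound vs. transaction-bound one-time codes (added example; not from the article).

The HOTP construction is RFC 4226 (HMAC-SHA1 + dynamic truncation). The challenge
encoding, secret, accounts and amounts are constructed for this example; no bank's
actual token protocol is reproduced.
"""
import hashlib
import hmac
import struct

DIGITS = 6
SECRET = b"12345678901234567890"  # RFC 4226 test-vector secret, shared by token and bank

# Constructed operations. The victim intends the first; malware on the PC submits the second.
COURIER_TRANSFER = {"type": "transfer", "account": "PL27114020040000300201355387", "amount_grosz": 2500}
CRIMINAL_TRANSFER = {"type": "transfer", "account": "PL61109010140000071219812874", "amount_grosz": 2_000_000}


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: a 31-bit window chosen by the low nibble of the last MAC byte."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Unbound code: depends only on the secret and the counter (scratch card / plain token)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def challenge(op: dict) -> str:
    """What the user types into a challenge-response token: operation type, last 4 digits of the
    target account and the amount. Assumed format for this example."""
    return f"{op['type']}|{op['account'][-4:]}|{op['amount_grosz']}"


def bound_code(secret: bytes, counter: int, op: dict, digits: int = DIGITS) -> str:
    """Transaction-bound code: the challenge is mixed into the MAC input, so a different
    target account or amount yields a different code."""
    msg = struct.pack(">Q", counter) + challenge(op).encode("ascii")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


def bank_accepts(secret: bytes, counter: int, submitted_op: dict, code: str, bound: bool) -> bool:
    """The bank recomputes the code from the operation it actually received, not from what
    the victim saw on screen."""
    expected = bound_code(secret, counter, submitted_op) if bound else hotp(secret, counter)
    return hmac.compare_digest(expected, code)


def malware_swaps_transaction(bound: bool, counter: int = 7) -> bool:
    """Malware shows COURIER_TRANSFER on screen but submits CRIMINAL_TRANSFER to the bank.
    The token only sees what the victim enters, i.e. the courier's details.
    Returns True if the bank accepts the criminal's transfer."""
    code = bound_code(SECRET, counter, COURIER_TRANSFER) if bound else hotp(SECRET, counter)
    return bank_accepts(SECRET, counter, CRIMINAL_TRANSFER, code, bound)


def malware_also_fakes_challenge(counter: int = 7) -> bool:
    """The caveat: if the malware tells the victim to type the criminal's last 4 digits as if
    they were the courier's, and the victim does not compare them with the real invoice,
    even the bound code is accepted. Binding only helps when the user checks the challenge."""
    code = bound_code(SECRET, counter, CRIMINAL_TRANSFER)
    return bank_accepts(SECRET, counter, CRIMINAL_TRANSFER, code, bound=True)


if __name__ == "__main__":
    print("unbound code, swapped transaction accepted:", malware_swaps_transaction(bound=False))
    print("bound code, swapped transaction accepted:", malware_swaps_transaction(bound=True))
    print("bound code, victim tricked into typing attacker's digits:", malware_also_fakes_challenge())
```

Running the block prints True, False, True: the unbound code authorizes whatever the malware submits, the bound code fails as soon as the submitted account or amount differs from what the user typed into the token, and the last case is exactly why the token's challenge (or the SMS text, or the mobile app's confirmation screen) must be compared with the invoice rather than with what the infected computer displays.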
So let's take a look. With the data the thieves already have in the attacks we described (the victim's login and password to the online service, PESEL number and mother's maiden name, plus a duplicate SIM card), the thief can install the mBank mobile application on his own phone and link it to the victim's account. All he needs to do is download the application, install it, enter the victim's PESEL number and mother's maiden name, and receive an SMS with a one-time code (on the duplicate SIM card). He types this code on the keypad a moment later, when mBank's automated system calls him; in response, the machine dictates the code to be entered in the application. Two minutes and the thief's mobile application is linked to the victim's account.

mBank is aware of this, which is why the risk of theft through the mobile application is reduced by the limits imposed on the mobile application. So, using the mobile application, the thief will not transfer more than PLN 5,000. If he wanted to change this limit in the online service (and let us remind you that in the duplicate-SIM attacks we described the thieves have the victim's password to the online service), he runs into a restriction: the highest single-transaction limit offered for the mobile application is PLN 10,000. So let's pick the maximum of 10,000 and try entering 100 as the number of transactions. The criminal can now transfer 10,000 × 100, i.e. one million zlotys a day, using the mobile application. All because confirmation of the limit change for the mobile application comes via SMS, so a thief with a duplicate SIM card can read it.

Would mobile authorization have saved the victim? No. And that was a big surprise to us. If the victim had been using mobile authorization, everything would go exactly the same, except that the thief would first have to switch mobile authorization to his own phone. Switching mobile authorization to the thief's phone is nothing difficult: it is enough for the thief to tap one link in the mBank application (which he previously linked to the victim's account).

To sum up, in the case of mBank a thief who has the login and password to the account and a duplicate SIM card can: link his own mobile application to the account, switch mobile authorization to it, raise the mobile application's limits (confirming the change with the SMS he intercepts) and transfer up to a million zlotys a day.

And the SMS about the "new device" can only be seen by the thief, not by the victim! At this stage she no longer receives text messages, because her SIM card is inactive.

Here we admit that this behaviour of mBank scared us a little. We were about to recommend mobile authorization as the best protection, but it turns out that the current implementation of mobile authorization at mBank does not protect customers against a duplicate-SIM attack in any way. And it would be enough, for example, to add the measures we put to mBank in the questions below. Both are simple to implement and do not burden a customer who does not want them. It is true that such "unblocking" only during a visit to a bank branch carries a certain risk for the bank: if it was the banker (and not the operator's employee) who fell for a forged ID card or a forged notarized power of attorney, the blame for the theft of money from the account would be 100% on the bank's side. Currently banks can share the blame with the operators.

So, extending our table to include the duplicate-SIM attack on mBank, we get the following.

Of course we turned to mBank with questions on this matter as soon as possible. Krzysztof Olszewski, mBank's spokesman, answered us right away:

Niebezpiecznik: 1. Why does mBank inform about linking a new mobile application only in the SMS channel, and not by push via the mobile application, if the account owner already has such an application installed? This could alert the victim/account owner that something is wrong.

Krzysztof Olszewski: Sending information about the activation of a new application in an SMS has so far been the surest way to quickly inform the customer about such an event. There are many attack scenarios, and the one with a duplicate SIM is just one of them. Therefore, in the vast majority of cases, SMS notifications are effective in informing the customer about the event. Sending a push to a previously activated mobile application with information about the activation of a new application will only slightly increase the level of security. This form of information will not reach a customer who has not used the mobile application before. The notification will also not be received when the user's phone (with an inactive SIM card, after the duplicate has been activated by the criminal) is not within range of a Wi-Fi network. We are constantly working on the development of our app; the notifications in question will be available soon.

NBZP: 2. Why does mBank not inform the account owner about the activation of mobile authorization in a new application on another device, via the application the owner previously installed and in which mobile authorization was active? Without such a notification the owner does not know that someone else is taking over mobile authorization, thanks to which that person can raise the transaction limits and, as a consequence, rob the account.

KO: Such a function is in preparation. The customer will receive a push with information about a change of the device or application with active mobile authorization, on all devices linked to the account. We are talking about informing the customer about such a change, not about approving the activation of mobile authorization for the new device on the previous device. This is because currently only a few percent of users actively use more than one application linked to their account. The vast majority of customers actively use only the most recently launched application. These people do not intend to use the previously activated application, or even cannot do so (e.g. due to uninstalling the application without disconnecting it from the mBank account, a factory reset, or destruction of the phone). We are currently analysing the possibility of changing the process of activating the application on subsequent devices based on additional elements of the entire security ecosystem, including examining the reputation and reliability of devices. Additional information: we also send an informational SMS every time the authorization method is changed from SMS to mobile authorization.

NBZP: 3. Does mBank also plan to introduce additional (but optional, i.e. at the customer's decision and at the customer's risk) methods of protection against duplicate-SIM attacks? For example, a permanent block on linking new mobile devices to the bank account, which, in the case of e.g. losing a phone, would require appearing in person at a bank branch to lift the block?

KO: We are constantly working on security solutions to best protect our customers against criminals' new ideas. This is a challenge that in today's world not only banks but all serious companies have to face. It is not the case that a security measure, once developed, will remain fully effective forever. We know this, and that is why we keep improving it. In this case, the actions of the banks must go hand in hand with an appropriate reaction from the operators. Let's be straightforward: if SIM card issuers do not change their duplicate policy, any security implemented by the bank may be insufficient. Restricting the activation of the mobile application on new devices would be against customers' interests. On average, as many as 100,000 of them reactivate their application, mainly due to a change, loss or failure of the device. Anyway, the need to visit a bank branch would be insufficient, taking into account spear-phishing attacks using forged identity cards (which criminals de facto already have in order to be able to apply for a duplicate SIM card).

mBank's responses calmed us down a bit. In conclusion: it will get better. Hopefully soon. We are glad that although mBank initially tried to argue that the solution we proposed would not be useful and would only "slightly increase the level of security", later in the statement it committed to introducing protection based on exactly what we proposed. And we agree that in the "duplicate SIM card" attack it is primarily the GSM operators who need to act, since they issue these duplicates without justification
(we will devote a separate article to the operators' "miracles" soon). We believe that mBank is able to react quickly to a problem, because we have already seen it in practice once. At the turn of the year we described the case of a customer whose phone number the criminal had redirected at T-Mobile, using the redirection to install the mBank mobile application on his own phone. Yes, at T-Mobile it was enough to call the hotline and give the customer's PESEL number... mBank then reacted very quickly, adding the requirement to enter a code from an SMS to the application installation procedure (SMSs cannot be redirected by call forwarding).

So there is a chance that soon it will make sense to turn on mBank's mobile authorization, and the reason to do so will be not only "no need to rewrite the SMS code from the phone into the form on the website", or more detailed, longer authorization messages, but also higher security. On the subject of detail: compare a mobile authorization message with the SMS for the same operation, which according to mBank should generally contain much less information about the confirmed transaction. As you can see, messages in the mobile application are not (always) more detailed, although mBank itself could advertise such "greater detail" as an advantage of mobile authorization.

Finally, it is worth pointing out another disadvantage of mobile authorization (or rather of the bank's mobile application needed for it to work). Installing a bank (and not only a bank) app on your phone is a partial loss of privacy. Depending on the permissions granted (but also on the developers' ingenuity), the bank (or another application vendor) can access our location, our contacts' data, the name of our device, Wi-Fi network, IMSI or IMEI numbers (cf. what is done with your data). Banks, hopefully, will be more interested in using this information not for profiling but to protect their customers (e.g. detecting a change of location between two authorizations that were both initiated from the same IP). But it is always worth bearing in mind that when installing an application we give it access to our data and "believe" that nothing bad happens with it. And sometimes that belief is very naive (see the errors in the mobile applications of Polish banks).

Finally, let us emphasize once again that we examined the usefulness of mobile authorization against a duplicate SIM card only on the example of mBank. In other banks the behaviour may be better (or worse). We are conducting our own research in this area, but we will gladly accept your help, dear Readers. If you have an account with another bank, carry out the following experiments yourself and paste the bank's name and your answers to the questions in the comments.

And if you are interested in general advice on how to use online banking safely, we invite you to our lecture "How not to get hacked?". We are soon touring Poland and will visit Warsaw, Kraków, Gdańsk, Wrocław and, for the first time, Katowice. In 3 hours we will show you how to secure your computer, smartphone and digital identity, not only when using online banking but also when shopping online and simply "relaxing" on social networks. Detailed dates, venues and seat booking are available here.

PS. If, after reading this article, you still want to use scratch cards, then you are either a person who has not read the article with understanding, or a very specific case of a person who handles bank transactions only on one separate, constantly updated device dedicated exclusively to banking, and only there. It is hard for us to believe that such people exist. But even if they did, at mBank they can still be robbed of up to PLN 5,000 with a duplicate SIM card.

PPS. Later this week we will publish a description of how, several times in various stores, we tried to obtain a duplicate of someone's SIM card in an unauthorized way (spoiler: we succeeded). We will present the article together with some of your recent stories describing how operators did not verify your identity and issued duplicates without checking your personal data. If this happened to you, please let us know.

Aren't you, by persuading readers to answer your questions publicly, helping criminals get information?

Who is this criminal who doesn't know it himself? :)

It also occurred to me at first, but the criminals themselves "work out" these mechanisms. The publication of such information should provoke a discussion and lead to improving security in banks. In addition, a specific comparison will come out of who, what and how (banks). If the bank does not react to the publication and introduce changes, the customers will "settle accounts with it" for that, and that's good. It is harder for individuals to exert "pressure for change" on large institutions than it is for groups. Fingers crossed

It is high time to say STOP to security through obscurity. Transparency of methods, transparency of security, secrecy and an appropriate level of security of keys, this is the solution. I prefer crypto ...
I have a private key and I know that I am responsible for it.

How does a private key solve your problems?

Check how safe the mobile PekaoToken from Pekao SA is. I have been using it for some time and it seems reasonably well designed, and the way the application is linked to the account also seems secure.

> Not to mention the fact that if you use the mobile application to authorize the transaction, you do not have to waste time "rewriting" the code. It's faster and more convenient!
==========
For this you need to launch the application, enter the password for the application, go into the menu. If you make several (or a dozen or so) transfers, this version is faster and more convenient. And if there is just one, the SMS version is better. I am currently testing mBank's mobile authorization and I don't know what to choose, because I often make a single transfer and then the procedure through the app is painfully inconvenient :(

It depends on the application. Mine sends a push notification about a transfer waiting for confirmation, and after tapping the notification it takes you into the application. On new phones you don't need to enter the password, because you can authenticate with a fingerprint. So in my case it is exactly 4 taps: 1. tapping the fingerprint reader, 2. tapping the notification, 3. fingerprint authentication, 4. tapping the button. The whole procedure takes a few seconds, which is faster than waiting for an SMS ;).

We also know from readers' reports that the mBank app has a problem with FaceID: it hangs and does not show notifications after "playing".

There was also a problem on Android where the notification sometimes disappeared. But that was fixed back in the beta. I remember because I reported it ;-). Anyway, even if the notification disappears, you can go to the list yourself and it also works ... Anyway, it works for me ;-)

Pekao:
A: PeoPay: basically 12 digits: 8 is the customer number, 4 is the PIN. PekaoToken: you need to log in to the bank's website and generate a token authorization code to be typed into the app.
B: PeoPay: no notification. PekaoToken: only SMS.
C: As far as I remember, it is PLN 500 a day.
D: See point A.
E: I did not check.
F: I did not check.
G: Changing the limit in the application immediately generates a call from the bank's hotline.
H: It is enough to click the button on the bank's website, but the SMS costs PLN 0.20 each.

As for A, I should also add that if the bank's customer has not installed the mobile application before, he does not have a PIN code, so he logs in with his normal password to the bank, as if logging in via a browser.

In PeoPay the user ID is different from the customer number for Pekao24 (it comes by e-mail after activating the app for the first time; it can also be obtained from the bank's hotline after authentication + additional verification questions from the consultant).
As for B: you can turn on such notifications in all cases, via SMS (the service is additionally payable, perhaps 20 groszy per notification).
C: limits can be freely modified; changing them requires confirmation with the currently used authorization method. Changing the authorization method requires entering a code from the currently used one; in a critical case (e.g. the phone has been reset to factory settings; the app's private keys are NOT backed up) contact the hotline, and after meticulous verification of the customer they can change the authentication method to SMS.
D: let me add that the mobile app has a completely different authentication of transfers than the web service: you need to set a confirmation PIN for transfers from the app, different from all the others in use, especially from the PIN for PekaoToken and for TelePekao.
E: for authorization, never; pairing an authentication app requires an authorization code, which is one-time (this is one of literally TWO operations during which Internet access is required on the mobile side; the other is changing the PIN to the app); pairing a second device when one is already associated fails. The Pekao24 app is different: there may be four of them associated with one account, and to add another one you need to unregister one of those already used (Settings -> Mobile application).
F: he will not do it until he has access to the old app (the confirmation code must be taken from an already authorized device when trying to generate another authorization code), or until he convinces a bank employee on the hotline to reset the authorization method (and Pekao consultants have such verification methods that data from FB is completely insufficient; sometimes they ask about things on the account itself, which cannot be seen without providing at least the "downloaded code". PekaoToken has TWO types of codes: "downloaded" and challenge/response, the latter e.g. for making transfers or adding defined recipients).
In general, Pekao has THREE (actually five, but three for individuals) applications, each for something different:
- Pekao24 (in the Microsoft Store: Bank Pekao): to handle the account itself
- PekaoToken: to authenticate operations
- PeoPay: mobile payments, NFC, cardless ATM withdrawals, etc.
There are two more for business customers:
- PeoPay mPOS: accepting contactless/mobile payments
- PekaoFirma24: an equivalent of the regular Pekao24 for company accounts.

Since they did the PeoPay rework, this is the customer number. It is impossible to log in via the ID.

The "rework" has not yet reached W10M; here an independent identifier still remains ;)

As for Pekao and PeoPay, it should also be noted that to run the application, if I remember correctly, you must send an activation request on the bank's website.

For PekaoToken yes, but PeoPay requires only one activation; subsequent logins require nothing except the customer number and PIN.

At ING, when authorizing each transaction, you can click "change the authorization method to SMS" and easily approve it by text message.

I repeat once again: detach yourselves a little from the screens of phones and mobile applications. A bank's mobile app is as bad as a payment card (no control of expenditure, technical breaks, tracking, profiling ...). Authorization phone: we buy an old Nokia and an additional prepaid card, keep it in the sock drawer and turn it on only to authorize transactions (only we and the bank know the number). Trips abroad? We go to the exchange office for banknotes and carry them in waterproof pouches around our necks. Sometimes I carry a few thousand USD, and in contrast to the failings of phones or cards (flooding with sea water, physical damage, unfavourable currency conversions, a block after detecting transactions from Tanzania ...) I have had no problems.

In the case of mBank, the separate number for transfers is visible after logging in, after going into phone top-up, so the thief, having the login details, knows which number to get a duplicate of.

I think I prefer to keep it in my bank account and then go to the courts and sue for compensation, rather than lose all my money if someone punches me in the teeth.

Of course, losing your documents and phone does not prevent the account from being robbed if someone insists. He can always break into your house. The phone number can also be phished. Above you also have an example of a machine for intercepting text messages, even from a phone that no one knows about. In other words: if someone wants to and can, he will find a way to get your money.

No, it is not only you and your bank who know the number ... your mobile operator also knows it, thanks to the anti-terrorist act and the forced registration of numbers. Yes, ordinary employees usually have access to customer data and some will sell it for next to nothing.

The solution is sometimes just 2 accounts. On the first one we keep the thicker money and have only one recipient defined on it (ourselves in the second bank). In addition, only a scratch card for authorization, which we destroy immediately after defining the only recipient. If someone wants to clean us out, he has to take over 2 accounts. In addition, there is a simple rule that we never access both accounts from the same device. We only risk the current funds on the account with the card and access to transfers. So in my case about PLN 2,000

Have you ever rented a car abroad?

KBL, we risk not only 2k PLN, but also loans.

mBank - I confirm - a hopelessly secured bank!

I bought a special SIM card only for SMS confirmations. So what if this new number is immediately visible when you try to make a transfer. ;)