{"id":5363,"date":"2016-03-11T05:57:39","date_gmt":"2016-03-11T10:57:39","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5363"},"modified":"2019-11-15T15:24:14","modified_gmt":"2019-11-15T11:24:14","slug":"banking-trojans-bypass-2fa","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/banking-trojans-bypass-2fa\/5363\/","title":{"rendered":"How banking Trojans bypass two-factor authentication"},"content":{"rendered":"<p>Two-factor authentication with SMS is widely used by banking institutions. Of course, this measure works better than a mere password but it\u2019s not unbreakable. Security specialists\u00a0<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2005\/03\/the_failure_of.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">found out<\/a>\u00a0how it can be fooled 10 years ago, when this protection measure was just gaining popularity.<\/p>\n<p>So did malware creators. That\u2019s why banking Trojan developers breach one-time SMS passwords with ease. Here is how it works:<\/p>\n<p>1. A user launches a legitimate banking app on a smartphone.<\/p>\n<p>2. A Trojan detects which app is in use and overlays its interface with a fake copy. The fraudulent screen looks just like the real one.<\/p>\n<p>3. The victim enters their login and password in the fake app.<\/p>\n<p>4. The Trojan sends the user\u2019s credentials to criminals. They use this data to log in to the user\u2019s banking app.<\/p>\n<p>5. Then the culprits request a financial transaction to their account.<\/p>\n<p>6. The victim\u2019s phone receives an SMS with a one-time password.<\/p>\n<p>7. The Trojan extracts the password from the SMS and sends it to cybercriminals.<\/p>\n<p>8. It also hides the SMS from the user. This is why the victim does not know about ongoing operations until they check their banking account and transaction history.<\/p>\n<p>9. Criminals use the intercepted password to confirm the transaction and receive the victim\u2019s money.<\/p>\n<p>It\u2019s hardly an exaggeration to say that\u00a0<strong>every<\/strong>\u00a0modern banking Trojan knows how to fool SMS-based two-factor authentication systems. 
In fact, malware creators have no other choice: as all banks turn to this protective measure, Trojans need to adapt.<\/p>\n<p>There are a lot of malicious apps that are able to do it, more than you might think. During the last couple of months alone, our experts posted three detailed reports devoted to three different malware families. 
Each one scarier than the other:<\/p>\n<p>1.\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/asacub-trojan\/11108\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><strong>Asacub<\/strong><\/a>\u00a0\u2014 a spy app that evolved into a Trojan and learned to steal money from mobile banks.<\/p>\n<p>2.\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/acecard-android-trojan\/11368\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><strong>Acecard<\/strong><\/a>\u00a0\u2014 a very powerful Trojan that is able to overlay interfaces of\u00a0<strong>almost 30 different banking apps<\/strong>. By the way, mobile malware is now mastering this trend: in the beginning, Trojans targeted the app of one particular bank or payment service, but now they can counterfeit several apps at once.<\/p>\n<p>3.\u00a0<strong><a href=\"https:\/\/securelist.com\/blog\/research\/74051\/first-step-in-cross-platform-trojan-bankers-from-brazil-done\/\" target=\"_blank\" rel=\"noopener noreferrer\">Banloader<\/a><\/strong>\u00a0\u2014 a cross-platform Trojan of Brazilian origin that is able to launch itself on PCs and mobile devices simultaneously.<\/p>\n<p>So you see, two-factor authentication cannot protect you from banking Trojans. It has failed to do that for many years, and the situation is not going to turn for the better. That\u2019s why you need additional security measures.<\/p>\n<p>The basic rule, which helps but not 100%, is to install apps only from official stores. The thing is that there have been enough cases of Trojans making their way into the\u00a0<a href=\"http:\/\/www.dailydot.com\/politics\/google-android-app-virus-mapin\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Play Store<\/a>\u00a0or even the\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/xcodeghost-compromises-apps-in-app-store\/9965\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">App Store<\/a>.<\/p>\n<p>This is why the most reliable solution is to install a good mobile antivirus. You can start with the basic version of\u00a0<a href=\"http:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=kd-ru\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a>. It\u2019s free, though you\u2019ll need to scan devices manually from time to time. The full version is better, as it catches viruses on the fly, but it\u2019s paid-for.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two-factor authentication with SMS is widely used by banking institutions. Of course, this measure works better than a mere password but it\u2019s not unbreakable. 
Security specialists\u00a0found out\u00a0how it can be<\/p>\n","protected":false},"author":421,"featured_media":5364,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,9],"tags":[1737,2088,105,109,702,1030,1145,426,192,97,46],"class_list":{"0":"post-5363","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-tips","9":"tag-advice","10":"tag-tips","11":"tag-android","12":"tag-apps","13":"tag-banking-trojans","14":"tag-finance","15":"tag-mobile-banking","16":"tag-mobile-devices","17":"tag-protection","18":"tag-security-2","19":"tag-sms"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/banking-trojans-bypass-2fa\/5363\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/banking-trojans-bypass-2fa\/3750\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/banking-trojans-bypass-2fa\/6849\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/banking-trojans-bypass-2fa\/6898\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/banking-trojans-bypass-2fa\/6818\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/banking-trojans-bypass-2fa\/7914\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/banking-trojans-bypass-2fa\/7695\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/banking-trojans-bypass-2fa\/11172\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/banking-trojans-bypass-2fa\/11545\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/banking-trojans-bypass-2fa\/6090\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/banking-trojans-bypass-2fa\/7215\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/banking-trojans-bypass-2fa\/10717\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/banking-trojans-bypass-2fa\/11172
\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/banking-trojans-bypass-2fa\/11545\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/banking-trojans-bypass-2fa\/11545\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/advice-2\/","name":"advice"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5363"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5363\/revisions"}],"predecessor-version":[{"id":14887,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5363\/revisions\/14887"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5364"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}