Combating the invisible bank robber: RMIT expert

In the past, bank robbers wore masks, but now you cannot see them. In the digital era, second device authentication is the best method of combating the invisible bank robber, wrote Dr Jonathan Crellin, program manager in cybersecurity at RMIT Vietnam.

Second device authentication (where a code is sent to a second device) is secure, but not invulnerable. For example, a bad actor can create a simulation of a banking login system, and simulate the request for an OTP via text message, or by using a bank app. When the customer enters the OTP into the simulation, the criminal can then use it to log in to the real bank account and take control of the account.

The bad actor may simulate some forms of system failure (“website unavailable please log in later”), so the customer does not immediately realize something has gone wrong. This is one reason why your bank tells you “…never to follow a link sent to you (for example: by email)” as this can contain a very similar URL pointing to a fake, simulated bank site.

From your point of view, always use a legitimate link or web address for your bank. If you use a banking app, download it from a legitimate source, such as the Play Store or Apple’s App Store. If your phone is compromised with malware, it can facilitate a bad actor gaining access to your phone, using apps, seeing received text messages, controlling the phone remotely, running apps, and extracting information.

SIM swapping has been a very popular technique in recent years. This involves a criminal tricking a mobile network company into reissuing a replacement SIM card linked to the same original number. This is often used with high-profile targets. It is an easy attack if the bad actor can obtain personal information about the victim, which may be recoverable from a dark web marketplace. Once the new SIM is reassigned, the original SIM will stop working.

Another technique that was used in the past was SIM cloning. Here, a duplicate SIM is created which has the same IMSI number (the SIM’s network identity number), authentication number (KI), and phone number as the original SIM. This technique became difficult from 3G onward, as the KI is difficult to recover. However, many IMSI KIs can be found for sale on dark websites, so if someone was unlucky, their IMSI might have been listed.

If a bank identifies that their app was used on a different type of device than usual, this suggests that SIM cloning or SIM swapping may have occurred. The bad actor using another phone can set up biometric authentication with the banking app that uses the bad actor’s biometrics. From the app’s point of view, the correct person is using the app since the app relies on the phone’s biometric system to confirm the identity of the user.

In SIM cloning, the bad actor would need some data from the original SIM, then write these to a new programmable SIM card. Then they have a phone with a SIM that pretends to be the victim’s phone. Both phones will work, but only one at once. The bad actor can send a text from another phone, pretending to be the cell network provider, instructing the victim to turn off their phone for a network update. Whilst their phone is off, the bad actor connects to the bank, transfers money, and then turns off the cloned phone. When the victim turns their phone back on, it reconnects to the network without any immediate indication of the attack.

From the bank's point of view, thefts are often due to customer errors, perhaps leaking too much personal information. The bank's systems are usually as robust as they can be (but still usable for most customers). Criminals rely on people’s carelessness, trust and naivety.

The lesson here is treating your phone and SIM as if they have the same value as all the money in your bank accounts. To enhance security, consider using dual SIM card phones and use one SIM only for things like financial transactions, and the other for less important activities. Be careful not to share the secure phone number and detailed personal information you use for financial transactions anywhere other than the bank. Exercise extreme caution when downloading apps, ensuring they come from legitimate sources. Additionally, contemplate the use of an additional phone with a separate SIM if you plan to use riskier applications.

Authentication poses a significant challenge across all internet activities, especially in financial transactions. Over the years, we have seen numerous advancements in authentication, alongside evolving criminal tactics. IT and cybersecurity programs at many universities in Vietnam equip students with the skills and knowledge about the strengths and weaknesses of current authentication systems. These students will be at the forefront of developing and implementing the next generation of technology.

Crime is never going to go away. Every lock we make or system we develop will have some weaknesses, especially if those using them are careless. The motivation to steal money is so strong that there will always be people who work out how to break into systems. But at its best, the digital world does bring many benefits and conveniences, just be careful and aware of what you share and the security of your devices.

From July 1, people in Vietnam transferring money over VND10 million ($393) must authenticate by face and fingerprint.