Whilst many of us in Information Security are struggling to patch the broken and educate the confused, the largest of the corporates seem to be making giant leaps in protecting their customers. None more so than the banking sector!
Of course a bank’s primary objective is to store and make money, but they have seen a return on investment from spending focussed on providing security education and crime protection advice to their customers. Time and time again, money spent on education and clever tech has reduced spending on frauds and repaying of victims; it’s a brilliant and refreshing change in the industry. It’s hard to argue ‘chip and pin’ and clever algorithms aren’t helping us; we have seen frauds by chip and pin methods decline in recent years. Banks use sophisticated technology to protect their customers, and this could be a modern utopia if it wasn’t for the pesky hacker types again. But there will never be a simple solution, or a time where the online scams don’t keep pace with new defences. Allow me to highlight what this blog post is about and the level of craziness I accidentally find before me.
Let’s make this interesting and simplistic in a way with some good old role playing.
Let’s be a criminal social engineer keen to get our hands on your savings?! It might even be fun?
1 The Pretext
Nice and simple, I like blue and will choose Barclays. I want to be just like them, I want to look like them and have a domain like them. OK, this is role play, so to avoid the lawyers and angry calls we are not going to register it, but the following picture should get it across nicely.
2 The Delivery
Every high street bank has a well-designed website that looks the part. We are trying to trick people, so it would be a good idea to copy all that HTML and get a cloned copy hosted on a server in our control.
3 The Not So Routine Phishing Tricks
So this was supposed to be role play and fun, but so far it’s just plain old phishing and nothing new – until we decide to switch things up a little. So yes, of course we are going to grab their surname, banking number and card number, but what we really want is their 2FA device code. It doesn’t matter if the credentials are good or bad; the victim is going to be guided to a telephone number in our control.
4 The Best Lies Are Built On Truths
So you guide a mark to your phone number and they ring. They will provide you with yet more details you can recycle later, but they will also easily provide you with authentication using their 2FA device – in fact it is policy for Barclays to ask for a code generated by the 2FA on an incoming call. So you ask your mark for the code from their 2FA device, and using the details you now have in your possession you could log on to the victim’s bank account.
So we have taken a simple phishing scenario and made the impact far worse. We have exploited the misplaced trust of a bank’s customers that the number they call will be the bank they expect. When we aired our concerns with the bank in question, their own staff couldn’t see the dangers: “but sir you rang us” – and they are right, we did ring them, but that even sounds like something a scammer would say should we have rung a malicious number by accident. When you start to factor in Google adverts promoting the malicious ‘Barclays Bank Login’ and stealing interest from genuine customers, or phishing and smishing attacks, quite a few people would fall victim. For you techies that would never fall for this low level scam – factor in bit-squatting and a well made SSL cert and stop living a lie, you would fall for it.
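From the defender's side, the bit-squatting and lookalike-domain point above can be turned into a triage check over hostnames seen in referrer logs or certificate transparency feeds. This is an added example, not code from the original post or from any bank; `examplebank.test` and every hostname in `OBSERVED` are constructed placeholders, and the edit-distance threshold of 2 is an assumption.

```python
# Added example: triage observed hostnames against a protected banking domain.
PROTECTED = "examplebank.test"  # constructed placeholder for the protected domain

def is_bitsquat(cand: str, legit: str) -> bool:
    """True when cand differs from legit in one character by a single flipped bit."""
    if len(cand) != len(legit):
        return False
    diffs = [ord(a) ^ ord(b) for a, b in zip(cand, legit) if a != b]
    return len(diffs) == 1 and diffs[0] & (diffs[0] - 1) == 0

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, legit: str = PROTECTED) -> str:
    h = host.strip().lower().rstrip(".")  # DNS names are case-insensitive
    if h == legit or h.endswith("." + legit):
        return "legitimate"
    if is_bitsquat(h, legit):
        return "bitsquat"
    if edit_distance(h, legit) <= 2:  # assumed threshold for near-miss spellings
        return "typosquat"
    if legit.split(".")[0] in h:  # brand label reused inside another domain
        return "brand-embedded"
    return "unrelated"

def triage(hosts):
    """Return {host: verdict} for every host that needs a human look."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v for h, v in verdicts.items() if v not in ("legitimate", "unrelated")}

# Constructed sample, standing in for hostnames pulled from logs.
OBSERVED = ["online.examplebank.test", "dxamplebank.test", "examplebamk.test",
            "examplebank-login.test", "weather.example"]

if __name__ == "__main__":
    for host, verdict in triage(OBSERVED).items():
        print(f"{verdict:15} {host}")
```

A hit from this check is a lead for takedown or blocklisting, not proof of fraud; legitimate third parties sometimes embed a brand name in their own hostnames.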
Request For Comments
It is worth noting Barclays are an industry leader in securing their customers and driving large scale awareness programs to their customers. This is in no way a ‘negative’ blog and should be seen as awareness building to phishing and social engineering attacks in general, with the intention of educating their customers – warning them of possible attacks. We have reached out to them and initially they state “We use complex systems to look for these kind of sites” but they have offered a statement which will be detailed in an update to this post in due course.
This blog is about fine-tuning authentication mechanisms to weed out the weak points. Barclays are in a strong position when compared to TSB, who have recently all but aided the criminals targeting their customers. More on TSB here.
- If you need to ring your bank, always go to trusted sources. Google the bank’s name and check the link isn’t an advert! Check a statement from last month… ask your mum if that works. But never ever trust that the first link in Google or the website in front of you is in fact your bank.
- Make it a rule to never give out your 2FA code to ANY incoming phone call – never ever!
- Check for EV SSL. OK, it’s not perfect, but 99.99999% of the time if it says the name of your bank in it, it probably is.
- Remain sceptical and cautious and never be afraid to put the phone down if you are in doubt.
- Learn about phishing in general – it starts here.