Analysis of a bank card theft: how did the money disappear from his bank card?

Editor's note: between banks and operators, customers and banks, carriers and customers, every step leaves data traces, and every trace may contain a flaw that an attacker can exploit. Banks want to provide more convenient micro-payment services to attract more users; operators want to offer more value-added services to form a long tail and create higher added value. This article is not aimed at ICBC or China Mobile in particular; the same thing could happen at any bank or operator. Shotgun, the author, is a Lei Feng network contributor and an expert in the security field. He hopes to explore the potential safety hazards in convenient online payments as a warning to all three parties, so that our property can be better protected.

So, in the course of a payment transaction, how do the operator, the bank and the user cooperate? Which link leaked? How did the money disappear from the user's bank card?

Event review (the victim is referred to as Xiao Wang):


To make the process easier to follow, several key nodes are extracted:

On July 1, 2015, Wang found that the "10086 SMS safe deposit box" service had been activated on his number without his consent. The next day, Wang changed his 10086 (China Mobile customer service) password.

On July 6, Wang received nearly ten verification-code messages from registrations on various websites; he then found that the SMS safe deposit box had been activated on his number again; minutes later, an ICBC verification code was sent to the victim showing that 9,990 yuan was being transferred out of bank card B.

Based on this case, I draw the following inferences:

First, the user's phone should be clean. In other words, no Trojan had been implanted in the background.

In general, online attackers like to use mobile phone Trojans to steal other people's money.

How a mobile Trojan works: it generally runs on Android, or on an iPhone after jailbreaking (recently, Trojans that can be implanted on Apple devices without a jailbreak have also appeared), and exploits vulnerabilities in apps or the mobile operating system. Not only text messages can be intercepted; calls can be intercepted too, and even the mobile banking account number and password can be read directly.

A mobile Trojan can steal online banking account passwords and can also read verification messages directly. In other words, if there were a Trojan on the phone, there would be no need to obtain verification codes through the SMS safe deposit box, nor to try the bank card PIN many times. From the fact that the SMS safe deposit box was forcibly activated on Wang's number, we can see that the attacker could not read the verification SMS directly on the phone, which rules out the possibility that a Trojan was running in the background.

Second, the bank's server was not compromised by the attacker.

If the attacker had taken over the bank's server, they could have transferred funds directly out of the account without any SMS verification; even if an SMS verification step existed, the code could have been read directly on the server, so the SMS safe deposit box would not have been needed at all. Even though bank supervision and payment security can be questioned, it cannot be denied that the server protection measures of the vast majority of banks are far stronger than those of a PC, by more than one level. Therefore the chance that an online banking server is compromised is relatively small.

In this incident, the fact that Wang's SMS safe deposit box was forcibly used also means that the bank server was not compromised.

Third, Wang's computer or gateway (router) should have a problem.

The flow involving the computer and the gateway is as follows (the diagram from the original article is not reproduced here):

In this flow, an attacker who exploits a security vulnerability to gain any level of access to the victim's computer or gateway can read the victim's bank card number and mobile phone number. But because the bank's online banking system is protected by a security control, the bank card PIN is hard to read, which is why the attacker's repeated attempts caused the bank card to be locked.

When Wang changed his mobile operator website login password, because the operator website's security level is far below that of online banking, the password could easily be eavesdropped by the attacker directly.

Wang changed his mobile operator website login password the day after the first activation, yet the attacker could still open the SMS safe deposit box again a few days later. Although we have not been able to examine Wang's computer and gateway, the probability that the attacker obtained the victim's accounts through a computer Trojan or a hijacked gateway is very high, and Wang's phone number was probably obtained by similar means.

So, in this link, Wang's computer or gateway should have a problem. According to ICBC's response, criminals obtained the account information and passwords by illegal means, then used the customer's information to activate the phone's "SMS safe deposit box" service, obtained the transaction verification messages and stole the money. Of course, this does not mean the bank bears no responsibility; I will not expand on it here, and will return to it under "e-payment" below.

Part IV: security risk-control flaws on the mobile operator's side.

1. The SMS safe deposit box carries a large risk that was not assessed in advance.

SMS contains the user's private information and often carries payment information; a service that offers cloud storage of SMS should be even more careful. For example, activation could require the user to apply in person at a service hall, or at least the user should be able to disable the service entirely so that it cannot be re-enabled until the restriction is lifted in person.

2. Allowing the SMS safe deposit box service to be enabled via WAP let a third party attempt to open the service and hijack sensitive messages.

According to the company's response: "After checking the backend, the service that the customer did not knowingly subscribe to was opened via the mobile WAP customer service page using the customer's mobile phone number and customer service website password; there is no indication that the China Mobile website was attacked, causing leakage of customer information."

The "SMS safe deposit box" service was originally designed so that it could only be activated by a reply message from the handset, but because the system failed to retire the old WAP service interface, an attacker could bypass the native SMS confirmation through the WAP service, which eventually led to the theft from Wang's online bank account.


Under normal conditions, an operator launching a new service should perform a risk assessment. WAP is an old service and the SMS safe deposit box is a new one; the operator missed this link, or the attacker's imagination was broader, since the operator did not expect someone to use an old-fashioned channel to activate a new service. If the operator had acted, the flaw in this link would probably have been found, and the WAP path to the SMS safe deposit box could have been closed. In any case, after this incident the operator should shut down the WAP activation path.

Even though China Mobile said it was not a case of "the China Mobile website being attacked, causing leakage of customer information", the operator's neglect of the WAP service could still cause users financial loss. After all, this risk is controlled by the operator.

Part V: it is inappropriate for banks to use SMS, an unreliable channel, to perform user authentication.

In this case the SMS was hijacked through a hosting service, but SMS can also be hijacked by a "fake base station" or a mobile Trojan, so a high-strength USB key or a random password generator (hardware token) should be used instead. Many banks already use this approach, but the problem may still arise in "e-payment", because "e-payment" is a micropayment product where SMS is generally used for verification.


Even if SMS must be used for secondary authentication, the transfer amount allowed for such payments should be restricted to a small sum. However, each bank defines "small" differently, and ICBC's amount is clearly larger: ICBC's default is 10,000 yuan, and it can be raised to 20,000.

When the user previously disclosed the security risk of "e-payment", ICBC responded that it was a "misunderstanding". In fact, the attacker illegally intercepted the SMS verification code and easily stole the deposits.

ICBC confirmed that a total of 13,990 yuan was transferred from Wang to an account named "yangshaohua". The sum is not small; a single transaction was 9,990 yuan.

Part VI: users should raise their own security awareness.

1. Before enabling a bank's online payment and online transaction functions, users should read the risk warnings and isolate their accounts: for example, use a low-balance card dedicated to online transactions, and close all online transaction functions on cards holding large sums. Alternatively, keep large sums in money-market funds or time deposits, at the cost of one extra step of transferring them to the current account periodically. Of course, this involves the bank's own business rules and the regulatory requirements of the bank and the CBRC, which differ, so I will not expand on it.

2. Do not use weak passwords; change passwords regularly; do not store passwords on a computer or mobile phone; and, where possible, use different passwords for different cards.

In this incident, after his first bank card was repeatedly frozen, Wang applied for a second bank card but kept using the old password, which could easily lead to the password leaking again.

3. When a bank card is found to be fraudulently used, contact the bank to freeze the account first, rather than spending time arguing with the operator.

Summary

From the perspective of banks and operators, this is essentially the old problem of balancing innovation in new services against risk control.

Banks want to provide more convenient micro-payment services to attract more users; operators want to offer more value-added services to form a long tail and create higher added value. But in the course of business innovation, risk-control measures failed to keep up: the bank ignored the unreliability of SMS, and the operator entrusted a service that hosts SMS to nothing more than password authentication.

Add to this the usually inadequate education and training of users, the absence of user security awareness, insufficient sensitivity in internal risk control, and the call centre employees of both companies ignoring the earlier anomalies, and the incident eventually occurred.
