Combating the invisible bank robber

“In the past, bank robbers wore masks, now you will never see them at all”, said Dr Jonathan Crellin, Program Manager in Cyber Security at RMIT Vietnam.

In light of recent news stories about cyber criminals’ attacks on personal bank accounts, this article by Dr Crellin will explain how attacks are made, and the precautions you can take to make these attacks harder for the criminals.  

The second-device authentication method (where a one-time code, or OTP, is sent to a second device) is more secure, but not invulnerable. For example, a bad actor can set up a simulation of the bank's login page and pass whatever the customer types on it to the real bank. The real bank then sends a genuine OTP by text message or through the banking app, the fake page asks the customer for it, and the criminal enters it on the real site before it expires. From that point the criminal is logged in to the real account, can take control of it and its contents, and can use them as they will.

The bad actor may then display a fake system failure (“website unavailable, please log in later”) so the customer does not immediately realise something has gone wrong. This is one reason your bank tells you never to follow a link sent to you (for example by email): the link can carry an address that looks very similar to the bank's own but points to a fake, simulated bank site.
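The link trick described above can be checked mechanically. The following is an added example in Python, not code from the article or from any bank: it compares a link against an allow-list of the bank's real hosts and flags the common look-alike patterns (a bank name used only as a sub-domain of someone else's domain, a user name placed before "@" so the real host is hidden, punycode labels, and one- or two-character typosquats). "examplebank.com" and its host names are hypothetical, and the registrable-domain logic is deliberately naive so that the code runs offline.

```python
"""Classify a link that claims to come from a bank.

Added illustration only: "examplebank.com" is a hypothetical bank domain, and
registrable_domain() is deliberately naive (see its docstring) so the code runs offline.
"""
from urllib.parse import urlsplit

# Assumed allow-list of the bank's real hosts. A real check would take these from
# the bank's cards and statements, never from the message carrying the link.
LEGITIMATE_BANK_HOSTS = frozenset({"www.examplebank.com", "online.examplebank.com"})
BRAND = "examplebank"


def registrable_domain(host):
    """Last two labels of the host name.

    Naive on purpose: real code must consult the Public Suffix List, because a
    name such as "bank.co.uk" has three labels in its registrable domain, not two.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify_link(url):
    """Return 'legitimate', 'unlisted host under bank domain', 'unrelated',
    or a string starting with 'suspicious:' that says why."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # urlsplit already lower-cases it
    if not host:
        return "suspicious: no host name"
    if parts.username is not None:
        # https://www.examplebank.com@evil.example/ : everything before '@' is a
        # user name; the browser connects to the host after it.
        return "suspicious: text before '@' is a user name, real host is " + host
    if parts.scheme != "https":
        return "suspicious: not https"
    if host in LEGITIMATE_BANK_HOSTS:
        return "legitimate"
    legitimate_domains = {registrable_domain(h) for h in LEGITIMATE_BANK_HOSTS}
    domain = registrable_domain(host)
    if domain in legitimate_domains:
        return "unlisted host under bank domain"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: may render as look-alike characters.
        return "suspicious: punycode label in host"
    if BRAND in host:
        # e.g. www.examplebank.com.secure-update.net: the bank name is only a
        # sub-domain; the site belongs to whoever registered secure-update.net.
        return "suspicious: bank name inside unrelated domain " + domain
    if levenshtein(domain.split(".")[0], BRAND) <= 2:
        return "suspicious: look-alike domain " + domain
    return "unrelated"


if __name__ == "__main__":
    for link in ["https://online.examplebank.com/login",
                 "https://www.examplebank.com.secure-update.net/login",
                 "https://exarnplebank.com/login",
                 "https://www.examplebank.com@evil.example/"]:
        print(f"{link:55} -> {classify_link(link)}")
```

The order of the checks matters: the "@" test runs before the allow-list lookup, because the bank's real host name appearing in the address is exactly what that trick relies on. The customer-side rule from the article still stands: a link that passes these checks is merely not obviously fake, while an address you typed or bookmarked yourself never needs the check.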

Dr Jonathan Crellin, RMIT Vietnam

From your point of view, always reach your bank through a legitimate link or web address, ideally one you have typed or bookmarked yourself. If you use a banking app, download it only from a legitimate source such as the Play Store or Apple's App Store. If your phone is compromised with malware, that malware can give a bad actor access to the phone: using apps, reading received text messages (including OTPs), controlling the phone remotely, running apps, and extracting information.

SIM swapping has been a very popular technique in recent years. The criminal tricks the mobile network company into issuing a replacement SIM card linked to the victim's existing phone number, so that calls and text messages, including banking OTPs, now arrive on the criminal's phone. It is often used against high-profile targets, and it is an easy attack if the bad actor can obtain enough personal information about the victim to pass the operator's identity checks; such information may be recoverable from a dark web marketplace. Once the replacement SIM is activated, the original SIM stops working, so a phone that suddenly loses network service for no obvious reason is a warning sign worth acting on.

Another technique, used more in the past, is SIM cloning. Here a duplicate SIM is created with the same IMSI (the subscriber identity number the network uses), the same secret authentication key (Ki), and therefore the same phone number as the original SIM. This became difficult from 3G onward, because the Ki is held in tamper-resistant SIM hardware and the newer authentication algorithms resist the key-recovery attacks that worked against early SIM cards. However, many IMSI/Ki pairs can be found for sale on dark web sites, so an unlucky customer's IMSI might already be listed on one of the dark web marketplaces.

In the case in the news, the bank identified that its app had been used on a different type of device than usual, which suggests that SIM cloning or SIM swapping had occurred. A bad actor who controls the victim's number can use another phone to pass the bank's text-message checks and then set up biometric authentication in the banking app using the bad actor's own fingerprint or face. From the app's point of view the correct person is using it, because the app does not check who the user is: it relies on the phone's biometric system, which only confirms that whoever enrolled on that phone is present.

In SIM cloning, the bad actor needs a few values from the original SIM (the IMSI and Ki mentioned above) and writes them to a blank programmable SIM card. The bad actor then has a phone whose SIM pretends to be the victim's phone. Both phones will work, but only one at a time, because the network keeps a single registration per subscriber. The bad actor can send a text from another phone, pretending to be the network provider, instructing the victim to turn their phone off for a network update. While the victim's phone is off, the bad actor's phone registers on the network, the bad actor connects to the bank, transfers money, and then turns their own phone off again. When the victim turns their phone back on, it reconnects to the network without any immediate indication of the attack.
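The signals in the passages above (an OTP used from a device the customer has never used, a new device type with freshly enrolled biometrics, and a quick transfer while the victim's phone is off the network) are things the bank can score on its own side before releasing a transfer. The following is an added example of such a scoring rule in Python; it is not code from the article, from RMIT or from any bank. The weights, thresholds, device names and payees are assumptions chosen for the illustration, and the three sessions are constructed.

```python
"""Bank-side risk scoring for a transfer attempt.

Added illustration, not RMIT's or any bank's real logic. The signals are the ones
the article describes (new device type, biometrics enrolled on it, a quick transfer
to a new payee); the weights, thresholds and event data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD_THRESHOLD = 60                       # assumed: at or above this, hold and confirm out of band
QUICK_TRANSFER = timedelta(minutes=10)    # assumed
LARGE_AMOUNT = 1000.0                     # assumed, in the account currency


@dataclass(frozen=True)
class Profile:
    """What the bank already knows about the customer from past sessions."""
    known_devices: frozenset   # device fingerprints seen before, e.g. "Android/Pixel 6"
    known_payees: frozenset    # accounts this customer has paid before


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str                  # "login", "biometric_enrolled" or "transfer"
    device: str
    payee: str = ""
    amount: float = 0.0


def assess_transfer(profile, session):
    """Score the transfer in one app session (a list of Events, oldest first).

    Returns (score, reasons, decision) where decision is "allow" or "hold".
    """
    login = next(e for e in session if e.kind == "login")
    transfer = next(e for e in session if e.kind == "transfer")
    score, reasons = 0, []

    new_device = login.device not in profile.known_devices
    if new_device:
        score += 40
        reasons.append(f"login from a device type never seen before: {login.device}")
    if new_device and any(e.kind == "biometric_enrolled" for e in session):
        # The phone only proves that whoever enrolled is present, not who they are.
        score += 10
        reasons.append("biometrics enrolled on that new device in the same session")
    if transfer.payee not in profile.known_payees:
        score += 20
        reasons.append(f"first ever payment to {transfer.payee!r}")
    if transfer.at - login.at <= QUICK_TRANSFER:
        score += 10
        reasons.append("transfer within minutes of login")
    if transfer.amount >= LARGE_AMOUNT:
        score += 10
        reasons.append(f"amount {transfer.amount:.2f} at or above the large-amount threshold")

    decision = "hold" if score >= HOLD_THRESHOLD else "allow"
    return score, reasons, decision


# Constructed data: one customer profile and three sessions.
PROFILE = Profile(known_devices=frozenset({"Android/Pixel 6"}),
                  known_payees=frozenset({"landlord"}))

_T = datetime(2024, 1, 15, 10, 0)
ATTACKER_SESSION = [            # new phone, new biometrics, fast large transfer to a stranger
    Event(_T, "login", "iOS/iPhone 13"),
    Event(_T + timedelta(minutes=1), "biometric_enrolled", "iOS/iPhone 13"),
    Event(_T + timedelta(minutes=3), "transfer", "iOS/iPhone 13", payee="mule-account", amount=2500.0),
]
USUAL_SESSION = [               # the customer paying rent from their usual phone
    Event(_T, "login", "Android/Pixel 6"),
    Event(_T + timedelta(minutes=2), "transfer", "Android/Pixel 6", payee="landlord", amount=500.0),
]
UPGRADE_SESSION = [             # a genuine phone upgrade: new device, but familiar behaviour
    Event(_T, "login", "Android/Pixel 8"),
    Event(_T + timedelta(minutes=1), "biometric_enrolled", "Android/Pixel 8"),
    Event(_T + timedelta(minutes=30), "transfer", "Android/Pixel 8", payee="landlord", amount=500.0),
]

if __name__ == "__main__":
    for name, session in [("attacker", ATTACKER_SESSION), ("usual", USUAL_SESSION),
                          ("upgrade", UPGRADE_SESSION)]:
        score, reasons, decision = assess_transfer(PROFILE, session)
        print(f"{name}: score={score} decision={decision}")
        for reason in reasons:
            print("  -", reason)
```

The point of the weights is that no single signal is damning: a customer who has just bought a new phone also logs in from an unknown device and enrols new biometrics, and should not be blocked for paying a familiar payee. What separates the attacker's session is the combination with a first-time payee and a large, fast transfer. A "hold" should be confirmed through a channel the attacker does not control, which rules out a text message to the very number that may have been swapped or cloned.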

From the bank's point of view, thefts probably take place because of errors by the customer, such as leaking too much personal information. The bank's systems are usually as robust as they can be while remaining usable for most customers. Criminals rely on people's carelessness, trust and naivety.

As technology evolves, so do cyber criminals. (Image: Freepik)

The lesson here is to treat your phone and SIM as if they were worth as much as all the money in your bank accounts! To enhance security, consider a dual-SIM phone and use one SIM only for things like financial transactions, keeping the other for less important activities. Be careful not to share the phone number and the detailed personal information you use for financial transactions anywhere other than with the bank. Exercise extreme caution when downloading apps, ensuring they come from legitimate sources. If you plan to use riskier applications, consider an additional phone with its own separate SIM: a second SIM in the same handset does not protect you from malware already on that handset, which is why a separate device is the stronger option.

Authentication poses a significant challenge across all internet activities, especially in financial transactions. Over the years, we have seen numerous advancements in authentication, alongside evolving criminal tactics. Information Technology and Cyber Security programs in many universities in Vietnam equip IT students with the skills and knowledge about the strengths and weaknesses of current authentication systems. These students will be at the forefront of developing and implementing the next generation of technology.

At RMIT University, we are now running new Cyber Security minors and majors in the Bachelor of IT program, Vietnam campus, together with our Master of Cyber Security and Graduate Diplomas, Melbourne campus. These programs empower students and existing IT professionals with advanced skills in designing robust authentication systems and expertise in information system forensics.  

Crime is never going to go away. Every lock we make or system we develop will have some weaknesses, especially if those using them are careless. The motivation to steal money is so strong that there will always be people who work out how to game and break into systems. But at its best the digital world does bring many benefits and conveniences, just be careful and aware of what you share and the security of your devices!  

Story: Dr Jonathan Crellin, Senior Lecturer and Program Manager for Master of Cyber Security, RMIT Vietnam 
