
Virus against SMS-based banking systems

Australian security researchers have managed to create malicious code that poses a greater risk to banking data than ever before, as it can also deactivate SMS-based two-factor authentication.

TrustDefender and Dragonfly Technologies are putting significant effort into developing endpoint security solutions and the most efficient two-factor authentication tools possible. Researchers at the two companies gave an interesting presentation on the risks posed by a dangerous new piece of malicious code. The danger of the Trojan is not small, as it made accounts managed by Commonwealth Bank accessible. The Trojan got past the two-factor authentication system used by the financial institution without any difficulty.

Andreas Baumhof, one of the managers of TrustDefender, said that two-factor authentication is today one of the most effective defenses against attackers. At the same time, it became clear during the presentation that there is still room for improvement in these systems as well. The new malicious program is not only capable of collecting usernames and passwords entered by users, but also of gaining unauthorized access to bank accounts protected at multiple levels by taking advantage of a weakness in the SMS-based authentication system. During the presentation, the Trojan ran on a standard PC with the Windows XP operating system and the Internet Explorer 7 web browser. The security experts emphasized that the methods used by the Trojan may also work against other banks. According to Baumhof, financial institutions mostly protect only their own systems, whereas if their customers' computers are infected, the entire "security chain" can be damaged.

However, Sarv Girn, the head of IT security at Commonwealth Bank, denied that the bank's system had been compromised by any malware. According to the expert, such a complete security system cannot be compromised by a single Trojan. Girn explained that, with the help of a protection solution, all transactions are checked so that fraud can be detected with high efficiency.
