Exploitable security plagues digitalisation

October 16, 2020 | 10:00
Disruptive technologies spur the evolution of the financial landscape, with comprehensive applications providing convenient access to customers' banking needs. However, unbeknownst to many, hackers can easily find a way around the most common two-factor authentication methods.
Vietcombank’s (VCB) Digibank phone app

Tran Viet Luan from Ho Chi Minh City had his account activated via Vietcombank's (VCB) Digibank phone app, and within seven minutes, VND406 million ($17,650) was transferred to beneficiaries at MSB and SeABank.

Vietcombank’s VCB Digibank, launched in July, integrates the bank’s online trading platforms with its existing services. The state-owned lender believes the app will offer an excellent experience to customers.

Following this lead, most banks are upping the ante in consumer experience, with some trying to blend experiences from the physical and digital worlds.

For instance, VietinBank offers VietinBank iPay Mobile. Meanwhile, HSBC positioned its signature “Banking on the way” app that lets users conduct transactions wherever they are. Standard Chartered is also bringing cutting-edge solutions to customers such as biometrics logins, facial recognition, and fingerprint authentication.

However, security is a major concern for users since the potential for losses is huge. For example, after the transfers from his account through VCB's Digibank phone app, Luan from Ho Chi Minh City received neither an SMS with a verification code nor any notification of the transactions, so he was unaware of the loss until he went to the bank for another transaction.

In another case, earlier this year, 24-year-old Phan The Anh from the north-central province of Thanh Hoa was arrested and sentenced to 30 months for illegally appropriating others' property. He and other fraudsters tricked victims into revealing a one-time password (OTP), then transferred VND100 million ($4,350) from the victim's account to their own.

Tricky technology

“During the last year, there have been many cases where hackers exploited the weaknesses of SMS OTP authentication,” said Nguyen Tu Quang, CEO of Bkav, a Vietnamese technology corporation specialised in cybersecurity, software, and smart electronic devices.

OTPs sent via SMS remain a common authentication method, despite significant security flaws that have been known for years. Most online transactions nowadays require some kind of two-step authentication, which usually includes an OTP sent via SMS.

However, many apps now request access to one's SMS, which compromises security. A malicious app that targets OTPs only needs two permissions: one to access the internet and another to read or receive SMS (on Android, INTERNET together with READ_SMS or RECEIVE_SMS). Because both are very commonly requested by legitimate apps, the security scans of app stores often miss the threat.
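The permission combination described above is cheap to check for during app triage. The following is an added example, not code from the article or from any app store or vendor: it reads the text form of an AndroidManifest.xml, flags the INTERNET plus SMS permission pair, and raises the finding when the app also registers a high-priority receiver for incoming SMS, which is how SMS-stealing malware typically gets at an OTP before the default messaging app does. The two manifests are constructed for the demonstration; package names and priorities are made up.

```python
"""Heuristic triage of an Android manifest for the OTP-stealer permission pattern.

Added example for this article; not vendor or app-store code. The heuristic is
deliberately simple and will also flag legitimate messaging apps, so it is a
triage signal, not a verdict.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 999  # receivers at or above this see SMS before ordinary apps


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    has_internet = "android.permission.INTERNET" in perms
    sms_perms = perms & SMS_PERMISSIONS

    # Record the highest priority of any receiver listening for incoming SMS.
    max_priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            raw = _attr(flt, "priority")
            try:
                prio = int(raw) if raw is not None else 0
            except ValueError:
                prio = 0
            max_priority = prio if max_priority is None else max(max_priority, prio)

    findings = []
    if has_internet and sms_perms:
        findings.append("INTERNET combined with " + ", ".join(sorted(sms_perms)))
    if max_priority is not None:
        findings.append(f"SMS_RECEIVED receiver registered (priority {max_priority})")
        if max_priority >= HIGH_PRIORITY:
            findings.append("high-priority receiver: can read OTP SMS before the default messaging app")

    return {
        "package": root.get("package"),
        "has_internet": has_internet,
        "sms_permissions": sorted(sms_perms),
        "sms_receiver_priority": max_priority,
        "suspicious": bool(has_internet and sms_perms),
        "findings": findings,
    }


# Constructed manifests for the demonstration (made-up package names).
STEALER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for m in (STEALER_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(m)
        print(report["package"], "suspicious" if report["suspicious"] else "clean")
        for f in report["findings"]:
            print("  -", f)
```

In practice the same check is run over the binary manifest extracted from the APK (for example with `aapt dump xmltree` or `apkanalyzer`) rather than over hand-written XML, and a hit is then followed by looking at what the receiver does with the message body.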

"OTP theft is quite popular, and this risk typically occurs in two major ways. First and foremost, users' cellphones could be infected by malware, which can be used to tap into your messages containing the OTP," economist Nguyen Tri Hieu told VIR. "Secondly, users could get duped into revealing their OTP by fraudsters. For instance, there are many messages or online links that might trick users into sharing personal banking details. In some cases, fraudsters could pose as bank tellers, talking about renewing or upgrading existing credit or debit cards of the victims to get the OTP."

He added that the biggest weakness of the SMS OTP method is the lack of non-repudiation, meaning that the system cannot verify who is carrying out the transaction. The OTP is a short bearer secret that is not tied to the device, the session or the details of the transfer, so anyone who obtains it within its validity window can use it. For example, if a hacker lures a user to a fake money transfer page, all information the user enters will be passed on to the hacker. They will then have the login credentials and an OTP code to perform the transaction from another device. The system is incapable of determining who made the transaction.
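The relay described above can be walked through in code. The following is an added example, not the article's or any bank's code: a toy bank that checks only the OTP value (the SMS OTP model) accepts a code the victim typed into a phishing page and the attacker forwarded with a different beneficiary. The second verifier binds the code to the transfer details, an HMAC over beneficiary and amount that is delivered to the user together with those details, which is the standard "what you see is what you sign" mitigation and is not discussed in the article. With it, a relayed code is useless for any other transfer, and the remaining risk moves to the user checking the details shown in the message. Account names, amounts, the password and the key are all made up.

```python
"""SMS OTP as a bearer secret versus an OTP bound to the transaction.

Added example for this article; not code from the article or any bank.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount_vnd: int


class PlainOtpBank:
    """Verifier that only checks the OTP value: the SMS OTP model."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def request_otp(self, user: str) -> str:
        # Returns the code the bank would send by SMS; it says nothing about the transfer.
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = otp
        return otp

    def transfer(self, user: str, otp: str, tx: Transfer) -> bool:
        expected = self._pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, otp)


class BoundOtpBank:
    """Verifier whose code is an HMAC over the transfer details.

    The message to the user reads like "code 123456 authorises 5,000,000 VND
    to ACC-X", so the code cannot be spent on a different transfer.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # made-up server-side key
        self._pending: Dict[str, Tuple[str, Transfer]] = {}

    def _code(self, user: str, nonce: str, tx: Transfer) -> str:
        msg = f"{user}|{nonce}|{tx.beneficiary}|{tx.amount_vnd}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def request_otp(self, user: str, tx: Transfer) -> Tuple[str, Transfer]:
        nonce = secrets.token_hex(8)
        self._pending[user] = (nonce, tx)
        return self._code(user, nonce, tx), tx  # the SMS carries code and details

    def transfer(self, user: str, otp: str, tx: Transfer) -> bool:
        nonce, _ = self._pending.pop(user, (None, None))
        if nonce is None:
            return False
        # Recompute over the transfer actually submitted, not the one requested.
        return hmac.compare_digest(self._code(user, nonce, tx), otp)


def victim_reads_sms(code: str, shown: Transfer, intended: Transfer) -> Optional[str]:
    """The user types the code only if the details in the SMS match what they meant."""
    return code if shown == intended else None


VICTIM_TX = Transfer("ACC-FAMILY-001", 5_000_000)
ATTACKER_TX = Transfer("ACC-MULE-777", 406_000_000)


def relay_attack_plain(bank: PlainOtpBank) -> bool:
    """Phishing page holds the victim's login, requests an OTP from the real bank,
    shows the victim an OTP prompt, and spends the typed code on its own transfer."""
    otp = bank.request_otp("luan")
    typed = otp  # the SMS says nothing about any transfer, so the victim types it
    return bank.transfer("luan", typed, ATTACKER_TX)


def honest_transfer_bound(bank: BoundOtpBank) -> bool:
    code, shown = bank.request_otp("luan", VICTIM_TX)
    typed = victim_reads_sms(code, shown, VICTIM_TX)
    return typed is not None and bank.transfer("luan", typed, VICTIM_TX)


def relay_attack_bound(bank: BoundOtpBank) -> Dict[str, bool]:
    # Attempt 1: request the code for the transfer the victim expects, spend it elsewhere.
    code, shown = bank.request_otp("luan", VICTIM_TX)
    typed = victim_reads_sms(code, shown, VICTIM_TX)
    reused = typed is not None and bank.transfer("luan", typed, ATTACKER_TX)
    # Attempt 2: request the code for the attacker's transfer; the SMS shows its details.
    code, shown = bank.request_otp("luan", ATTACKER_TX)
    typed = victim_reads_sms(code, shown, VICTIM_TX)
    return {"reused_code_accepted": reused, "victim_refused_mismatch": typed is None}


if __name__ == "__main__":
    print("plain SMS OTP, relayed code accepted:", relay_attack_plain(PlainOtpBank()))
    print("bound OTP, honest transfer:", honest_transfer_bound(BoundOtpBank()))
    print("bound OTP, relay attempts:", relay_attack_bound(BoundOtpBank()))
```

The binding only helps if the channel that delivers the code also shows the beneficiary and amount in a form the user actually reads; a code that is bound to the transaction but displayed without the details is still a bearer secret from the user's point of view.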

Risks abound

Regarding the incident of Tran Viet Luan, the representative of Vietcombank said Luan's account was activated with the VCB Digibank application on another device. Vietcombank reported that the carrier sent a total of eight messages, including four confirmation messages and four balance-change notifications, to Luan's phone, which he did not receive. The incident is still being investigated.

Vo Do Thang, director of privately-run Athena Cyber Security Center, said that OTP attacks are quite frequent, not only in Vietnam but all over the world.

"However, the decisive factor of safety lies within the user, not the method," Thang said, adding that the main reasons for account theft are personal mistakes and a lack of experience in self-protection. "Many people freely log in to public Wi-Fi or download spyware without knowing it. Hackers can fully exploit this habit to access the user's OTP code. Two-layer security by OTP will become less secure if we use it on an insecure device," said Thang.

When installing new software, it is advised to grant applications as few permissions as possible, and to deny permissions such as reading SMS or accessing the internet when an app has no need for them. In addition, smartphone users should also use anti-malware software.

Though digital signatures are popular around the world and used in many fields in Vietnam such as customs, insurance, and taxation, Cuong said this method has not been adopted by banks due to legal barriers regarding the use of mobile phones. At the same time, OTP is far superior to digital signatures in terms of convenience when making transactions between different devices.

Le Anh Dung, deputy director of the State Bank of Vietnam’s Payment Department, said he expects the Ministry of Information and Communications and the Ministry of Public Security will speed up their progress to complete a comprehensive decree on protecting personal data and electronic identification.

By Luu Huong
