Cybercriminals bypass e-banking protections with fraudulent SIM cards, says Trusteer

Cybercriminals are impersonating victims in order to obtain replacement SIM cards from their mobile carriers, which they then use to defeat phone-based Internet banking protections, security vendor Trusteer said in a blog post. 

Trusteer researchers have recently seen variants of the Gozi online banking Trojan injecting rogue Web forms into online banking sessions to trick victims into exposing their phone's IMEI (international mobile equipment identity) number, in addition to other personal and security information.

MORE: 'War texting' lets hackers unlock car doors via SMS

The likely explanation for the Trojan's collection of phone-specific data is that it's used to obtain a fraudulent SIM card for the victim's phone number by reporting their phone as stolen. Trusteer's director of product marketing, Oren Kedem, said. This would allow fraudsters to bypass bank anti-fraud defenses that are based on one-time passwords (OTPs).

OTPs are unique codes that online banking customers receive on their phones when money transfers are initiated from their accounts. These codes need to be inputted into the bank's website to authorize those transactions.

Fraudsters have developed several techniques in order to defeat such anti-fraud systems. Some trick their victims into installing malicious mobile apps that forward OTP text messages to phone numbers under their control.

More @ networkworld.com/news/2012/031312-cybercriminals-bypass-e-banking-protections-with-257225.html