In new attack on mobile handsets, fraudsters target one-time passwords

Security for mobile handsets keeps improving. But then, mobile threats to those handsets keep improving as well. 

Among the most recent, reported by Trusteer, a Boston-based provider of secure web access services, are two online banking fraud schemes designed to defeat the one-time password (OTP) authorization systems used by many banks.

IN DEPTH: How to protect online transactions

According to Trusteer, these new threats go a step beyond earlier attacks in which criminals would change a victim's phone number to redirect OTPs to them.

"In these new scams, the criminals are stealing the actual mobile device SIM (subscriber identity module) card," the company said.

The first kind of attack uses the Gozi Trojan to steal IMEI (international mobile equipment identity) numbers from online bank account holders when they log in.

"Once they have the IMEI number, the criminals contact the victim's wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim's phone are sent to the fraudster-controlled device," Trusteer said.

Oren Kedem, director of product marketing for Trusteer, said the Gozi attacks are mainly in the U.S. and that, "the level of infection is quite significant," even though the damage is not yet extensive.

More @ networkworld.com/news/2012/031512-in-new-attack-on-mobile-257321.html