Fraud Reveals Industry-Wide Insecurity with Bank SMS Text Verification

Researchers at IBM Trusteer have uncovered a massive fraud operation that stole money from more than 16,000 people. The worst part is that the customers whose accounts were used had almost no defense against it.

The crooks used mobile emulators to impersonate the phones of more than 16,000 people whose mobile banking accounts had been compromised. Even as regulators push banks to add further authentication layers such as two-factor authentication (2FA), new figures from UK Finance show that money transfer scams (authorised push payment, or APP, fraud) are on the rise and cost Britons £456 million in 2019. The scale of the operation was unlike anything the researchers had previously seen: about 20 emulators were enough to spoof those 16,000-plus customer devices.

SMS Verification is not Secure

To obtain full access to an account, the attackers intercept the SMS messages in which banks send one-time authentication codes. A large sum was recently stolen from customers in Germany in precisely this way. In another case, a single emulator was used to spoof more than 8,100 devices. Banks that rely on SMS codes are finding that smartphones are easy to spoof and that SMS may not be a credible security control, yet banks still rely primarily on this method to authenticate their customers. According to Chris Stephens, head of fraud and security analytics at Callsign, the fact that SMS is being used as a stopgap is itself a big problem.

Many sites fall back on SMS authentication at sign-up, sending a code by text message to your phone. But SMS has many security weaknesses and is the least reliable two-factor authentication option. Never send your full bank account number, or any other private information such as a password or PIN, by text message. When you receive a text, check that it comes from your bank's short code, the phone-number "return address" that distinguishes official messages, and treat any text that asks you to act (call a number, follow a link, read back a code) as suspect even when the sender looks right.

Industry Wide Problem

For years, security analysts have warned about the inherent insecurity of SMS. If a customer loses their phone, there is no guarantee that the mobile banking authentication flow remains secure: if, for example, the customer has saved a password on the phone for reference, whoever ends up with the handset could potentially use the account.

SMS authentication has become the default for banks worldwide. But criminals know that banks now rely on SMS codes to confirm transfers, so they look for ways to abuse and degrade the mechanism and turn it to their advantage. The usual route is SIM swap fraud: the fraudster collects personal details about the victim, then calls the victim's mobile carrier claiming the phone has been lost or stolen, so that the number, and with it the SMS codes, is moved to a SIM the fraudster controls. SMS authentication also carries hidden costs for banks: if the authentication journey hiccups, for instance because SMS messages are not delivered, banks must be ready for a sharp spike in calls to customer support helplines, which is expensive.

The stolen usernames and passwords were then entered into banking apps running on the crooks' emulators, and fraudulent transfers were initiated to siphon funds from the compromised accounts. Emulators are legitimately used by developers and researchers to test how apps and games behave across many different mobile devices. The researchers believe the account credentials were obtained through malware or phishing.

Fast Moving Operation

How the crooks obtained the SMS messages and device IDs is not explained in the IBM Trusteer report. The targeted banks were based in the US and Europe. The attackers monitored the traffic between the spoofed devices and the banks' application servers to track each operation's progress in real time, and used logs and screenshots to map the process over time. As the operation advanced, the analysts watched the attack tactics evolve as the crooks learned from earlier mistakes.

SMS, for its part, is not a universal solution. Customers in remote or poorly served areas, for example, can struggle to receive SMS messages at all. SMS authentication is not available to everyone, adds friction, and is ultimately not very customer-friendly. It also depends on having an up-to-date phone number for every customer, which is no small task. The European Banking Authority (EBA) has likewise suggested that banks look at alternatives for these purposes.

How to take Precautions

Banks should look to intelligent, risk-based authentication, driven by a decision engine, to offset the cost of SMS and offer a better user experience through safer, dynamic journeys tailored to each customer. They can also use passive authentication that draws on location (GPS), biometrics, and contextual signals to verify that customers are who they claim to be. For customers, the operation reinforces everyday advice: use strong passwords, learn to spot phishing, and keep devices free of malware. It would help if banks offered multi-factor authentication over a channel other than SMS, but few financial institutions do.
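One way to build such a decision engine, as an added example that is not the page's own code nor any bank's or IBM Trusteer's detection logic (the field names, thresholds and sample events below are all constructed for illustration): the engine scores each transfer on contextual signals that the emulator operation described above would trip, in particular one device fingerprint serving many different accounts and one-time codes being submitted back faster than a person could read and type them, and it steps up to a non-SMS challenge or blocks outright when the score is high.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TransferEvent:
    """One transfer request as the bank's app server sees it (constructed fields)."""
    account: str
    device_id: str      # fingerprint the mobile app reports to the bank
    country: str        # country geolocated from the session's source IP
    home_country: str   # country on file for the account holder
    otp_sent_at: float  # epoch seconds when the SMS code was sent
    otp_used_at: float  # epoch seconds when the code came back


@dataclass
class RiskEngine:
    """Scores transfers on signals an emulator farm would trip.

    Thresholds are illustrative assumptions, not tuned production values.
    """
    max_accounts_per_device: int = 3   # one handset rarely serves many customers
    min_otp_latency_s: float = 5.0     # a human cannot read and type a code faster
    step_up_threshold: int = 50
    block_threshold: int = 80
    _accounts_per_device: dict[str, set[str]] = field(
        default_factory=lambda: defaultdict(set))
    _devices_per_account: dict[str, set[str]] = field(
        default_factory=lambda: defaultdict(set))

    def enroll(self, account: str, device_id: str) -> None:
        """Record a device the customer has previously used and verified."""
        self._devices_per_account[account].add(device_id)
        self._accounts_per_device[device_id].add(account)

    def score(self, e: TransferEvent) -> tuple[int, list[str]]:
        score, reasons = 0, []
        if e.device_id not in self._devices_per_account[e.account]:
            score += 20
            reasons.append("first transfer from this device for this account")
        self._devices_per_account[e.account].add(e.device_id)
        accounts = self._accounts_per_device[e.device_id]
        accounts.add(e.account)
        if len(accounts) > self.max_accounts_per_device:
            score += 50
            reasons.append(f"device {e.device_id} now serves {len(accounts)} accounts")
        latency = e.otp_used_at - e.otp_sent_at
        if latency < self.min_otp_latency_s:
            score += 30
            reasons.append(f"OTP submitted {latency:.1f}s after it was sent")
        if e.country != e.home_country:
            score += 20
            reasons.append(f"session from {e.country}, account home is {e.home_country}")
        return score, reasons

    def decide(self, e: TransferEvent) -> tuple[str, list[str]]:
        score, reasons = self.score(e)
        if score >= self.block_threshold:
            return "block", reasons
        if score >= self.step_up_threshold:
            # Challenge over a channel the emulator cannot answer from,
            # e.g. an app push or biometric prompt on the enrolled handset.
            return "step_up_non_sms", reasons
        return "allow", reasons


def run_demo() -> list[str]:
    """Replays constructed events: one legitimate transfer, then one emulator
    fingerprint walking through four different customers' accounts."""
    engine = RiskEngine()
    engine.enroll("acct-1001", "dev-handset-1001")
    t = 1_600_000_000.0  # arbitrary epoch base for the constructed timestamps
    events = [
        TransferEvent("acct-1001", "dev-handset-1001", "US", "US", t, t + 42.0),
        TransferEvent("acct-2002", "dev-emu-07", "US", "US", t + 60, t + 61.5),
        TransferEvent("acct-2003", "dev-emu-07", "NL", "US", t + 90, t + 92.0),
        TransferEvent("acct-2004", "dev-emu-07", "US", "US", t + 120, t + 121.2),
        TransferEvent("acct-2005", "dev-emu-07", "US", "US", t + 150, t + 150.9),
    ]
    decisions = []
    for e in events:
        decision, reasons = engine.decide(e)
        decisions.append(decision)
        print(f"{e.account} {decision:>16} {'; '.join(reasons) or 'no risk signals'}")
    return decisions


if __name__ == "__main__":
    run_demo()
```

The legitimate transfer from an enrolled handset scores zero and is allowed; the first three transfers from the emulator fingerprint already earn a step-up (new device plus a near-instant OTP reply), and the fourth account on the same fingerprint pushes the score over the block threshold. A real engine would feed the same signals into a scoring model rather than fixed weights, and would retain device-to-account history across sessions rather than in memory.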

Customers should check their bank accounts at least once a month for suspicious transactions. Advances in technology have led both customers and organizations to take an interest in biometrics as a way to reduce friction and security problems. Biometric identification recognizes the physical characteristics that are unique to the person being authenticated.