People Are Getting Their Bank Accounts Cleaned Out… Through Their Mobile Phones!
I was recently reading an article about an unfortunate farming family that wound up getting scammed and having their bank accounts emptied. The article also mentioned that this was not an isolated case. Other families have had the same situation happen to them. The whole thing started with the attackers porting over the phone number to a new carrier.
Now you’d think that porting a phone line wouldn’t help when it comes to anything related to a bank scam, but you’d be wrong.
Setting up the attack
From my own observation of people in this area, I’ve noticed most of them are comfortable doing banking on their smart phones. Everyone has smart phones and they are accustomed to using them all the time. Face to face banking is hard to do out here, since it’s not unusual for the nearest bank to be over an hour’s drive just to get there, and that’s when the roads are good. By comparison, banking from a PC doesn’t seem to be very popular. Most things involving the Internet are unpopular, probably due to the garbage quality of speeds out there. Not just that; sometimes getting an Internet connection at some of these farmhouses can be horrendously expensive or even impossible, due to the remote location.
Firstly, the attacker needs to find a target. They choose farms, maybe because there’s a high chance they will do banking from their smart phone. Also, due to the nature of a farm, you don’t get paid in small amounts every 2 weeks, like most of us. You get paid once or twice a year in a high amount. This means that if they time it properly, they can hit the target when there’s a large amount of money to be stolen. Doesn’t that sound like the same sort of logic you’d use for an old-time bank robbery?
The farm probably has a website and/or Facebook page (the farm in this instance had both). The attacker can do some searching to find information like phone numbers, names and addresses. It’s easy to run a search on a phone number to find out which company provides that customer with service. Thus, identifying that a business number is a cell phone is trivial. Also, many people make their personal Facebook pages public, and post all kinds of information. In this case, the attacker cares about little more than phone numbers and email addresses. Once they have enough information and feel the time is right, they attack.
Time to strike
After they’ve gathered enough information, the attacker ports the phone number. Since the target is a farm, it’s easy to monitor their activity and time the attack for somewhere around harvest time, or when a livestock farm sells off a bunch of cattle. A little bit of patience would help maximize the payout, but it is also unnecessary.
Once the phone is ported, the attackers simply need to use the ‘Forgot password’ feature to restore a backup of that phone’s information. By default, a backup will include things like contacts, the email setup (if there is one) and all the applications that were installed on the phone. At this point, they simply need to open any banking software (since login information is also stored) and transfer any available funds out internationally.
Since this attack may also provide access to an email account, changing its password is also a trivial matter. Doing so could prevent the target from receiving emailed notification of the attackers’ activity, and provide the attacker with more time before they are detected.
Porting a phone is simple and requires only cursory details about whom the number is registered to. There is also no notification about this on the target’s phone. All incoming calls now go to the attacker’s phone; the target simply can’t call out. The only immediate indicator of this attack would be a change in the icon that shows the phone is connected to a cellular network. Depending on the make and model of the phone, it could disappear, have a slash through it, or something of that nature. Non-cellular services like Bluetooth and WiFi would continue to function normally. So, depending on where and how you used your phone, it could easily take days to notice you have been a victim of this sort of attack.
For starters, if you currently do any kind of backup for your phone, have any sort of financial, banking or sensitive software on it, and haven’t explicitly set things up to not back up your applications or financial software, DELETE ALL YOUR BACKUPS!! After that:
1) Make sure your backup process DOES NOT INCLUDE ANY FINANCIAL SOFTWARE
When you configure a backup, it’ll back up as much info as it can by default, including ALL your applications. Check the configuration and make sure you configure it NOT to back up your financial applications. This will not result in any sort of financial losses or issues, as the only data that is stored on the phone is the application itself and your login information. So, if you need to replace your phone, simply restore your backup as you would normally do, install your banking software and input your login information when you first open it.
2) Do your finances from a different device
If you can’t find a way to do a backup without including your financial software, then the only way to protect yourself from the problem of having that software and your login information restored from a backup, would be not to install it in the first place. But you still need to do your finances and remember that physical access to a bank may be cumbersome. So, if you’re forced into this corner, I can see 2 options:
Option a): Do your finances from a PC – This carries different risks (viruses, Trojans, etc.), so don’t think it’s as simple as just that. Also, there’s the potential issue of getting Internet access in the first place and the lack of convenience (it’s not as mobile as your phone).
Option b): Do your finances from a different phone – Remember: The issue of doing a backup that doesn’t include your financial software is still there, which may mean that you don’t back up this phone at all.
3) After you’ve dealt with your backups, contact your cellular carrier
Some carriers have the option of setting up additional security on your account to prevent a port from happening. Rogers allows you to set up a PIN and some others allow you to make it so that porting your phone requires physically going into a store. Your carrier may have an option for additional security in this situation, or they may not; it’s worth asking at least. Keep in mind that there’s no consensus about addressing this in Canada, so if there are steps you can take, they may or may not be effective. It doesn’t hurt to find out, but that’s why you should deal with this after you deal with the backups.
There’s no one cause for this attack. It’s a combination of several different factors that have created this situation. If financial software didn’t store your login credentials, then restoring a backup wouldn’t be a problem. If backups didn’t include installed applications (or application data) then restoring the backups wouldn’t be a problem. It’s easy to point a finger, but this situation is only possible due to multiple different reasons.
One major issue here is how easy it is to port a phone. Unfortunately, that process is legally mandated to be simple. The reality is that this was decreed because in the early days of cellular in Canada (you need to think back to the days of the Palm Pilot), each provider was making it difficult for a customer to switch to a competitor. Hence, mandating that the process be possible (and simple) was the solution. This was fine at the time, because cellular phones were just that: only phones. Times have changed. Phones are a lot more than just phones these days and the regulations need to catch up.
If you have any questions about phone backups, you can always reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.