Flash. Bang. Wallet: Marcher crooks target UK Android users Miscreants behind the Marcher mobile malware have begun targeting UK banking customers. The trojan - which already targets banks in other countries, including Germany, Austria, France, Australia and Turkey - has added nine major UK bank brands onto its roster, IBM's X-Force security research team warns. Marcher is an Android- …
Except this isn't, for once, a Flash vulnerability. It appears to be another vector which just pretends to be something to do with Flash in order to get the user to execute it. 99% of Apple users won't know their device doesn't use Flash so would behave in the same way anyway.
Because flash is so compromised, PC users (who still have flash installed) are used to seeing notifications for updates all the time. If it they didn't use "flash update" as the reason, they could have used "Java update" or "adobe reader update" as those are just as noisy.
Indeed, the "2" in 2FA is the assumption that both channels are not compromised by the same folk.
Using your phone for both blows that out of the water, but you know for some its is the only "computer" they have so it is used, and sadly probably has less patching available than most XP boxes...
You would think so - but I was recently slagged off in a newspaper's on-line forums by an "IT security professional" who was convinced that the safest way to do on-line banking was by using the bank's free phone app as opposed to the two channel authentication method I had suggested - still, my money is still where it's supposed to be, hopefully hers has migrated elsewhere by now.
Santander (and probably others) has for a long time shown you an image previously selected by them, and a phrase previously entered by you, after you have entered your customer number, but before you enter your secret information. Assuming the user is awake, this ought to defeat attacks which present the same spoof site to every user.
But it's a quick step to doing MITP, secretly stepping in between the actual app and the user and logging everything the user sees and does so as to defeat that kind of authentication. And as noted, you can't use another factor for authentication when the phone is the ONLY factor they frequently have. You can't do two-factor authentication without a second factor, after all.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
