

Criminals Using SMS Messages to Beat Multifactor Authentication

For several years, cyber criminals have used text message scams called “smishing” to steal personal information. Now, SMS messages are being used to infiltrate peer-to-peer (P2P) payment services used by many financial institutions.

According to Krebs on Security, criminals have deployed a Zelle fraud scam that allows them to circumvent multifactor authentication and access a victim’s bank account without knowing the username or password.

The scam starts with a text message about a suspicious bank transfer:

[Image: the scam text message (source: Krebs on Security)]

Any response elicits a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member. The criminal then uses the code to complete the password reset process, changes the victim’s online banking password and uses Zelle to transfer the victim’s funds to others.

By sharing their username and reading back the one-time code sent via email, the victim has allowed the fraudster to reset their online banking password. The fraudster never needed to phish for the victim’s password.
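The sequence described above (forgot-password request, passcode verified, password changed, Zelle transfer) can be checked for in account event logs. The following is an added example, not part of the original article: the event names, the tuple layout and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed threshold; tune per institution
# Assumed event names for the forgot-password flow, in order.
CHAIN = ["password_reset_requested", "otp_verified", "password_changed"]

# Constructed sample events: (ISO timestamp, user, event type)
EVENTS = [
    ("2022-03-01T14:02:11", "alice", "password_reset_requested"),
    ("2022-03-01T14:03:40", "alice", "otp_verified"),
    ("2022-03-01T14:04:05", "alice", "password_changed"),
    ("2022-03-01T14:09:52", "alice", "p2p_transfer"),   # minutes after reset
    ("2022-03-01T09:15:00", "bob", "password_reset_requested"),
    ("2022-03-01T09:16:30", "bob", "otp_verified"),
    ("2022-03-01T09:17:02", "bob", "password_changed"),
    ("2022-03-02T18:40:00", "bob", "p2p_transfer"),     # next day, outside window
    ("2022-03-01T11:00:00", "carol", "login"),
    ("2022-03-01T11:05:00", "carol", "p2p_transfer"),   # no reset at all
]

def find_reset_then_transfer(events, window=WINDOW):
    """Return (user, reset_time, transfer_time) for every P2P transfer made
    within `window` of a completed forgot-password chain."""
    progress = {}  # user -> index of the next expected CHAIN step
    reset_at = {}  # user -> time the most recent reset completed
    alerts = []
    for ts, user, kind in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        step = progress.get(user, 0)
        if kind == "password_reset_requested":
            progress[user] = 1  # start (or restart) the chain
        elif 0 < step < len(CHAIN) and kind == CHAIN[step]:
            progress[user] = step + 1
            if progress[user] == len(CHAIN):
                reset_at[user] = when  # password was changed via the reset flow
                progress[user] = 0
        elif kind == "p2p_transfer" and user in reset_at:
            if when - reset_at[user] <= window:
                alerts.append((user, reset_at[user], when))
    return alerts

if __name__ == "__main__":
    for user, reset_time, transfer_time in find_reset_then_transfer(EVENTS):
        print(f"ALERT {user}: transfer {transfer_time - reset_time} after password reset")
```

A match is a reason to hold the transfer for review, since a customer can legitimately reset a password and then send money.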

