Do not give out activation data

The latest twist in e-banking fraud: cyber criminals are now targeting activation letters, warns the federal Reporting and Analysis Centre for Information Assurance (MELANI).

E-Banking

The reporting centre MELANI pointed out a few months ago that criminals are increasingly targeting mobile authentication methods in e-banking. Now attackers are going a step further: they try to get victims to send the fraudsters a copy of the letter the bank mailed them, which contains the activation data for e-banking two-factor authentication (2FA).

Since 2016, attackers have been using social engineering, assisted by malware such as "Retefe", to circumvent smartphone-based authentication methods. Users of PhotoTAN, CrontoSign and SecureSign are affected by such attacks, regardless of the smartphone operating system (Android or iOS).

Never(!) hand over your personal activation letter

Since the beginning of August, MELANI has observed an increasing number of attacks in which criminals attempt to obtain the letters banks send out containing activation data. Such an activation letter usually contains a mosaic image that must be scanned or photographed when a device is set up for e-banking for the first time with an app such as PhotoTAN, CrontoSign or SecureSign. The bank then approves that device for the mobile authentication method. These letters are normally sent to customers by postal mail. The attackers ask the victim to scan or photograph the letter and send it to them. Anyone who does this must expect the criminals to enrol a smartphone of their own for two-factor authentication and log into the victim's e-banking with it. From that point on, the attackers can log into the e-banking portal at any time and order fraudulent payments from the victim's account without the victim's knowledge.
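Why a photographed letter is as good as the phone itself: the activation data is the only thing a bank can check when a new device enrols, so a second device presenting the same data is indistinguishable from the customer's own. The following toy model, added here as an example (not MELANI's text nor any bank's or PhotoTAN vendor's code), assumes a deliberately simplified protocol: the letter carries a random secret standing in for the mosaic image, a device enrols by presenting that secret together with a key it generated locally, and a login is approved when an enrolled device answers an HMAC challenge. Customer and device names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Toy bank back end (an assumption for this example, not a real bank's protocol)."""

    def __init__(self):
        self.letters = {}     # customer -> activation secret printed on the mailed letter
        self.devices = {}     # customer -> {device_id: device_key} approved for mobile 2FA
        self.challenges = {}  # customer -> pending login challenge

    def issue_activation_letter(self, customer: str) -> str:
        # Real letters encode this as a mosaic image; here it is a hex string.
        secret = secrets.token_hex(16)
        self.letters[customer] = secret
        return secret

    def enrol_device(self, customer: str, device_id: str,
                     device_key: bytes, letter_secret: str) -> bool:
        # The letter is the only proof the bank sees: whoever holds a copy can enrol.
        expected = self.letters.get(customer)
        if expected is None or not hmac.compare_digest(expected, letter_secret):
            return False
        self.devices.setdefault(customer, {})[device_id] = device_key
        return True

    def login_challenge(self, customer: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.challenges[customer] = challenge
        return challenge

    def verify_login(self, customer: str, device_id: str, response: bytes) -> bool:
        key = self.devices.get(customer, {}).get(device_id)
        challenge = self.challenges.pop(customer, None)
        if key is None or challenge is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def enrolled_devices(self, customer: str) -> list:
        return sorted(self.devices.get(customer, {}))


class Device:
    """A smartphone running the authentication app (toy model)."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.key = secrets.token_bytes(32)  # generated on the phone, never leaves it

    def scan_letter(self, bank: Bank, customer: str, letter_secret: str) -> bool:
        return bank.enrol_device(customer, self.device_id, self.key, letter_secret)

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def run_scenario() -> dict:
    """Victim enrols legitimately, then forwards a copy of the letter to the attacker."""
    bank = Bank()
    customer = "alice"                      # constructed sample customer
    letter = bank.issue_activation_letter(customer)

    victim_phone = Device("alice-phone")
    victim_enrolled = victim_phone.scan_letter(bank, customer, letter)

    # Social engineering: the victim photographs the letter and sends it to the fraudsters,
    # who scan the same secret with a phone of their own.
    attacker_phone = Device("attacker-phone")
    attacker_enrolled = attacker_phone.scan_letter(bank, customer, letter)

    # The attacker's phone now passes the 2FA challenge exactly like the victim's.
    challenge = bank.login_challenge(customer)
    attacker_login = bank.verify_login(customer, attacker_phone.device_id,
                                       attacker_phone.answer(challenge))

    # A phone that never saw the letter cannot enrol and cannot answer a challenge.
    stranger_phone = Device("stranger-phone")
    stranger_enrolled = stranger_phone.scan_letter(bank, customer, "0" * 32)
    challenge = bank.login_challenge(customer)
    stranger_login = bank.verify_login(customer, stranger_phone.device_id,
                                       stranger_phone.answer(challenge))

    return {
        "victim_enrolled": victim_enrolled,
        "attacker_enrolled": attacker_enrolled,
        "attacker_login": attacker_login,
        "stranger_enrolled": stranger_enrolled,
        "stranger_login": stranger_login,
        "devices": bank.enrolled_devices(customer),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes is that the letter, not the phone, is the enrolment credential: once it is copied, the bank records two approved devices for the same customer and cannot tell which one the fraudsters hold.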

MELANI recommendation

For e-banking, MELANI recommends:

  • Do not "share" the bank's activation letter with anyone, even if asked to do so. If in doubt, contact the bank.
  • When you confirm a login to e-banking on the mobile device (e.g. smartphone or dedicated PhotoTAN device), make sure that what you are confirming really is a login and not already the release of a payment.
  • When approving a payment, always read the full text shown on the mobile device and check the amount and the recipient (name, IBAN) before releasing it.
  • Install smartphone apps only from the official app store (Google Play or Apple App Store). Never install apps from unknown sources, even if you are asked to do so. Do not modify your device in such a way that essential security mechanisms are undermined (e.g. "rooting", "jailbreaking").
  • Apply security updates for both the computer and the cell phone as soon as such an update is available.
  • If you notice any irregularities when logging into e-banking, contact your bank immediately.

Source: MELANI
