Monthly Archives: February 2014

Phishing on the Mobile + Internet Front

I received an SMS from DBS this afternoon:

Fr DBS: Due to security reasons, your DBS/POSB Card(s) must be urgently replaced. Please call the Bank now on 18001111111 or +6563272265.

Of course, I straight away clicked on the number in the message to make the call. I went through their IVR system to a customer care officer, and he proceeded to ask me for passport information, how many cards I had, and who I have a joint account with, for verification purposes. They proceeded to investigate but found that my account was not compromised by the suspicious merchant making fraudulent charges on people’s accounts. I’m still regretting not asking why the SMS was triggered in the first place, though he implied it was targeted at accounts that made frequent internet purchases.

I called my husband after that and told him about it. He didn’t get the SMS (I don’t think he shops online as much as I do) but asked me whether I called DBS or the number in the SMS. I didn’t even think about it because I often call DBS for whatever reason and I know their hotline by heart so I knew it was the correct number.

Looking back at the whole scenario, several aspects make it a perfect setting for some serious social engineering. Apart from the fact that the customer service number in the SMS was actually the real number, this could very well have been a social engineering attack.

Today’s mobile phones make it easy to just tap a number in a message to dial it, so rather than looking up the customer service number in their phone book or on the bank’s website, recipients would just tap the message and proceed. Add “urgently replaced” and “call the Bank now”, and that triggers enough panic in the target (in this case me) to make them resort to the quickest possible way to make contact, which is tapping the number in the message.

The SMS sender’s number isn’t the same as the one they use to send SMSes for OTPs. Looking at the message thread, there’s no history of me ever receiving any messages from this number, so there’s no way for me to verify that this is a legitimate message from DBS.

An attacker could send exactly the same message with a different phone number listed, have the victims call them up, and freely collect all the security questions and answers typically used to verify accounts (passport, account/credit card details, etc.) across a number of web services, not limited to banking.

Potential Solutions

1. Getting a vanity customer service number (think 1-800-FLOWERS) that’s easy for customers to remember (1-800-DBSHELP maybe?) and marketing the heck out of it, so customers know the one number they should be calling for anything related to banking.

2. It wouldn’t hurt if their systems used one number for all their SMSes as well, to assure the customer they’re dealing with the same entity. I guess I would have felt more at ease if this alert had come in the same thread as the messages with my OTPs and transaction alerts.

3. Smartphones can do their part by making their OSes even smarter, allowing these vanity numbers to be dialled directly from SMS messages.
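As an added illustration of the sender-consistency idea in solution 2 (example code added here, not from the original post), this is a client-side check that pulls every callback number out of an SMS, normalises it, and compares it against the bank’s published hotlines and sender IDs. Only the two hotline numbers quoted in the SMS above come from the post; the sender IDs, the unknown sender, and the second message with a swapped number are constructed placeholders.

```python
import re

# Constructed allow-lists. The two hotline numbers are the ones quoted in the SMS
# above; the sender IDs are placeholders (the real DBS OTP sender ID is not on the page).
KNOWN_BANK_NUMBERS = {"+6518001111111", "+6563272265"}
KNOWN_SENDER_IDS = {"DBS", "+6500000000"}  # placeholder values
URGENCY_CUES = ("urgent", "immediately", "now", "suspend", "locked")

# Constructed sample messages: the real SMS from the post, and a hypothetical variant
# with the callback numbers swapped for a single unknown number.
REAL_SMS = ("Fr DBS: Due to security reasons, your DBS/POSB Card(s) must be urgently "
            "replaced. Please call the Bank now on 18001111111 or +6563272265.")
SWAPPED_SMS = REAL_SMS.replace("18001111111 or +6563272265", "+6591234567")

# A run of 8+ digits, optionally with spaces/dashes inside and a leading '+'.
NUMBER_RE = re.compile(r"\+?\d[\d\s\-]{6,}\d")


def normalise(number: str, country: str = "+65") -> str:
    """Reduce a dialable number to E.164-style form; bare local numbers are assumed Singaporean."""
    digits = re.sub(r"\D", "", number)
    return "+" + digits if number.strip().startswith("+") else country + digits


def assess_sms(sender: str, body: str) -> dict:
    """Flag an SMS whose callback numbers are not on the bank's published list."""
    numbers = {normalise(m.group()) for m in NUMBER_RE.finditer(body)}
    unknown = sorted(n for n in numbers if n not in KNOWN_BANK_NUMBERS)
    cues = [w for w in URGENCY_CUES if w in body.lower()]
    sender_known = sender.strip() in KNOWN_SENDER_IDS
    if unknown:
        risk = "high"       # call-to-action points at a number the bank never published
    elif cues and not sender_known:
        risk = "medium"     # genuine numbers, but urgency from an unfamiliar sender
    else:
        risk = "low"
    return {"numbers": sorted(numbers), "unknown_numbers": unknown,
            "urgency_cues": cues, "sender_known": sender_known, "risk": risk}


if __name__ == "__main__":
    for sender, body in [("+6598765432", REAL_SMS), ("+6598765432", SWAPPED_SMS)]:
        print(assess_sms(sender, body))
```

The real message lands at "medium" only because it arrived from a sender the phone has never seen; the same text with one unpublished number becomes "high".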

Update: Interesting how this Netflix phishing scam uses fake customer service reps as part of the scheme: http://www.huffingtonpost.com/2014/03/03/netflix-phishing-scam-customer-support_n_4892048.html