New Mobile Banking Scam you need to be wary of

So a Skunkworks mailing list user posted this (possibly new) form of mobile banking scam. He happens to be a Co-op Bank account holder, so it is unclear whether this vulnerability is limited to Co-op Bank or also applies to others. Here’s the thing: mobile banking via USSD is expected to be one of the most fool-proof methods, since it is not expected to work without involving your actual mobile phone. This person reports that there were attempts to use the fake PIN he shared, probably to make transfers off his account.

Forget the part where he actually did give away his PIN to a stranger (no one else is supposed to have it, whether old or new PIN, not even your banker): the fact that there were attempts on his account without involving his phone is quite worrying. What could be happening?

See below.

I recently got a call from someone claiming to be from Co-op Bank. He told me some bullshit about having upgraded their system and asked if I had received my new PIN number; I said no, and he asked me for my old (current) PIN. I smelled a rat and gave him a fake one (1234). Hours later I tried the service (*667#) only to find myself blocked; on contacting the bank, they said that there had been numerous failed attempts, hence the blocking.

Question is, I thought the M-Banking system is connected to my number; have those crooks cloned it? Is it an inside job? FYI, I got a similar call today, but I took him on a wild goose chase.

Sounds like a classic case of social engineering and not necessarily a weakness with the technology. Once the user reveals their credentials, the attacker can quickly make account withdrawals.

The bank should however have flagged what is definitely unusual account activity and contacted the customer immediately. Trust Kenyan banks to take shortcuts with your money!

Remember the mobile service is a USSD service that should only be accessible at device level.

Modifying USSD requests is trivial, and thus the need for a PIN to provide server-side authentication.
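The two points above (the USSD service is tied to the enrolled handset, and the bank should have flagged the burst of failed PIN attempts) translate directly into a detection rule a bank could run over its USSD authentication log. The following is an added example, not code from the original post or from any bank; the log format, field names, account and MSISDN values and thresholds are all constructed assumptions.

```python
"""Added example: flag USSD PIN abuse from an authentication log.

Raises an alert when (a) a request reaches an account from a subscriber
number (MSISDN) other than the one registered to it, or (b) an account
collects too many bad-PIN results inside a short window. Log format and
all values below are constructed for illustration, not a real bank's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, originating MSISDN, result.
SAMPLE_LOG = """\
2015-03-02T10:00:05 acct=ACC-001 msisdn=254700000001 result=OK
2015-03-02T13:20:01 acct=ACC-001 msisdn=254711111111 result=BAD_PIN
2015-03-02T13:20:09 acct=ACC-001 msisdn=254711111111 result=BAD_PIN
2015-03-02T13:20:17 acct=ACC-001 msisdn=254711111111 result=BAD_PIN
2015-03-02T13:21:30 acct=ACC-002 msisdn=254700000002 result=BAD_PIN
2015-03-02T15:05:00 acct=ACC-002 msisdn=254700000002 result=OK
"""

# Constructed mapping of account -> phone number enrolled for M-Banking.
REGISTERED = {"ACC-001": "254700000001", "ACC-002": "254700000002"}

MAX_FAILURES = 3            # bad PINs that trigger an alert (assumed)
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one 'ts key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_alerts(log_text, registered, max_failures=MAX_FAILURES, window=WINDOW):
    """Return sorted (account, msisdn, reason) tuples needing customer contact."""
    failures = defaultdict(list)      # (acct, msisdn) -> recent failure times
    alerts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        acct, msisdn = rec["acct"], rec["msisdn"]
        if msisdn != registered.get(acct):
            # USSD should only reach the account from the enrolled handset.
            alerts.add((acct, msisdn, "msisdn_mismatch"))
        if rec["result"] != "OK":
            recent = [t for t in failures[(acct, msisdn)] if rec["ts"] - t <= window]
            recent.append(rec["ts"])
            failures[(acct, msisdn)] = recent
            if len(recent) >= max_failures:
                alerts.add((acct, msisdn, "pin_brute_force"))
    return sorted(alerts)
```

Run over the constructed log, only ACC-001 is flagged: the three bad PINs all arrive from a number that is not the one enrolled to the account, which is exactly the pattern the bank should have noticed and acted on.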

We all know bank employees are colluding with hackers to steal money from customers. The bank employee (customer care/IT/cashier/manager, etc.) has access to all of your secret data and will therefore share it with someone on the outside who is smart enough to do some crazy things, like giving the employee malware to infect the server so that he can register your account on another SIM card, or simply the employee adds another number to your account details! There is no perfect computer system out there; someone stole thousands of user passwords from an Amazon server in 2014.