Recently the website of the Bank of India was attacked and used to distribute malware. If there’s one site you’re likely to trust, it’s your bank’s site. Phishing (and smishing) takes advantage of this trust to separate you from your login information and/or your money.

Online banking is already under attack by crooks, and they are also likely turning their eyes toward mobile banking. McAfee Avert Labs has been following mobile payment and mobile banking security for quite a while. We’ve also seen how mobile internet sites (WAP) and the newly created .mobi domain can be used for malware distribution.

Apart from dedicated mobile banking sites, banks are using Transaction Authorization Codes sent by text message (SMS) to add an extra layer of security to online banking. Transaction Authorization Codes are used by a number of banks in Asia.

Transaction Authorization Codes: How they work

Transaction Authorization Codes (TACs) are single-use or multiple-use passwords. TACs are only required for certain transactions, such as money transfers or setting up automatic bill payments. The codes are usually valid for two hours after they’re issued. To make things easier for customers, it’s common for banks to allow multiple transactions to be made with the same TAC.

Figure 1
1. Mr. Blue wishes to set up automatic bill payment for his utility bill. He requests a TAC from his bank, Green Bank.

2. Green Bank sends the TAC to Mr. Blue’s cellphone via SMS.

3. Mr. Blue can now set up payments for his utility bill.

What can go wrong

Figure 2
1. Mr. Blue is tricked into following a link to a malicious site with his mobile browser. The malicious site convinces Mr. Blue to install mobile spyware such as SymbOS/Mobispy.A. The site, belonging to Mr. Red, also fools Mr. Blue into entering his bank account information.

2. Later on, Mr. Blue visits Green Bank’s site and requests a TAC. Green Bank sends the TAC by SMS. Mr. Red receives a copy of the TAC.

3. Mr. Blue performs a transaction requiring a TAC. Mr. Red uses the same TAC to transfer money from Mr. Blue’s account to his own.
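The scenario in Figures 1 and 2 comes down to a server-side policy question: what does Green Bank check when a TAC is presented? The following Python model is an added example, not code from the post or from any bank. It models a TAC issuer/validator with the properties the post describes (two-hour validity, optional reuse across transactions) and replays Figure 2 against it, then goes one step beyond the post by adding two mitigations as assumptions: making the code single-use and binding it to the transaction details (payee and amount) at issue time. The names follow the post; the `TacServer`, `Transaction` and `figure_2_scenario` names, the account identifiers and the amounts are constructed for this example.

```python
"""Constructed model of a bank's TAC policy and the Figure 2 replay.

Assumptions (not from the post): the bank can choose to make a TAC
single-use and to bind it to the transaction it was requested for.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TAC_LIFETIME_SECONDS = 2 * 60 * 60  # "usually valid for two hours", per the post


@dataclass(frozen=True)
class Transaction:
    account: str  # account the money leaves
    payee: str    # biller or destination account
    amount: int   # in cents


@dataclass
class IssuedTac:
    code: str
    issued_at: int
    account: str
    bound_to: Optional[str] = None  # fingerprint of the transaction, if bound
    used: bool = False


def fingerprint(tx: Transaction) -> str:
    """Stable digest of the transaction details a bound TAC must cover."""
    return hashlib.sha256(f"{tx.account}|{tx.payee}|{tx.amount}".encode()).hexdigest()


class TacServer:
    """Issues TACs and decides whether a presented TAC authorizes a transaction."""

    def __init__(self, single_use: bool, bind_to_transaction: bool) -> None:
        self.single_use = single_use
        self.bind_to_transaction = bind_to_transaction
        self.issued: Dict[str, IssuedTac] = {}

    def issue(self, account: str, now: int, tx: Optional[Transaction] = None) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit code delivered by SMS
        bound = fingerprint(tx) if (self.bind_to_transaction and tx is not None) else None
        self.issued[code] = IssuedTac(code, now, account, bound)
        return code

    def authorize(self, code: str, tx: Transaction, now: int) -> bool:
        rec = self.issued.get(code)
        if rec is None or rec.account != tx.account:
            return False
        if now - rec.issued_at > TAC_LIFETIME_SECONDS:
            return False  # expired
        if self.single_use and rec.used:
            return False  # replay of an already consumed code
        if rec.bound_to is not None and not hmac.compare_digest(rec.bound_to, fingerprint(tx)):
            return False  # code was issued for a different payee/amount
        rec.used = True
        return True


def figure_2_scenario(server: TacServer, red_first: bool = False) -> Tuple[bool, bool]:
    """Replays Figure 2: the SMS carrying the TAC reaches both Mr. Blue and Mr. Red's spyware.

    Returns (blue_ok, red_ok): whether Mr. Blue's utility payment was accepted and
    whether Mr. Red's transfer to his own account, using the same code, was accepted.
    With red_first=True, Mr. Red submits before Mr. Blue does.
    """
    blue_tx = Transaction("blue-acct", "utility-co", 12_500)
    red_tx = Transaction("blue-acct", "red-acct", 900_000)
    t0 = 1_000_000  # constructed issue time
    code = server.issue("blue-acct", t0, blue_tx)
    if red_first:
        red_ok = server.authorize(code, red_tx, t0 + 60)
        blue_ok = server.authorize(code, blue_tx, t0 + 600)
    else:
        blue_ok = server.authorize(code, blue_tx, t0 + 60)
        red_ok = server.authorize(code, red_tx, t0 + 600)
    return blue_ok, red_ok


WEAK_POLICY = dict(single_use=False, bind_to_transaction=False)   # as the post describes
STRICT_POLICY = dict(single_use=True, bind_to_transaction=True)   # assumed mitigation

if __name__ == "__main__":
    print("weak policy, Blue then Red:", figure_2_scenario(TacServer(**WEAK_POLICY)))
    print("strict policy, Blue then Red:", figure_2_scenario(TacServer(**STRICT_POLICY)))
    print("single-use only, Red first:", figure_2_scenario(TacServer(True, False), red_first=True))
    print("strict policy, Red first:", figure_2_scenario(TacServer(**STRICT_POLICY), red_first=True))
```

Under the multi-use policy both transfers go through, exactly the outcome in Figure 2. Making the code single-use stops Mr. Red only if Mr. Blue submits first; if the spyware relays the code quickly enough, Mr. Red's transfer wins and Mr. Blue's legitimate payment is the one rejected. Binding the code to the payee and amount is what closes that race: a code issued for the utility bill cannot authorize a transfer to Mr. Red no matter who presents it first, which is why the bound version is the one worth discussing with carriers and customers.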

Banks have been active in the creation of user-friendly mobile banking sites. Many services are promoted as accessible both on smartphones and on ordinary cell phones. As computer criminals expand their reach toward mobile banking, McAfee recommends:

  • Individuals should never allow their phone out of their control and always use a PIN code with their phone.
  • Banks are advised to discuss the above scenarios and current level of device and service protection with carriers.
  • Mobile carriers should consider protection for all devices that can access mobile internet services.