Many citizens unknowingly make it easier for fraudsters to get into their online banking accounts, said Maxim Kostikov, head of the banking systems security research group at Positive Technologies.
According to him, leaks of banking data containing clients' card details and personal data now occur very frequently.
To restore access to a personal account, a user needs their login and password, card details and phone number. Fraudsters intercept SMS messages and, as a result, can change the client's authentication data.
Using a phone number as the login for a mobile bank can make it easier for an attacker to access a user's personal account. Access is also easier to obtain when restoring it requires only a phone number plus card data or publicly available information.
The third risk factor is that SMS notifications can be intercepted. Wherever possible, bank customers should switch to push notifications.
“To mitigate these threats, banks need to add an additional authentication factor when restoring access, namely a code word, generate random usernames and allow customers to change them, and add functionality to confirm transfers only via push,” RIA Novosti quotes Kostikov as saying.
However, even after getting into the user's personal account, the attacker will encounter the bank's anti-fraud system. If it detects suspicious activity in the account, it should prevent the fraudster from causing financial harm to the client, or at least minimize that harm.
As Izvestia reported earlier in April, scammers began sending Russians SMS messages containing a code to register an account for a legal entity or individual entrepreneur at a bank. The message notifies the recipient of “registration in the guest area for legal entities on the Sberbank website.”