Tuesday, July 16, 2019

Banks are now experiencing smart phone SMS phishing attacks (breaking SSL) looking for phone PII

There seems to be a new phishing attack using SMS messages rather than email, targeting customer bank and investment accounts.
A lot of this is rather recent, but the Better Business Bureau has a typical explanation.
Tonight, when I logged on to Wells Fargo, I noticed such a message about fifteen minutes later.  I thought it might be related to a long list of payments or maybe checking a secondary annuity site. 

Later I noticed that the message had come at exactly the same time as my first access. The point of such an attack is obscure;  it would make sense only if I carried a lot of data on my phone and I don’t.

If the hacker already had my cell phone, or already had access to the account, “they” could have messaged me exactly as I logged in. This implies they were the man in the middle, which shouldn't happen in a bank's SSL environment.  Fortunately, I have relatively little PII on my phone.  The message would link one to an account not secured, which is another red flag.
I’ve had only one other security issue with the iPhone, that is, occasional emails claiming gamer purchases in Indonesia or especially Belarus were charged to my Apple account, when they weren’t.
Maybe I do have a doppelganger in the non-western world. I wonder if that could surface if I were to travel abroad in non-western countries.
