Criminals Using SMS Messages to Beat Multifactor Authentication

For several years, cyber criminals have used text message scams called “smishing” to steal personal information. Now, SMS messages are being used to infiltrate the peer-to-peer (P2P) payment services offered by many financial institutions.

According to Krebs on Security, criminals have deployed a Zelle fraud scam that allows them to circumvent multifactor authentication and access a victim’s bank account without knowing the username or password.

The scam starts with a text message about a supposedly suspicious bank transfer.

Any response elicits a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster has started an action on the financial institution’s site — such as the “forgot password” flow — and that action is what generates the authentication passcode delivered to the customer. The criminal then uses the code to complete the password reset process, changes the victim’s online banking password and uses Zelle to transfer the victim’s funds to others.

By sharing their username and reading back the one-time code sent via email, the victim has allowed the fraudster to reset their online banking password. The fraudster never needed to phish for the victim’s password.
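The chain above leaves a recognisable trail in a bank's own audit log: a password reset started from a device the customer has never used, completed with a one-time code, and followed minutes later by a P2P transfer. The following is an added detection example, not code from the Krebs article or from any financial institution's tooling; the event names, the device identifiers and the sample log entries are constructed for illustration and do not reflect any real core-banking log format.

```python
"""Flag the OTP-assisted password-reset takeover pattern in a bank audit log.

Assumed (hypothetical) log schema: (timestamp, username, event, device_id, amount).
Event vocabulary is invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. "alice" legitimately resets her password from her
# usual phone; "bob" has a reset started from an unseen device, an OTP accepted,
# a password change, a new Zelle-style payee and an outbound transfer within minutes.
SAMPLE_EVENTS = [
    ("2023-03-01T10:00:00", "alice", "login",                    "dev-alice-phone", 0),
    ("2023-03-01T10:01:00", "alice", "password_reset_requested", "dev-alice-phone", 0),
    ("2023-03-01T10:02:00", "alice", "otp_verified",             "dev-alice-phone", 0),
    ("2023-03-01T10:03:00", "alice", "password_changed",         "dev-alice-phone", 0),
    ("2023-03-01T10:10:00", "bob",   "password_reset_requested", "dev-unknown-77",  0),
    ("2023-03-01T10:12:00", "bob",   "otp_verified",             "dev-unknown-77",  0),
    ("2023-03-01T10:13:00", "bob",   "password_changed",         "dev-unknown-77",  0),
    ("2023-03-01T10:15:00", "bob",   "p2p_payee_added",          "dev-unknown-77",  0),
    ("2023-03-01T10:16:00", "bob",   "p2p_transfer",             "dev-unknown-77",  2500),
]

# Devices each customer has previously logged in from (constructed).
KNOWN_DEVICES = {"alice": {"dev-alice-phone"}, "bob": {"dev-bob-laptop"}}

# The ordered chain that, from an unfamiliar device, characterises the scam.
TAKEOVER_SEQUENCE = [
    "password_reset_requested",
    "otp_verified",
    "password_changed",
    "p2p_transfer",
]


def find_otp_reset_takeovers(events, known_devices, window=timedelta(minutes=30)):
    """Return one alert per reset chain that starts from a device the customer has
    never used and completes (reset -> OTP -> password change -> transfer) inside
    `window`. A reset from a familiar device is treated as normal behaviour."""
    by_user = defaultdict(list)
    for ts, user, event, device, amount in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), event, device, amount))

    alerts = []
    for user, evs in by_user.items():
        for i, (t0, event, device, _) in enumerate(evs):
            if event != TAKEOVER_SEQUENCE[0] or device in known_devices.get(user, set()):
                continue
            needed = TAKEOVER_SEQUENCE[1:]  # fresh copy per candidate chain
            amount = 0
            # Walk forward, matching the remaining events in order within the window.
            for t1, ev1, _, amt in evs[i + 1:]:
                if t1 - t0 > window or not needed:
                    break
                if ev1 == needed[0]:
                    needed.pop(0)
                    if ev1 == "p2p_transfer":
                        amount = amt
            if not needed:
                alerts.append({
                    "user": user,
                    "device": device,
                    "started": t0.isoformat(),
                    "amount": amount,
                    "reason": "password reset from unseen device, OTP-completed "
                              "password change and P2P transfer within window",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_otp_reset_takeovers(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(alert)
```

The rule keys on the new-device signal because the fraudster operates the reset from their own equipment; the victim only supplies the code by phone. In practice the same chain can be used as a hold condition (delay the transfer and confirm it in-app on a previously enrolled device) rather than just an after-the-fact alert.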