
Phishing Tackle for Sale

Fergal Parkinson


At TMT ID we're excited about Authenticate, our frictionless silent authentication service, for a number of reasons, partly because we believe it represents the mobile ecosystem getting back on the front foot in the fight against fraud.

Some interesting intelligence from Microsoft illustrates very efficiently why things need to move forward.

Microsoft’s threat intelligence team have been monitoring the activities of a group they call DEV-1101, who have started to sell a ready-to-go phishing kit which, amongst other things, allows fraudsters to bypass the very security mechanisms designed to protect users, such as SMS one-time passwords (OTPs).

Put simply, the kit includes a range of standard templates to mimic things such as Microsoft Outlook, but the really interesting thing is that it uses AI bots to sit in the middle of the authentication process, circumventing existing two-factor authentication (2FA).

When the victim falls for a phishing email and clicks the link, they are taken to a web page that looks and feels like the real login page of their favourite brand, but is there to harvest their login data. The AI will gather these credentials and in parallel open a login session with the real site. When the real site sends a request for two-factor authentication such as a one-time password, the bot mirrors that on the fake site — so the user inputs the correct code into the fake site, and the bot quickly transfers it to the real login attempt being perpetrated by the fraudster.

Microsoft say this kit was first advertised online almost a year ago, and sells for as little as $300 for the standard version and $1,000 for the deluxe version.

Whilst the above is not doing anything we haven’t seen before, it is substantially lowering the fraudster’s barrier to entry and is expected to herald a significant increase in this type of crime — circumventing an OTP, which is the most common form of two-factor authentication and still in use by the majority of online brands.

Why this is relevant to Authenticate is also pretty simple. Because it works directly in conjunction with the mobile network operators who are authenticating the device from encrypted data held on the SIM card, it does not require a user to enter any credentials — so there is nothing to share with any bad actors.

Furthermore, the communication flow does not just involve the device, because the authentication messaging goes directly between the operator, TMT ID and the website you are trying to access — not the handset. Therefore, it’s never going to be susceptible to these kinds of man-in-the-middle attacks because there is nothing to intercept.

As ever, the advice from the industry remains the same:

  1. Always be on the lookout for suspicious emails.
  2. Don’t click the link unless you are sure it’s genuine.
  3. Talk to TMT ID about Authenticate and see if it can improve the security and user experience of your customers.

Last updated on June 24, 2026
