Crooks Crack mTAN Technique

A customer must confirm every online banking transaction with a TAN (transaction number). Financial institutions use different procedures for conveying the TAN safely from the bank to the customer. In the case of mTAN (mobile transaction number), the bank sends the TAN via SMS to the cell phone number it has on file. This procedure, which was promoted as apparently the safest one, has now been cracked by hackers.

For this, the hackers use the banking Trojan ZeuS. The security service provider S21sec has now discovered a new variant that goes one step further: when a bank's page is called up, a fake version appears in the browser window.

The fake page asks the user to install a supposedly essential update for the cell phone, in the form of firmware. To download it, the user has to enter their phone number so that the download link can be sent to the phone.

By following this link, the user unknowingly installs the mobile version of ZeuS on the cell phone. Every incoming SMS is then automatically forwarded to the hacker.

In combination with the PC version, unauthorised transfers can then be carried out. In earlier variations of the crime, the crooks could even loot accounts by sending collective bank transfers to the bank server.

Cell phones running Symbian and BlackBerry systems are affected. A patch is not available to date. Bear in mind, therefore, that you should install software for your PC only from reliable sources. Also make sure that you read the bank's SMS in detail and compare the number of transfers and the account number with your entries.
