Virus attack on HSBC Transactions with OTP Device

Disclaimer:  Author takes no responsibility for any actions with provided information

Latest Update:

  • 23-June-2012: Banks have succeeded in removing my account from Vimeo.com. Vimeo has deleted my account without informing me. You can watch the video from the www.facebook.com/BrokenInternet page.
  • “Expert Group on E-Banking Security” has given live demo to RBI(Reserve Bank of India)
  • “Expert Group on E-Banking Security” has given recorded demo and discussion DVD to CERT-IN Head personally
  • FIR registered in police station against HSBC Bank for sending people to my residence
  • 16/02/2012: DropBox has blocked my public link for video file downloads, saying “I am hosting viruses in Dropbox”, but I have kept only videos of banks there and given the link in my website for download.
  • 02/02/2012: HSBC has sent goons to my residence, after failed attempts to bring down the content with the help of the service provider. I was not present at that time; they asked my family members rude questions. HSBC showed the way they deal with cyber security in India.
  • 01/02/2012: HSBC again asked this hosting provider to remove the video of the Man-in-Browser attack. Based on the request of the hosting provider I have removed the video from this site and given external references to watch the same videos at Vimeo and Facebook.
  • 21/01/2012: www.yashks.com was disabled by the hosting provider (www.bluehost.com) without any notice to me. They acted based on a complaint by HSBC Bank. The Bank gave as its reason “I am teaching how to hack HSBC bank”; this is a wrong reason. The video only shows the consequences and how it is going to affect online banking customers.

In the proof-of-concept videos released over the last few weeks, we saw this virus attack two other banks. The latest one is on HSBC Online banking, using a similar Man-in-the-Middle / Man-in-the-Browser attack method. I am releasing this video to show what an attack can do to an online banking customer using the HSBC online banking facility with an OTP (One Time Password) device, and how it can result in a similar financial loss. As in the previous instances, I am not releasing the source code or binary of the virus, in order to prevent any kind of misuse by black hat hackers.

This video shows how a virus can take control of your Internet Explorer and manipulate HSBC Bank transactions in real time. The user logs into HSBC online banking with the help of a One Time Password (OTP) generated by the hardware device that HSBC Bank provides to each user, and performs an online transaction. To confirm any online transaction, the user must provide another OTP (the hardware token generates a new one every minute). The user is unaware that a virus is running in the background. In spite of the dual authentication, the virus is able to manipulate the transaction in real time without the user’s knowledge and redirect the funds to the attacker’s account: the OTP proves that the user is present, but it is not tied to the amount or beneficiary the user actually saw and approved.

For this demo, I have used Windows 7, Internet Explorer and Kaspersky anti-virus with the latest patches. The same virus can be extended to other browsers.


High level description of the video:

User account name is: Naveen T.G in HSBC Bank with OTP Device

Destination account name is: Yash K.S in ICICI Bank

Attacker’s account name is: Yash K.S in Citibank

  1. User login & transaction: The user logs in as Naveen T.G (HSBC Bank) with the login password and a One Time Password (OTP). The user enters the destination account details along with the amount of Rs. 34, confirms the transaction by entering another One Time Password (OTP), and completes the transaction.
  2. User realization: When the user checks the HSBC Bank account statement, the user sees that Rs. 10,000 has been transferred instead of Rs. 34 and that, instead of going to the Yash K.S – ICICI Bank account, the virus has transferred the amount to the Yash K.S – Citibank account in real time.
  3. Verification of the attacker’s account: The video also shows the attacker’s account, i.e. the Yash K.S – Citibank account, where the money has been received, confirming that the virus succeeded in diverting the transaction.
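
As an added example (not the bank's mechanism and not code from the original post), the following Python sketch contrasts the time-based OTP described above with a transaction-bound confirmation code, a mitigation that the page's own argument points toward: a code computed only from the clock authorises whatever the browser actually submitted, whereas one computed over the amount and beneficiary fails verification when either is altered in transit. The token secret, the HMAC construction and the account strings are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the token and the bank; not a real key.
TOKEN_SECRET = b"demo-shared-secret-not-a-real-key"
STEP = 60  # the page says the hardware token produces a new code every minute

def _six_digits(key: bytes, msg: bytes) -> str:
    """HMAC-SHA1 truncated to six digits (HOTP-style dynamic truncation)."""
    d = hmac.new(key, msg, hashlib.sha1).digest()
    off = d[-1] & 0x0F
    code = struct.unpack(">I", d[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def time_otp(key: bytes, now: int, amount=None, beneficiary=None) -> str:
    """Plain time-based OTP: the only input is the current 60-second window,
    so the same code is valid for any transaction submitted in that minute."""
    return _six_digits(key, struct.pack(">Q", now // STEP))

def transaction_code(key: bytes, now: int, amount: int, beneficiary: str) -> str:
    """Transaction-bound code: the window plus the amount and beneficiary the
    user keys into the token, so it verifies only for those exact details."""
    details = f"{amount}|{beneficiary}".encode()
    return _six_digits(key, struct.pack(">Q", now // STEP) + details)

def bank_accepts_time_otp(key, now, amount, beneficiary, code):
    """Weak check: amount and beneficiary never enter the verification."""
    return hmac.compare_digest(code, time_otp(key, now))

def bank_accepts_transaction_code(key, now, amount, beneficiary, code):
    """Hardened check: the bank recomputes the code over the transfer it is
    about to execute, not over whatever the browser displayed."""
    return hmac.compare_digest(code, transaction_code(key, now, amount, beneficiary))

def tampered_transfer_executes(verify, generate, key, now):
    """The user approves Rs. 34 to the ICICI account, as in the video; malware in
    the browser swaps in Rs. 10,000 to the Citibank account before submission.
    Returns True if the bank would execute the tampered transfer."""
    shown = (34, "Yash K.S - ICICI Bank")      # what the user sees and approves
    sent = (10000, "Yash K.S - Citibank")      # what actually reaches the bank
    code = generate(key, now, *shown)          # token output for the shown details
    return verify(key, now, *sent, code)

if __name__ == "__main__":
    now = 1_700_000_000
    print("time OTP, tampered transfer executes:",
          tampered_transfer_executes(bank_accepts_time_otp, time_otp, TOKEN_SECRET, now))
    print("transaction-bound code, tampered transfer executes:",
          tampered_transfer_executes(bank_accepts_transaction_code, transaction_code, TOKEN_SECRET, now))
```

The hardened check only helps if the user actually reads the amount and beneficiary from a trusted display (the token itself or an out-of-band message), since a browser-controlled screen can be made to show the intended values.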

The video has been removed from this site at the request of the hosting provider. If you would like to watch the video, please follow these instructions:

  • Search “Virus attack on HSBC Transactions with OTP Device” on www.vimeo.com and watch the video. Even this is blocked now: Vimeo has removed my account itself due to the Bank’s request. You can still watch it on the Facebook page.
  • Visit the “Broken Internet” Facebook page and watch this video.

Frequently Asked Questions

Q1) Why is an antivirus not able to identify this Trojan/Virus?

A) Virus detection is either signature based or heuristics based. To detect based on a signature, the anti-virus vendor must first obtain a sample of this virus; otherwise it cannot detect it. Heuristics based detection relies on the behaviour of the executable file, and most of the viruses in the wild today know how to evade these anti-viruses and other protection technologies.

Q2) Should the Trojan/Virus be different for different banks or the same for all the banks?
A) The Trojans are specific to a Bank. The attacker identifies the flaw in a particular bank and develops a Trojan to exploit the flaw.

Q3) What is the co-incidence that the Trojans/Virus present in my system is for the bank that I use?
A) A simple approach is to write a Trojan that can identify the bank and report back the data to the attacker. The attacker can then infect the computer with a bank specific Trojan. Smart Trojans can adapt to the situation because they contain code for multiple banks.

Q4) I don’t share my computer with strangers and I perform online transactions only from my computer, then, how can I get infected?
A) Computers can get infected when users visit malicious websites or download freeware. For more than 10 years, Trojan/virus writers have mastered the art of infecting end user systems. Today’s underground market hackers provide a Pay-Per-Install (PPI) service to other criminals.

Q5) I perform online transactions from my office environment only, which is supposed to be updated with the latest antivirus updates, is there still a probability of infection?
A) Anti-viruses detect and cure only known Trojans/viruses. The protection mechanisms help in mitigating risks, but attackers invent new ways, using combinations of exploits, to bypass these protections.

Q6) Can I get infected when I visit malicious online websites?
A) Yes. You cannot really identify whether a site is genuine or not, even if you have the most up-to-date antivirus.

Q7) Every time I transact, I immediately call the recipient to find out if he/she has received the money. Is this a safe measure?
A) This is a good practice. But if you make NEFT/RTGS transactions it takes a while for the money to reach the destination account, and it is really hard to recover your money in case of an attack.

Q8) Can I identify the Trojans/Virus from the task manager and kill it? What are the ways it is hidden in my computer?
A) Trojans/Viruses are hidden from the task manager. Hiding from the task manager was in fact the first step in the evolution of Trojans/Viruses.

Q9) If the InPrivate mode in web browsers is developed for sensitive activities, then, is it not safe enough?
A) This InPrivate mode is useless for securing online banking. Online banking facilities have been provided by banks, it’s up to them to find secure ways for the facilities they provide. The core focus of web browsers has never been to secure online banking transactions anyway.

Q10) Which is a safe web browser?
A) The same Trojan/Virus can be extended to any browser. The core architecture of a specific web browser remains the same for many years and attackers don’t need that many years to master a browser.

Q11) So many millions of online transactions happen in India. I haven’t heard any such incidences, especially, when the media hypes any such incidences of online attacks if it has occurred. Why should I bother now?
A) Most of these attacks go unnoticed by the user since they happen in stealth mode; banks also attempt to hush up any such incidents. After all, it’s their reputation at risk. That said, media attention on such topics is still limited.

Q12) My online bank account holds a small amount and I don’t transact more than a couple of thousand. I will alert myself if I hear of any such incident or have been attacked once.
A) It will be too late when you are a victim to say “next time”.

Q13) Some banks allow transfers only to pre-registered recipient accounts. In this case, how does the bank allow a transfer to a non-registered attacker’s account?
A) You can take a look at the Citibank and ICICI Bank videos to learn more about how such attacks could be performed. When an attacker targets a specific bank, his design takes that bank’s security measures into account. He performs an end-to-end attack.

Q14) Isn’t this a world-wide problem? Our banks will copy the western world for such advanced safety measures, and most of the banks in India where I have online accounts are foreign banks. Haven’t all these problems already been solved?
A) Yes, it is a worldwide problem. Banks world-wide have similar problems, but they only “feel” their online banking is secure. Such optimistic feelings from banks are not backed by substantial proof.

Q15) Is it possible for a criminal who is not a hacker to get hold of such Trojan/virus code, infect a few machines, and usurp money?
A) Yes, many tool kits are available on the internet, which criminals can configure and release into the wild. Banks should think outside the box and invest in building a controlled network for online banking.

Q16) I use many of the bank’s other online facilities. Is there a possibility of such attacks on a larger scale, where I can lose a large sum of money without my knowledge?
A) The risk exists all the time. Banks should take the right measures before a well-coordinated attack is planned by attackers.

  • Vijendra Kumar H.

    Dear Yash,

    Good to see that you are going out of the box to show the world how bank websites and online transactions are vulnerable. Articles are good for the banks to strengthen their security in online transactions. But bad for the end users. These articles leave scary impressions on any end user. Online transactions are really helping the environment by getting rid of a lot of paper work. So, promoting online transactions would be really good.

    It would be really good if you can give a few tips to the end users about necessary precautions to be taken while doing online transactions, so that they can continue to use online transactions and contribute to the environment indirectly.

    • Yash

      Users need to call up the bank’s customer care and confirm whether the money has really gone to the intended account or not. This is not a preventive step, it’s rather a mitigation step.

      Regards,
      Yash

  • Neeraj Goel

    Thanks Yash for awareness. It was really I washing. I had also thought, security measures by HSBC are really good, and difficult to break!!

    But you have not mentioned what is the way to avoid?

    Is it: Don’t do online banking transactions?

    Best regards,
    Neeraj

    • Yash

      To avoid these problems, banks need to think out of the box and build proper controls in the internet to perform secure transactions.

      Regards,
      Yash

  • aravind

    The FAQs are very informative…

  • Anurag

    Dear Yash,

    its eye-opener and scary both..and very informative for all.
    but wonderfull…clean way of showing the attack….!!!

    Regards
    Anurag

  • Fabian Llanos

    Better solution: don’t use cheap antivirus.

    • Yash

      Almost all anti-virus fails in detecting botnets, since these know how to disable the defences which exist in the user’s system. Even if you use some other anti-virus it is the same fate.

  • bhawesh

    Man!!!!

    What else is left for the innocent end customers, who just believe in the bank’s quality standard? What a thrilling video. Virus people are always one step ahead of any one of us; till now nothing has been made fool-proof, only ethical hackers like us can invent one more mitigation process… and the process goes on.

  • Virendar

    I do understand that the current loopholes in antivirus products let hackers go loose and ultimately end users like us suffer. I also know that banks do send alerts to their users after their transfers are done, and one of the ways to be doubly sure is to call up the customer care execs and confirm, and finally you can also check with the recipient on receipt.

    Now the user can at best adhere to security best practices, including the latest patches for the installed antivirus product. However, in a situation where AVs can be circumvented, how would you recommend safeguarding against such attacks beyond the baseline, and what would you recommend the bank adopt as countermeasures so as to avoid these kinds of attacks impacting both the bank and the user financially?
    This is one of the most important activities that users have started to use to transfer funds, and banks also use RTGS/NEFT transactions and transact heavy amounts globally.
    It would be really appreciated if you can come out with certain measures which can at least stop this malice. I also agree with you that banks do need to stress their security measures from their end, and that goes without saying.

    So look forward to your reply.

  • Robert A

    HSBC management in India is as stupid as any other bank, corporate or political class. Even though brain is the biggest muscle in the body, these morons know not how to use it. They’d use limbs instead and talk bullshit and continue to serve their customers from the ass.

    They will not learn, unless better alternatives come up. Not even when their online face is actually hacked to shame. They think hacker means someone who breaks into, and not that he is a good programmer.

  • Aparna

    Would doing the online transaction on a Linux box largely solve the problem?

    • Yash

      As long as your system is clean of malicious programs, there are no issues.