by getsaf 4937 days ago
The article describes the "sophisticated" attack

* Phish the users. The user must fall for this attack.

* Prompt the user to MANUALLY download AND install an application on their pc.

* Then (if that's not enough) download and MANUALLY install an app on your phone.

That's a whole lot of poor decisions on the end user's part. I wouldn't be surprised if these users wouldn't have just replied to an email with their account number and PIN. Better yet, just ask them to mail you cash; seems like something they would do too.

Think people. C'mon.


The attacker bootstraps a small exploit (clicking phishing link) into a much larger one (bank access) by using a multi-step escalation of privileges, that in several cases subverts or co-opts standard chains of trust. Sounds pretty slick to me.

Technical sophistication isn't the only form of sophistication. The attack is sophisticated in the trickery it employs to gain the user's trust and give the appearance of being legitimate. A security hole doesn't have to be an OS zero-day to be impressive.

Yep, always the user's fault.

Never mind that it's still as easy as ever to phish by email since the protocol doesn't give any guarantees of anything, not even that the "From" field can be trusted; or that SMS sucks in a similar way; or that their PCs and Android/RIM phones still allow installing untrusted apps by default.

It's quite sophisticated indeed. The prompt to install the PC app happens when the user visits the bank's site. They manage to get the user phone number and send an SMS as if they are the bank. Everything appears legit from the user's point of view. It's shortsighted to blame it on the user.

I was thinking the same thing. Why was this comment down-voted? Nothing wrong with honesty.

What is wrong with people today when you sell them a simple smartphone with no training and they don't immediately learn to tell a valid cert from a forged one or a trustworthy application developer from one hired by a bank? The biggest WTF here is the fact that we use email for anything and continue to not have a standard encryption protocol. I'm sure they'll get that nailed down though as soon as they find a good way to access all the required decryption keys from a Nasus device.