I caught this article that was referred to readers by PenTesting Magazine and originally came from The Register in the UK:
After Years Of Warnings...
It's about the protocol flaw that allows crook #2 to insert into financial transaction flows the logon/password/whatever information stolen by crook #1, who got the info from laptops, phones or desktops harboring the malware bots in crook #1's net. However, it occurred to me that although some bank customers would be vulnerable to the arrangement, there may be others that would not be. So I dropped by a local bank.
I described the situation in as-non-technical-as-possible terms and asked the loan official if it was plausible for customer immunity to result from a particular circumstance. An SS7 protocol vulnerability plus knowledge of logon credentials for an online banking account gives two crooks the opportunity to craft communication that looks like a request from the real customer for money. All one needs is the credential (or credential group) and the protocol hack (which the involved standards committee may spend months closing). But what if the list that crook #2 bought from crook #1 does not contain the credentials of customer X? Then customer X is immune.
How would this happen? The "harvester" malware operated by crook #1 looks for whatever it can find. If a particular customer, say an 88-year-old who's never set up an online banking profile, does business with checks, debit cards, credit cards, cash, or whatever other old-fashioned way... then that customer would never have set up credentials with which to log onto any https site from the bank.
The loan official agreed that the lack of that information in the account holder's profile would be a problem for crooks since you can't steal what isn't there. I told her that I was interested to hear that, since the case of a customer that had not established an online profile with a financial institution described me as well. I like many types of technology but not the particular one being discussed. That's just me.
We also determined that fraud control software could possibly save the day, at least in the US for now. German banks have been seeing some successful attacks of the above type for a few months, but if the attack comes here (the US) from there, FC software might be able to tell from IP addresses that the malevolent request IPs don't match the IPs from which the customer typically communicates. If it's smart enough to do that, it may even protect against attacks routed through closer, in-country servers (as well as apply contextual comparisons like "why would a blind person buy a motorcycle?"). At that point the bad guys experience something like
--- Interfere with transaction / Put up error message PLEASE CONTACT YOUR INSTITUTION / Write log entry / Run tracking script / Email admin --- .
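The two defensive points above, a customer with no online profile having nothing to steal and fraud-control software comparing a request's source IP against the customer's usual networks, sketched as a small added example. This is illustration code written for this page, not any bank's or vendor's product; the account ids, networks and country codes are constructed sample data.

```python
import ipaddress

# Constructed sample profiles (hypothetical): what a bank's fraud-control
# layer might know about each account holder from past sessions.
PROFILES = {
    "ACCT-1001": {"online_enabled": True, "country": "US",
                  "usual_networks": ["203.0.113.0/24", "198.51.100.0/24"]},
    "ACCT-2002": {"online_enabled": False, "country": "US",
                  "usual_networks": []},   # never set up online banking
}

AUDIT_LOG = []   # stands in for "write log entry / email admin"


def ip_is_usual(ip: str, networks) -> bool:
    """True if ip falls inside any network the customer has used before."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def evaluate_request(account_id, source_ip, source_country):
    """Return (decision, reason); decision is 'allow' or 'block'."""
    profile = PROFILES.get(account_id)
    if profile is None:
        return "block", "unknown account"
    # No online profile: valid credentials cannot exist, so any request is bogus.
    if not profile["online_enabled"]:
        return "block", "no online profile on file"
    # Request arriving from a country the customer never banks from.
    if source_country != profile["country"]:
        return "block", f"country {source_country} != {profile['country']}"
    # Request from an address outside the customer's usual networks.
    if not ip_is_usual(source_ip, profile["usual_networks"]):
        return "block", f"source {source_ip} outside usual networks"
    return "allow", "source matches customer history"


def handle_request(account_id, source_ip, source_country):
    """Apply the decision: interfere, show the error message, log the event."""
    decision, reason = evaluate_request(account_id, source_ip, source_country)
    if decision == "block":
        AUDIT_LOG.append({"account": account_id, "ip": source_ip, "reason": reason})
        return "PLEASE CONTACT YOUR INSTITUTION"
    return "OK"
```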