SMS 2-factor authentication has been implemented by a number of security conscious organisations, including banks, to secure online transactions. SMS 2-factor authentication has had a major impact in reducing online fraud. This is because an attacker most not only capture the victim's username and password to login to their bank account, but they must now also have the victim's phone to receive the SMS 2-factor authentication token. This restricts the number of possible attackers dramatically.
This security control has been around for a while now and has been very successful. With the introduction and dramatic increase in the number of smartphones available these days, such as iPhones and Androids, the effectiveness of this security control is slowly decreasing. Why?
Previously, a user would login to their internet banking on their laptop, and then receiving the SMS token on a separate device (their mobile). The attacker may be able to capture the username and password of the victim, but they are unable to capture the SMS token. Nice and secure.
Now we find that users are logging into their internet banking on their smartphone, and then receiving the SMS token on the same device. This means that an attacker who has hacked the victim's smartphone, most likely via a malicious website, is now able to capture the username, password, and SMS token all on the one device. Doh!
I have put together a quick demonstration video performing this attack. The victim's iPhone has already been compromised and the attacker has remote command line access on the iPhone. Take a look below.