How Hackers Used A Netflix Account To Steal Banking Information



DefCon is an annual conference hosted every summer in Las Vegas, Nevada, where thousands of hackers from around the world congregate to learn about new technology vulnerabilities and cyberattacks. (AP Photo/Jae C. Hong)

Over the past weekend in Las Vegas, Nevada, thousands of hackers congregated at the 27th annual DefCon, the world’s longest-running and largest hacker convention, to learn from their peers about the latest hacking techniques.

During the show, there were sessions like “Say Cheese, How I Ransomwared Your DSLR Camera” by Check Point Software security researcher Eyal Itkin (more on that in a later post), “Defeating Bluetooth Low Energy 5 For Fun”, “Breaking Google Home” or “Reverse Engineering 4G Hotspots For Fun, Bugs, And Net Financial Loss”.

And if that’s your thing, then check out the conference’s schedule as well as the event’s media server, where most of the presentations are available for free.

In this report, I’ll focus on the presentation titled “Black Mirror: You Are Your Own Privacy Nightmare–The Hidden Threat of Paying For Subscription Services” given by security expert Cat Murdock on how she used information from online subscription services like Netflix, Apple Music or Spotify to access a banking account and steal confidential financial information.

“60% of the U.S. adult population has at least one subscription service in their name,” said Murdock, a security researcher at GuidePoint Security, in an exclusive interview. “And 30% of the remaining 40% are using the login information of the 60%!”

GuidePoint Security researcher Cat Murdock giving a presentation this past weekend at DefCon 27 in Las Vegas, Nevada, about how a hacker could gain access to your bank account data using Netflix subscription information.

Cat Murdock

Here’s how she described the way an attacker could use your Netflix account to access your banking information:

What happens is that many financial institutions have policies for when users forget their account number. So if you call and say, ‘Hey, I’m traveling, I’m having some issues with my mortgage payment, can you please confirm the account number, I don’t have it memorized’, they then have a set of rules to follow on how to release that account number. And this will vary from institution to institution. But generally, in multiple cases, they’ll ask first for the last four digits of your social security number, but a lot of times people don’t know that, or you might be in a place where you don’t want to disclose that. So, if the consumer doesn’t have that and they don’t have a credit card on them, they will go through a set of questions.

And if you just search Netflix on Twitter, you have a whole bunch of people who recently posted, ‘Hey, I just got a new Netflix subscription’, and you’re like, it’s August 1, and they just bought a new Netflix subscription today. You can then calculate the day of the month that that Netflix subscription, or whatever subscription, will renew and use that piece of information with a banking institution to prove ownership of an account. So the vulnerability comes in when you call to get more information about an account, but not quite the account number: they won’t verify as hard. Banking institutions will use publicly available information, like your birthday, your address, your full legal name, even where you opened the bank account, which is very easy to find out, especially if the user has not moved around a lot. So when you call first, you don’t ask for the account number first; you’re going to use the fact that you know the subscription services that were recently charged to the account to prove that you have knowledge of the account.

And you’ll say, ‘Hey, so I got this weird text message, one of the short numbers, you know, and it said that my Netflix subscription renewed yesterday, that should be my most recent charge on this account, could you verify the balance?’ And they’ll be like, ‘Sure, here’s your account balance’, and you’re like, ‘Great’. So now you know the most recent charge (Netflix) and you know the account balance, two critical pieces of information. And then you can keep going: ‘Can you just verify the prior few charges for me? I just want to be sure that there are no pending charges that are going to change the balance.’ And a lot of times the person, to be helpful, will hand over all the seemingly inconsequential information very easily. And you, as the attacker, say, ‘Sweet, now I have the last few charges, and I have the account balance’.

So you slowly use the first call to build your knowledge base around the account: you already have knowledge about what this user is spending on subscription services and other openly available information. So then you call back a second time and you’re armed with all of these details and you say, ‘Hey, can I verify the account number? But I don’t know my social security number’, and they’re like, ‘Okay, let me go through this checklist.’ And the checklist is pretty similar among multiple financial institutions, including: what is your most recent charge? Can you verify this pending request? Do you have credit cards on the account? So now, with all this information, you can pretty much tap off your ID account folder and the financial institution will confirm the account number for you.

Although the hack is a multi-stage attack involving several calls to the same financial institution, “the threat is that subscription services are usually a fixed amount and anyone who does research on the vendor can figure out what that fixed rate is.”
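To make the escalation concrete, here is an added Python model of the two-call attack and of the verbal-PIN fix Murdock recommends. It is example code written for this article, not code from Murdock or GuidePoint: the bank, its tiered verification policy, the subscription price, the merchant descriptor, the transactions and the tweeted signup date are all constructed. The point it shows is that the data the weak tier hands out (balance, recent charges) is exactly the data the strong tier checks, so the strong tier adds no security; requiring a caller-set PIN before any account-specific disclosure closes that loop.

```python
"""Knowledge-escalation model of the subscription-charge social-engineering attack.

Added example with constructed data; the policy rules mirror the description in
the talk, not any specific bank's procedure.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed: a fixed, publicly known monthly price and the signup date that an
# attacker read off a public "just got Netflix" tweet.
NETFLIX_MONTHLY = "12.99"
SIGNUP_DATE = date(2019, 8, 1)


def next_renewal(signup: date, months: int) -> date:
    """Date of the Nth monthly renewal after signup, clamped to month end
    (a Jan 31 signup renews on Feb 28)."""
    m = signup.month - 1 + months
    year, month = signup.year + m // 12, m % 12 + 1
    day = min(signup.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Account:
    number: str
    holder: str
    dob: date
    balance: str
    charges: list          # newest first: (date, merchant, amount)
    ssn_last4: str
    verbal_pin: Optional[str] = None


@dataclass
class Caller:
    """What the caller knows; it grows with every answer the bank gives."""
    known: dict = field(default_factory=dict)


def weak_policy(account: Account, caller: Caller, request: str):
    """Tiered KBA as described in the talk. Returns (granted, disclosed)."""
    k = caller.known
    public_ok = k.get("holder") == account.holder and k.get("dob") == account.dob
    if request == "balance_and_charges":
        # Soft tier: public data plus the most recent charge "proves" ownership.
        if public_ok and k.get("recent_charge") == account.charges[0][1:]:
            return True, {"balance": account.balance, "charges": list(account.charges)}
        return False, {}
    if request == "account_number":
        if k.get("ssn_last4") == account.ssn_last4:
            return True, {"number": account.number}
        # Hard tier: checklist of balance and charge history. Every item on it was
        # disclosed by the soft tier, so it verifies nothing extra.
        checklist = (public_ok and k.get("balance") == account.balance
                     and k.get("charges") == account.charges)
        return (True, {"number": account.number}) if checklist else (False, {})
    return False, {}


def pin_policy(account: Account, caller: Caller, request: str):
    """Hardened variant: no account-specific disclosure without the verbal PIN."""
    if account.verbal_pin is None or caller.known.get("verbal_pin") != account.verbal_pin:
        return False, {}
    return weak_policy(account, caller, request)


def run_attack(account: Account, policy) -> Optional[str]:
    """Call 1 harvests balance and charges; call 2 spends them on the number checklist."""
    caller = Caller({"holder": account.holder, "dob": account.dob,
                     "recent_charge": ("NETFLIX.COM", NETFLIX_MONTHLY)})
    ok, got = policy(account, caller, "balance_and_charges")
    if ok:
        caller.known.update(got)
    ok, got = policy(account, caller, "account_number")
    return got.get("number") if ok else None


def sample_account(pin: Optional[str] = None) -> Account:
    """Constructed account whose newest charge is the renewal predicted from the tweet."""
    renewal = next_renewal(SIGNUP_DATE, 1)   # 2019-09-01
    return Account("1234567890", "Jane Doe", date(1985, 4, 12), "2,418.77",
                   [(renewal, "NETFLIX.COM", NETFLIX_MONTHLY),
                    (date(2019, 8, 28), "GROCER", "54.10")],
                   ssn_last4="8842", verbal_pin=pin)


if __name__ == "__main__":
    print("weak policy leaks account number:", run_attack(sample_account(), weak_policy))
    print("PIN policy leaks account number:", run_attack(sample_account("482913"), pin_policy))
```

Run it and the weak policy returns the account number after two calls in which the attacker never supplied anything beyond public data and a predictable charge, while the PIN-gated policy returns nothing. The renewal helper is separated out because the month-end clamp is the one place a naive "same day next month" calculation gets the predicted charge date wrong.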

In addition, with all the information exposed by the Equifax and Capital One breaches, attackers now have a robust profile of a large portion of the American population.

“And then it’s important to remember that on the attacker side, these are entire criminal organizations, not just a single person, with lots of manpower and time to spend, already aggregating information on individuals,” explained Murdock.

Finally, Murdock suggested asking your telephone company or your financial institution to set a verbal passphrase or verbal PIN (six digits or more) that anyone who calls about the account must know.

Atherton Research Insights

The first piece of advice is to try not to divulge too much about yourself, even details that seem unimportant, which, I know, is a hard thing to do in the era of social networks for a lot of folks, me included.

And the next best thing would be to add an extra layer of security in the form of a token-based 2-factor authentication method, such as Google Authenticator, Duo Security or Authy, rather than an SMS text message, which can be intercepted or spoofed.
