Android malware steals one-time passcodes
One-time passcodes, a crucial defense for online banking applications, are being intercepted by a malware program for Android, according to new research from Symantec.
The malware, called Android.Bankosy, has been updated to intercept the codes, which are part of so-called two-factor authentication systems.
Many online banking applications require a login and password plus a time-sensitive code before granting access. The one-time passcode is sent over SMS but can also be delivered via an automated phone call.
Some banks have moved to call-based delivery of passcodes. In theory, that provides better security since SMS messages can be intercepted by some malware, wrote Dinesh Venkatesan of Symantec in a blog post on Tuesday.