Interview with Toss Whitehacker Team Members Jongho Lee, Hanbyeol Ji, Hansol Jeong, and Jungsoo Choi
Careless Clicks on Unknown Web Addresses Can Lead to Theft of ID and Financial Information
Seunggun Lee Stresses "Customer Trust"... Establishment of 'Hacker Chapter' Across Toss Affiliates
"Your mobile phone has been taken over by a hacker. Right now, the hacker is reading your ID and financial information from their own PC."
The Toss Whitehacker team poses for photos during an interview at Arcplace in Yeoksam-dong, Gangnam-gu, Seoul on the 7th. From left: Researcher Jungsoo Choi, Leader Jongho Lee, Researcher Hanbyeol Ji, Researcher Hansol Jeong. Photo by Toss
The Toss Whitehacker team gave an interview at Arcplace in Yeoksam-dong, Gangnam-gu, Seoul on July 7 to mark Information Security Day, which falls on the second Wednesday of July each year. During the interview, Jungsoo Choi, a researcher on the Toss Security Technology Team, demonstrated how a hacker could take over a consumer's phone through an ordinary text message about a parcel return.
Within one minute, Researcher Choi and the Toss Whitehacker team members were able to steal the consumer's location, contacts, text messages, consumption patterns, key documents, and photo album stored on the phone, simply by pressing a few buttons. They also took bank transaction information, photos of IDs, school records, and even National Pension enrollment certificates. The consumer became a victim of smishing (SMS payment fraud) in an instant, all because of a single mistaken click on a URL in a text message.
The hacker's method was simple. When the consumer clicked on the URL in a text message pretending to be about a parcel return, it triggered a pre-installed malicious application. At that moment, the information from the consumer's phone was synchronized with the hacker's PC, and the consumer's financial information, resident registration card, and school records were all displayed in real time. The hacker took over the consumer's phone in a matter of seconds and freely exploited the personal information.
The Toss Whitehacker team practices hacking by dividing into attack and defense teams, simulating real-world scenarios. On this day, they demonstrated training for intercepting authentication codes and phone calls. If a consumer carelessly clicks a URL, a malicious app is installed. A notice appears, prompting the consumer to enter a six-digit number commonly used for mobile payments. The consumer, unsuspecting, enters the number. The hacker then obtains personal information and sends text messages to every contact stored on the consumer's phone, causing secondary damage.
For example, the hacker might send a message such as, "This is OO Bank. We have a government-linked low-interest loan product available. Interested customers, please call us." Posing as a bank consultant, the hacker then obtains the consumer's resident registration number and payment password, logs into the bank app, and executes unauthorized loans.
Toss's malicious app detection solution, PhishingZero, detected the presence of a malicious app on the consumer's device in under three seconds. When the consumer opened the Toss app, a pop-up warning about the malicious app appeared. The screen displayed the name and characteristics of the malicious app (such as impersonating a courier or a bank), and a delete button was activated at the bottom. The Toss app could not be used until the malicious app was completely deleted. Once the delete button was pressed, the malicious app was removed, and the hacker's connection was also cut off.
According to Toss, approximately 3,700 users encounter PhishingZero each month. Toss developed and launched PhishingZero in April 2022. Over the past three years, it has blocked more than 70,000 new variants of malicious apps, but even now, an average of about 1,000 new malicious apps are detected each month.
The Whitehacker team emphasized that consumers only need to follow five rules to prevent smishing and phishing. First, always respond cautiously to calls from unknown numbers. Always be suspicious of any attempt to induce app installation. Even if a call comes from a customer service number starting with '1588-', be wary if the content seems suspicious. In fact, during the demonstration, the Toss Whitehacker team showed a hacker making a call from a '1588-' number using a compromised consumer phone. Also, never disclose personal or financial information. Finally, report immediately to the police, the Financial Supervisory Service, or the bank's customer center.
Toss is deeply committed to artificial intelligence (AI), as evidenced by the introduction of paid ChatGPT accounts for all employees on July 7. On June 6 (local time) in Los Altos, California, CEO Seunggun Lee announced at the "Toss USA Meetup" that the company would hire more than 100 people in the AI and data fields. In May, Toss established a dedicated Data and AI Recruitment Team. This team is responsible for managing the infrastructure for about 100 product-centered services.
The DNA of the Whitehacker team is embedded throughout Toss's company-wide AI and data management. The secret is an organization called the "Hacker Chapter." The Toss Whitehacker team has established a network to regularly communicate with hackers in major affiliates within the Toss community (referring to all of Toss's related and affiliated companies, also known as the "Group"), such as Bank, Payments, Securities, and Insurance. Regardless of whether it is the development, business, or design team, they frequently share diverse opinions on financial incidents, internal controls, and even inspections and investigations by financial supervisory authorities, from the earliest stages of product planning.
Jongho Lee, leader of the Toss Security Technology Team (nickname Hellsonic), champion of the international hacking defense competition Codegate and known as the "Faker of the hacking world," said, "CEO Seunggun Lee considers customer trust a core value and emphasizes that our team is not only protecting the Toss system, but also serving as the last line of defense for the entire Toss community and, ultimately, the trust in the financial industry." He added, "With MyData and other services, companies (clients) are tightly interconnected, so a single incident at one institution can undermine trust in the entire industry. That is why security is so important."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
!["This Is How Your Life Gets Hacked"... One Wrong Click, Victimized by That Hacker [Issue Interview]](https://cphoto.asiae.co.kr/listimglink/1/2025070915451039679_1752043510.jpg)
!["This Is How Your Life Gets Hacked"... One Wrong Click, Victimized by That Hacker [Issue Interview]](https://cphoto.asiae.co.kr/listimglink/1/2025070813285037652_1751948929.jpg)

