Feeds

Phishing attack evades bank's two-factor authentication

Man in the middle

The essential guide to IT transformation

A two-factor authentication system operated by Dutch bank ABN Amro has been compromised and money stolen from the online accounts of customers who fell for a phishing scam.

Two-factor authentication for online banking usually involves passwords and tokens which provide synchronised, constantly changing numbers to use as additional evidence of identity.

The security industry has promoted the tokens as a preventative measure against hacking for users of remote corporate or banking systems. However, experts have warned that they are still vulnerable to phishing attacks, where fraudulent emails lure recipients to bogus websites that are set up to gather security details.

Four customers who used two-factor authentication have been compensated by ABN Amro for undisclosed amounts taken from their bank accounts.

"We are taking this incident very seriously and, in addition to informing our clients, are also implementing all of the technical measures that are at our disposal to stop criminals in their tracks," said Johan van Hall of ABN Amro Netherlands. "Safe usage of home and office computers is an essential requirement for secure online banking, and we plan to remind our clients even more frequently and urgently than before of that fact."

Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.

As soon as the hackers received these details they were able to log into a customer's account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer's money.

Security experts have warned that such "man in the middle" attacks cannot be prevented by security tokens.

At the E-Crime Congress in London last month, several experts spoke out about the limitations of the systems. "Even when all the banks have it [hackers] will still attack them," said Mikko Hypponen, chief research officer of security firm F-Secure, at the Congress. "We see them using 'man in the middle' already."

"There are a whole bunch of things that can go wrong with two-factor authentication," Ross Anderson, a professor of security engineering at Cambridge University, told the same conference. "Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten."

Copyright © 2007, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?