Phishing attack evades bank's two-factor authentication

Man in the middle

By OUT-LAW.COM, 19th April 2007

A two-factor authentication system operated by Dutch bank ABN Amro has been compromised and money stolen from the online accounts of customers who fell for a phishing scam.

Two-factor authentication for online banking usually involves passwords and tokens which provide synchronised, constantly changing numbers to use as additional evidence of identity.

The security industry has promoted the tokens as a preventative measure against hacking for users of remote corporate or banking systems. However, experts have warned that they are still vulnerable to phishing attacks, where fraudulent emails lure recipients to bogus websites that are set up to gather security details.

Four customers who used two-factor authentication have been compensated by ABN Amro for undisclosed amounts taken from their bank accounts.

"We are taking this incident very seriously and, in addition to informing our clients, are also implementing all of the technical measures that are at our disposal to stop criminals in their tracks," said Johan van Hall of ABN Amro Netherlands. "Safe usage of home and office computers is an essential requirement for secure online banking, and we plan to remind our clients even more frequently and urgently than before of that fact."

Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.

As soon as the hackers received these details they were able to log into a customer's account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer's money.

Security experts have warned that such "man in the middle" attacks cannot be prevented by security tokens.

At the E-Crime Congress in London last month, several experts spoke out about the limitations of the systems. "Even when all the banks have it [hackers] will still attack them," said Mikko Hypponen, chief research officer of security firm F-Secure, at the Congress. "We see them using 'man in the middle' already."

"There are a whole bunch of things that can go wrong with two-factor authentication," Ross Anderson, a professor of security engineering at Cambridge University, told the same conference. "Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten."

OUT-LAW.COM is part of international law firm Pinsent Masons.

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections

All Reader Comments (20)

Latest Comments

Posted Friday 20th April 2007 13:01 GMT

Edward Fingleton

RE: Single IP

<quote>

Single IP - as in from the customer's initial login, using the fob-generated number. Any further bank transactions are used against this IP, if the IP changes then it could be due to the session being hi-jacked. Once the session expires, or customer logs out - they can then re-access from any other computer/IP address. Think.

</quote>

Now now put down the handbag, a quick google search will tell you that IP spoofing isn't the most difficult thing to do, so single IP wouldn't be much help. Read. ;)

Posted Friday 20th April 2007 11:32 GMT

Howard Mirkin

All nonsense

Bookmark the https address of the real site and only use the bookmark and you won't get phished.

Posted Friday 20th April 2007 11:02 GMT

Anonymous Coward

I don't get it

I don't get it.

I have online banking.

I have to call my bank to set up payments to accounts other than those in my own name. It takes less than 2 minutes to do this because they have a vested interest in security, and so they keep the phone lines well manned for this very reason.

In order to do this I have to verify with a human being and answer questions that only I would know the answer to...and even then if someone had gone to the trouble of tapping my phone line and waiting for me to make a call like that...I don't think someone from China or whatever is going to be able to do a very convicing Limerick accent :)

So even if someone gets my details or is able to intercept the information going from my pc to the bank's sever, the worst they can do is pay off my credit card.

None of this two factor stuff. All of these authentication methods have flaws or ways around them. I'm reading a lot of "its totally secure unless..." in the above posts...you can be sure that the thieves are very very well aware of the "unless" clauses, whereas your average user is not. Even the fobs that generate unique IDs...they can be stolen, and a minute is plenty of time to hijack and redirect with a man in the middle scenario.

eh, anyway, I have nothing worth stealing...:(