Feeds

Hackers may be able to 'outwit' online banking security devices

Investigators probe malware threat to 2-factor authentication

Protecting against web application threats using SSL

Hackers may already able to use malware to outwit the latest generation of online banking security devices, security watchers warn.

An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such two-factor authentication devices means that even if hackers trick consumers into handing over their bank login passwords they still won't be able to raid online banking accounts.

But although basic phishing attacks will fail, it might still be possible to hackers to monitor and alter a user's communication with a banking site using malware. Hackers could set up a fake banking website and prompt users attempting to log into their account for both their online login credential and, for example, a PINSentry code, a pseudo-random number that changes every every minute or so. This information would allow cybercrooks to log onto the genuine banking website, posing as a customer, before authorising fraudulent transfers or other payments.

This variant of a classic man-in-the-middle-attack is know in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years, so the attack isn't new.

Phishers have been having a pop at two-factor authentication devices since at least 2006, if not earlier. Targets over the years have included customers at Citibank and some Nordic banks, among others.

While the tactic is understood in security circles, it is doubtful that many consumers are aware of it, so the BBC Click investigation is welcome in helping to publicise the issue.

The investigation – which does not highlight new instances of fraud or include quotes from victims – makes it clear that the threat is not tied to the technology supplied by any particular bank.

A spokeswoman for Financial Fraud Action told El Reg that the attack scenario illustrated the importance of keeping computer security up to date, as well as taking advantage of any additional security measures their bank might provide.

"Consumers ought to keep using the banking authentication devices," she said, adding that "even if consumers are unlucky enough to become victims of fraud they ought to be able to get reimbursed because the onus is on the bank to prove negligence."

This seems fair enough but it's worth noting that disputes over phantom withdrawals from ATMs are far from unknown. Consumers will probably get reimbursed for fraudulent transfers authorised using two-factor authentication devices but they're likely to have a tougher job in persuading banks that they didn't have anything to do with a transaction than might otherwise be the case.

Wolfgang Kandek, CTO of Qualys, said even though using banking authentication devices wasn't a foolproof way to stay safe while banking online, they are still worth using.

"Banks that offer two-factor authentication devices raise the bar for online security by a large margin. Common malware often found on PCs is not equipped to deal with the additional authentication steps required when using these devices.

"Nevertheless, no protection is complete. Advanced attackers have found ways to circumvent the additional security measures by infecting the user's browser and monitoring and altering the user's communication with the banking site. However, the malware needs to work much harder, because the user needs to be tricked into disclosing additional token codes, and the malware needs to act quickly, before they expire, typically after 60 seconds.

"Keeping your browser up to date will repel these infections at the onset, as attackers typically use well known browser vulnerabilities as their entry method to your PC," he added.

Banks deploying two-factor authentication have reportedly benefited from a substantial drop in fraud levels, we're told, although hard figures on this are hard to come by. Trust in authentication devices shouldn't be undermined by what boils down to a malware attack targeted at an end user's computer.

Hugh Callaghan, a security expert at management consultancy Ernst & Young, said that banks needs to rely on multiple security measures to reduce the possibility of fraud.

"There is no single, easy, solution for the banks to ensure the security of their online banking systems," he said. "A combination of techniques, working to complement each other, is required rather than relying solely on two-factor authentication regardless of how sophisticated this technique seems. Any approach to combating attacks against online banking must include updating and implementing rigorous anti-fraud control design processes, monitoring for any out of the ordinary customer transactions and tracking browsing patterns all of which could indicate an attack."

"We are also witnessing the emergence of newer techniques which require further development to be effective. For example, the use of full transaction data signing that requires users to input data to the token that they know is directly linked to the payment; this is usually a beneficiary account number. Unfortunately this can also be attacked, for example it can be dressed up as a 'security test' by misleading pop-ups in the browser," Callaghan added. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.