Feeds

Hackers may be able to 'outwit' online banking security devices

Investigators probe malware threat to 2-factor authentication

Internet Security Threat Report 2014

Hackers may already able to use malware to outwit the latest generation of online banking security devices, security watchers warn.

An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such two-factor authentication devices means that even if hackers trick consumers into handing over their bank login passwords they still won't be able to raid online banking accounts.

But although basic phishing attacks will fail, it might still be possible to hackers to monitor and alter a user's communication with a banking site using malware. Hackers could set up a fake banking website and prompt users attempting to log into their account for both their online login credential and, for example, a PINSentry code, a pseudo-random number that changes every every minute or so. This information would allow cybercrooks to log onto the genuine banking website, posing as a customer, before authorising fraudulent transfers or other payments.

This variant of a classic man-in-the-middle-attack is know in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years, so the attack isn't new.

Phishers have been having a pop at two-factor authentication devices since at least 2006, if not earlier. Targets over the years have included customers at Citibank and some Nordic banks, among others.

While the tactic is understood in security circles, it is doubtful that many consumers are aware of it, so the BBC Click investigation is welcome in helping to publicise the issue.

The investigation – which does not highlight new instances of fraud or include quotes from victims – makes it clear that the threat is not tied to the technology supplied by any particular bank.

A spokeswoman for Financial Fraud Action told El Reg that the attack scenario illustrated the importance of keeping computer security up to date, as well as taking advantage of any additional security measures their bank might provide.

"Consumers ought to keep using the banking authentication devices," she said, adding that "even if consumers are unlucky enough to become victims of fraud they ought to be able to get reimbursed because the onus is on the bank to prove negligence."

This seems fair enough but it's worth noting that disputes over phantom withdrawals from ATMs are far from unknown. Consumers will probably get reimbursed for fraudulent transfers authorised using two-factor authentication devices but they're likely to have a tougher job in persuading banks that they didn't have anything to do with a transaction than might otherwise be the case.

Wolfgang Kandek, CTO of Qualys, said even though using banking authentication devices wasn't a foolproof way to stay safe while banking online, they are still worth using.

"Banks that offer two-factor authentication devices raise the bar for online security by a large margin. Common malware often found on PCs is not equipped to deal with the additional authentication steps required when using these devices.

"Nevertheless, no protection is complete. Advanced attackers have found ways to circumvent the additional security measures by infecting the user's browser and monitoring and altering the user's communication with the banking site. However, the malware needs to work much harder, because the user needs to be tricked into disclosing additional token codes, and the malware needs to act quickly, before they expire, typically after 60 seconds.

"Keeping your browser up to date will repel these infections at the onset, as attackers typically use well known browser vulnerabilities as their entry method to your PC," he added.

Banks deploying two-factor authentication have reportedly benefited from a substantial drop in fraud levels, we're told, although hard figures on this are hard to come by. Trust in authentication devices shouldn't be undermined by what boils down to a malware attack targeted at an end user's computer.

Hugh Callaghan, a security expert at management consultancy Ernst & Young, said that banks needs to rely on multiple security measures to reduce the possibility of fraud.

"There is no single, easy, solution for the banks to ensure the security of their online banking systems," he said. "A combination of techniques, working to complement each other, is required rather than relying solely on two-factor authentication regardless of how sophisticated this technique seems. Any approach to combating attacks against online banking must include updating and implementing rigorous anti-fraud control design processes, monitoring for any out of the ordinary customer transactions and tracking browsing patterns all of which could indicate an attack."

"We are also witnessing the emergence of newer techniques which require further development to be effective. For example, the use of full transaction data signing that requires users to input data to the token that they know is directly linked to the payment; this is usually a beneficiary account number. Unfortunately this can also be attacked, for example it can be dressed up as a 'security test' by misleading pop-ups in the browser," Callaghan added. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.