Feeds

Hackers may be able to 'outwit' online banking security devices

Investigators probe malware threat to 2-factor authentication

Security for virtualized datacentres

Hackers may already able to use malware to outwit the latest generation of online banking security devices, security watchers warn.

An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such two-factor authentication devices means that even if hackers trick consumers into handing over their bank login passwords they still won't be able to raid online banking accounts.

But although basic phishing attacks will fail, it might still be possible to hackers to monitor and alter a user's communication with a banking site using malware. Hackers could set up a fake banking website and prompt users attempting to log into their account for both their online login credential and, for example, a PINSentry code, a pseudo-random number that changes every every minute or so. This information would allow cybercrooks to log onto the genuine banking website, posing as a customer, before authorising fraudulent transfers or other payments.

This variant of a classic man-in-the-middle-attack is know in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years, so the attack isn't new.

Phishers have been having a pop at two-factor authentication devices since at least 2006, if not earlier. Targets over the years have included customers at Citibank and some Nordic banks, among others.

While the tactic is understood in security circles, it is doubtful that many consumers are aware of it, so the BBC Click investigation is welcome in helping to publicise the issue.

The investigation – which does not highlight new instances of fraud or include quotes from victims – makes it clear that the threat is not tied to the technology supplied by any particular bank.

A spokeswoman for Financial Fraud Action told El Reg that the attack scenario illustrated the importance of keeping computer security up to date, as well as taking advantage of any additional security measures their bank might provide.

"Consumers ought to keep using the banking authentication devices," she said, adding that "even if consumers are unlucky enough to become victims of fraud they ought to be able to get reimbursed because the onus is on the bank to prove negligence."

This seems fair enough but it's worth noting that disputes over phantom withdrawals from ATMs are far from unknown. Consumers will probably get reimbursed for fraudulent transfers authorised using two-factor authentication devices but they're likely to have a tougher job in persuading banks that they didn't have anything to do with a transaction than might otherwise be the case.

Wolfgang Kandek, CTO of Qualys, said even though using banking authentication devices wasn't a foolproof way to stay safe while banking online, they are still worth using.

"Banks that offer two-factor authentication devices raise the bar for online security by a large margin. Common malware often found on PCs is not equipped to deal with the additional authentication steps required when using these devices.

"Nevertheless, no protection is complete. Advanced attackers have found ways to circumvent the additional security measures by infecting the user's browser and monitoring and altering the user's communication with the banking site. However, the malware needs to work much harder, because the user needs to be tricked into disclosing additional token codes, and the malware needs to act quickly, before they expire, typically after 60 seconds.

"Keeping your browser up to date will repel these infections at the onset, as attackers typically use well known browser vulnerabilities as their entry method to your PC," he added.

Banks deploying two-factor authentication have reportedly benefited from a substantial drop in fraud levels, we're told, although hard figures on this are hard to come by. Trust in authentication devices shouldn't be undermined by what boils down to a malware attack targeted at an end user's computer.

Hugh Callaghan, a security expert at management consultancy Ernst & Young, said that banks needs to rely on multiple security measures to reduce the possibility of fraud.

"There is no single, easy, solution for the banks to ensure the security of their online banking systems," he said. "A combination of techniques, working to complement each other, is required rather than relying solely on two-factor authentication regardless of how sophisticated this technique seems. Any approach to combating attacks against online banking must include updating and implementing rigorous anti-fraud control design processes, monitoring for any out of the ordinary customer transactions and tracking browsing patterns all of which could indicate an attack."

"We are also witnessing the emergence of newer techniques which require further development to be effective. For example, the use of full transaction data signing that requires users to input data to the token that they know is directly linked to the payment; this is usually a beneficiary account number. Unfortunately this can also be attacked, for example it can be dressed up as a 'security test' by misleading pop-ups in the browser," Callaghan added. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.