
Hackers bypass online security at 34 banks

Things are looking as if 2 factor authentication is nearing the end of its usefulness in on-line banking. The fight continues to stay one step ahead of the criminals.

 

By Priya Anand, MarketWatch July 22, 2014

 

"The attack can get past two-factor authentication, which requires customers to type in a code sent to their cellphone or inbox to ensure the user is who he or she claims to be, by convincing customers to download a malicious smartphone app, according to a report released Tuesday by the security firm Trend Micro. The researchers dubbed the technique “Emmental” — like the Swiss cheese — because they say it shows the security flaws in online banking. So far, funds “in the seven figures” have been taken from bank accounts, according to Trend Micro spokesman Thomas Moore"

 

Full Article and Video

Sr. Community Leader


Attackers Bypass 2FA Systems Used by Banks in 'Operation Emmental'

Comment: Once again cybercriminals have circumvented SMS-based two-factor authentication, using a combination of malware techniques.

=================================================================================================

By Eduard Kovacs on July 22, 2014
 

SMS-based two-factor authentication (2FA) mechanisms used by banks to secure their customers' accounts have been bypassed by cybercriminals using a combination of malware, mobile apps, rogue DNS servers, and phishing sites, according to a report published by Trend Micro on Tuesday.

The security firm has been monitoring a campaign which it has dubbed "Operation Emmental," because similar to the Swiss Emmental cheese, the security systems used by financial institutions can be full of holes. The individuals behind this operation have been trying to gain access to the accounts of users in Switzerland, Austria, Japan and Sweden by obtaining the security tokens sent by banks to customers' mobile devices via SMS.

 

SecurityWeek/ Full Read Here/ http://www.securityweek.com/attackers-bypass-2fa-systems-used-banks-operation-emmental

Community Leader


Re: Hackers bypass online security at 34 banks

I'm speechless at this one - that is some involved hackery.


Re: Hackers bypass online security at 34 banks

Hi Nic, am not surprised as there has been a lot in the press recently that 2LA is about dead and that 3LA is the way forward...what makes me laugh is I can see someone having a similar conversation in 2 or 3 years re. the fact that by then 3LA will be on its last legs and everyone will be advocating 4LA...it is a bit like multi bladed razors, first it was 2 blades, then 3 blades...some were brave and went to 4 blades but we seem to have settled on 5 blades...or have they...

 

or have they? Now extrapolate that to security authentication...LOL



Re: Hackers bypass online security at 34 banks

Not so fast... or should I say, not so 2FaaS.  2-Factor is still king here if used with the right form of authentication... such as Device Fingerprinting http://www.secureauth.com/wp-content/files_mf/2faasdevice.pdf  A device print authentication does not require the end user to download an app to one's computer, or mobile device.  In fact, a small company or enterprise can and should write a policy that no one should download any such security app to one's phone to prevent a mess such as this one.

Device Fingerprint Authentication is a low-friction solution with heuristics built in, which makes it fast, silent, and very secure.

 

EP

 


Re: Hackers bypass online security at 34 banks


EP wrote:

Not so fast... or should I say, not so 2FaaS.  2-Factor is still king here if used with the right form of authentication... such as Device Fingerprinting http://www.secureauth.com/wp-content/files_mf/2faasdevice.pdf  A device print authentication does not require the end user to download an app to one's computer, or mobile device.  In fact, a small company or enterprise can and should write a policy that no one should download any such security app to one's phone to prevent a mess such as this one.

Device Fingerprint Authentication is a low-friction solution with heuristics built in, which makes it fast, silent, and very secure.

 

EP

 

Welcome to the community EP! Happy to have you here.
Thank you for your input!
Hope to see you here in the community often!
Browse around and post often!

 

Beth

 


Operation Emmental, a sophisticated campaign which is targeting banking industry

An update which goes into a little bit more detail.

 

by paganinip on July 23rd, 2014

 

"The malicious campaigns start with a fake email that pretend to be sent by a legitimate and well known entity, the cyber criminals serve the malware attached to the email as an apparently harmful Control Panel (.cpl) file that’s inoculate the malicious code through a bogus Windows update tool.


 

Once it infected the machine, the malware redirects victims to domains, controlled by attackers, by changing the device’s Domain Name System (DNS) settings, in this way every bank customers try to access visit bank websites, they are redirected to a phishing page. The experts have discovered that at least 34 financial institutions were targeted by attackers, six of which are in Austria, five in Japan, 16 in Switzerland, and seven in Sweden."

 

Full Article

Sr. Community Leader
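A defender's check for the DNS-settings change described in the update above, as an added example that is not part of the original post or the quoted article: it parses `ipconfig /all` output and reports configured DNS servers that fall outside an approved set. The sample output, adapter names and approved addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (documentation-range addresses).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet0:

   IPv4 Address. . . . . . . . . . . : 192.0.2.25(Preferred)
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.0.2.54
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       192.0.2.53
"""

# Assumption: the resolvers your network legitimately hands out.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")

def _as_ip(token):
    """Return a normalised IP string, or None if token is not an address."""
    try:
        return str(ipaddress.ip_address(token.split("%")[0]))
    except ValueError:
        return None

def unexpected_resolvers(ipconfig_text, approved):
    """Map adapter name -> configured DNS servers that are not approved."""
    approved = {str(ipaddress.ip_address(a)) for a in approved}
    findings, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        header, dns = ADAPTER_RE.match(line), DNS_RE.match(line)
        if header:
            adapter, in_dns = header.group(1), False
            continue
        # A DNS list continues on following lines that hold only an address.
        token = dns.group(1) if dns else (line.strip() if in_dns else "")
        ip = _as_ip(token)
        in_dns = ip is not None
        if ip and ip not in approved:
            findings.setdefault(adapter, []).append(ip)
    return findings

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_IPCONFIG, APPROVED_RESOLVERS))
```
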


Re: Hackers bypass online security at 34 banks

Agreed, two-factor authentication is a solid security practice, but the techniques vary quite a bit.  The OTP exploited by Emmental is obviously flawed because the hackers have redirected the OTP to themselves.  I’m not quite sure the machine ID is a total answer, the end user still has the same mobile device.  An interactive second factor to authenticate the actual person like a voice biometric or fingerprint would have stopped some of the Emmental account hijacks.  A phone call over the voice channel of the mobile phone repeating the actual transaction details, like “To send $5,000 to an account ending in Ivan666 do this… to cancel do that” would catch the end user's attention if they were sending $50 to the electric company.