Hackers bypass online security at 34 banks

  • 22 July 2014
  • 7 replies
  • 1224 views

Things are looking as if 2 factor authentication is nearing the end of its usefulness in on-line banking. The fight continues to stay one step ahead of the criminals.
 
By Priya Anand, MarketWatch July 22, 2014
 
"The attack can get past two-factor authentication, which requires customers to type in a code sent to their cellphone or inbox to ensure the user is who he or she claims to be, by convincing customers to download a malicious smartphone app, according to a report released Tuesday by the security firm Trend Micro. The researchers dubbed the technique “Emmental” — like the Swiss cheese — because they say it shows the security flaws in online banking. So far, funds “in the seven figures” have been taken from bank accounts, according to Trend Micro spokesman Thomas Moore"
 
Full Article and Video

Comment: Once again cybercriminals have circumvented SMS-based two-factor authentication, using a combination of malware techniques.
=================================================================================================
By Eduard Kovacs on July 22, 2014 SMS-based two-factor authentication (2FA) mechanisms used by banks to secure their customers' accounts have been bypassed by cybercriminals using a combination of malware, mobile apps, rogue DNS servers, and phishing sites, according to a report published by Trend Micro on Tuesday.
The security firm has been monitoring a campaign which it has dubbed "Operation Emmental," because similar to the Swiss Emmental cheese, the security systems used by financial institutions can be full of holes. The individuals behind this operation have been trying to gain access to the accounts of users in Switzerland, Austria, Japan and Sweden by obtaining the security tokens sent by banks to customers' mobile devices via SMS.
 
SecurityWeek/ Full Read Here/ http://www.securityweek.com/attackers-bypass-2fa-systems-used-banks-operation-emmental
I'm speechless at this one - that is some involved hackery.
Hi Nic, am not surprised as there has been a lot in the press recently that 2LA is about dead and that 3LA is the way forward...what makes me laugh is I can see someone having a similar conversation in 2 or 3 years re. the fact that by then 3LA will be on its last legs and everyone will be advocating 4LA...it is a bit like multi bladed razors, first it was 2 blades, then 3 blades...some were brave and went to 4 blades but we seem to have settled on 5 blades...or have they...
or have they?  Now extrapolate that to security authentication...LOL ;)
Not so fast... or should I say, not so 2FaaS.  2-Factor is still king here if used with the right form of authentication... such as Device Fingerprinting http://www.secureauth.com/wp-content/files_mf/2faasdevice.pdf  A device print authentication does not require the end user to download an app to one's computer, or mobile device.  In fact, a small company or enterprise can and should write a policy that no one should download any such security app to one's phone to prevent a mess such as this one.
 
Device Fingerprint Authentication is a low-friction solution with heuristics built in, which makes it fast, silent, and very secure.
 
EP
 
@ wrote:
Not so fast... or should I say, not so 2FaaS.  2-Factor is still king here if used with the right form of authentication... such as Device Fingerprinting http://www.secureauth.com/wp-content/files_mf/2faasdevice.pdf  A device print authentication does not require the end user to download an app to one's computer, or mobile device.  In fact, a small company or enterprise can and should write a policy that no one should download any such security app to one's phone to prevent a mess such as this one.
 
Device Fingerprint Authentication is a low-friction solution with heuristics built in, which makes it fast, silent, and very secure.
 
EP
 
Welcome to the community EP! Happy to have you here.
Thank you for your input!
Hope to see you here in the community often!
Browse around and post often!
 
Beth
 
An update which goes into a little bit more detail.
 
by paganinip on July 23rd, 2014
 
"The malicious campaigns start with a fake email that pretends to be sent by a legitimate and well known entity; the cyber criminals serve the malware attached to the email as an apparently harmful Control Panel (.cpl) file that inoculates the malicious code through a bogus Windows update tool.
 
Once it has infected the machine, the malware redirects victims to domains controlled by attackers by changing the device’s Domain Name System (DNS) settings; in this way, every time bank customers try to visit bank websites, they are redirected to a phishing page. The experts have discovered that at least 34 financial institutions were targeted by attackers, six of which are in Austria, five in Japan, 16 in Switzerland, and seven in Sweden."
 
Full Article
Agreed, two-factor authentication is a solid security practice, but the techniques vary quite a bit.  The OTP exploited by Emmental is obviously flawed because the hackers have redirected the OTP to themselves.  I’m not quite sure the machine ID is a total answer, the end user still has the same mobile device.  An interactive second factor to authenticate the actual person like a voice biometric or fingerprint would have stopped some of the Emmental account hijacks.  A phone call over the voice channel of the mobile phone repeating the actual transaction details, like “To send $5,000 to an account ending in Ivan666 do this… to cancel do that” would catch the end user's attention if they were sending $50 to the electric company.
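The post above argues that the second factor should repeat the actual transaction details rather than be a bare code that can be relayed. The sketch below, added here as an illustration and not code from the thread or from Trend Micro's report, shows the server-side half of that idea: the confirmation code is an HMAC over destination, amount and a per-transaction nonce, so a code obtained for one transfer cannot authorize a different one, and the message read back to the customer states what is being approved. The key and account strings are constructed for the example; the delivery channel (SMS or voice call) is outside its scope.

```python
import hmac
import hashlib
import secrets

# Constructed signing key for this example only; a bank would hold
# per-customer keys in an HSM or key vault, never a literal in code.
SERVER_KEY = b"example-key-do-not-use-in-production"


def transaction_code(key: bytes, dest_account: str, amount_cents: int,
                     nonce: str, digits: int = 6) -> str:
    """Derive a short confirmation code bound to one specific transfer.

    Unlike a plain OTP, the MAC input includes the destination, the amount
    and a fresh nonce, so the code is worthless for any other transaction.
    """
    msg = f"{dest_account}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) to `digits` digits.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def confirmation_message(dest_account: str, amount_cents: int, code: str) -> str:
    """Text the bank reads back to the customer over the out-of-band channel."""
    return (f"To send ${amount_cents / 100:,.2f} to the account ending in "
            f"{dest_account[-4:]}, confirm with code {code}. "
            f"If you did not request this transfer, do nothing.")


def verify(key: bytes, dest_account: str, amount_cents: int, nonce: str,
           presented: str) -> bool:
    """Recompute the code for the transfer the bank is actually about to execute."""
    expected = transaction_code(key, dest_account, amount_cents, nonce)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    nonce = secrets.token_hex(8)
    # The $50 transfer the customer actually requested.
    code = transaction_code(SERVER_KEY, "ACCT-electric-4821", 5000, nonce)
    print(confirmation_message("ACCT-electric-4821", 5000, code))
    print(verify(SERVER_KEY, "ACCT-electric-4821", 5000, nonce, code))   # True
    # The same code presented for a substituted $5,000 transfer is rejected.
    print(verify(SERVER_KEY, "Ivan666", 500000, nonce, code))            # False
```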