In Europe, millions of online banking customers use hardware to authenticate their online banking sessions.
Todos recently shipped its 20 millionth device. (See Todos Delivers 20 Millionth eBanking Security Product)
These devices generate OTPs (one-time passwords). The problem with OTPs is that real-time OBTs (online banking trojans) are able to intercept them. Thus OTPs are rendered inadequate to protect online banking sessions, as graphically illustrated on the right.
In America, we type in our username and password and answer questions like: what is your mother's maiden name, what month were you born, what are the last four digits of your Social Security number, or what city were you born in? Yesterday, McAfee Labs released a report saying that online banking trojans are getting smarter. Thus the question that begs to be asked is: when will the online banking industry do the same? Will it happen in 2010?
Sometimes the simplest solutions are the best. For example: How do you withdraw cash from an ATM? You insert your bank issued card, you enter your bank issued PIN. The bank customer might be hundreds, even thousands of miles from their bank, yet the process is trusted enough to dispense hundreds of dollars in cash into the hands of the card holder.
So the second question that begs to be asked of the online banking community is this: if I were to inform them that there is a patented device which 100% replicates the same two-factor authentication process trusted to dispense cash from an ATM, but used instead to authenticate the online banking session, and that instead of generating an OTP it would generate residual income (i.e. ROI), do you think they might be interested?
I guess it all depends on the answer given to the previous question, the one asked in the title of this post...
From the McAfee Labs "2010 Threat Predictions" report, released yesterday:
In 2009 criminals adapted their methods to more effectively attack online banking and get around current protections used by banks.
Trojans demonstrated new tactics that went well beyond the rather simple keylogging-with-screenshots efforts that we had seen in previous years. Most Trojans now use rootkit techniques to hide on a victim’s system and disable anti-virus software or prevent signature updates. Often the victim’s computer becomes part of a botnet and receives malware configuration updates.
Simple Trojans, such as those predominant in South American countries, lie dormant until the victim opens the bank’s website. They then add fields for the user to fill in, asking for credit card number and ATM PIN, for example, or for a couple of indexed transaction authorization numbers (iTANs). The Trojan usually comes with a configuration file that contains information for hundreds of banks, specifying the additional fields and their layout and mimicking the bank’s design. Although these Trojans, such as Torpig, are still popular today, they are far from state of the art.
More troublesome is the Silentbanker family. These Trojans can silently change the details a user enters to transfer the money to the attacker during a transaction. The user is not aware that anything is amiss until the next account statement arrives. Bebloh, also known as URLZone, takes this deception even further. This Trojan not only changes the transaction details to suit the attacker but it will also check the user’s account and transaction limits and stay just below them to avoid alerting the bank. Bebloh also keeps track of the transactions the user originally made and changes the account statement to display these instead of the real transactions. Of course, the account balance is modified as well.
The latest, and perhaps most worrisome, development comes from the Zeus family. These Trojans are frequently updated with new versions and are sold on underground forums to anyone interested in starting a career in crime. Zeus comes with a command and control server and is extremely flexible in its configuration, allowing easy adjustments to a criminal’s specific needs. Now there is a man-in-the-middle console that allows an attacker to operate in real time. The attack could occur like this: When the victim logs into an online banking account the user sees a maintenance bar that moves slowly until it is full, and then must answer additional security questions, with everything in the bank’s website design.
These steps help buy time for the attacker. The moment the victim logs in, the attacker is notified and initiates a transaction while the victim is waiting. In the next step the victim is asked to register his or her mobile phone number and to confirm this with a specific iTAN. The attacker uses this iTAN, which the bank requests, to complete the illicit transaction. Once the victim enters the iTAN, the attacker completes the transaction and the victim gets to see a message saying the phone registration was successful but that online banking is closed for maintenance.
One variant of Zeus is JabberZeus, which has a complex structure for providing near real-time stolen information to an attacker. This version is most often used to steal one-time passwords, which certain banks require to add another layer of protection for large transactions. With this variant, an attacker uses the Jabber protocol as an instant message system to gather the stolen data. The attacker then selects which information is most (financially) important.
Given the widespread use of the Zeus kit we anticipate many more similar attacks in 2010, and not only against banking sites. This variation allows attackers to circumvent all types of two-factor authentication on websites.
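To make the point of the post and the quoted report concrete, the following added example (not code from the post, from Todos, or from McAfee) simulates in Python why an OTP relayed in real time still authorises a transaction whose destination and amount a trojan altered in transit, whereas a code bound to the details the customer actually saw is rejected by the bank. The key, counter and account numbers are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values for the simulation (not real credentials or accounts).
SHARED_KEY = b"constructed-per-customer-token-secret"
COUNTER = 41

def truncate(digest: bytes, digits: int = 8) -> str:
    """Reduce an HMAC digest to a short numeric code a customer could type."""
    n = int.from_bytes(digest[:4], "big") % (10 ** digits)
    return f"{n:0{digits}d}"

def unbound_otp(key: bytes, counter: int) -> str:
    """Event-based OTP as produced by a plain token: it depends only on the key
    and a counter, so it authorises whatever transaction reaches the bank with it."""
    return truncate(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def bound_code(key: bytes, counter: int, dest: str, amount_cents: int) -> str:
    """Transaction-bound code ("what you see is what you sign"): the destination
    and amount the customer saw on screen are part of the MAC input."""
    msg = counter.to_bytes(8, "big") + dest.encode() + amount_cents.to_bytes(8, "big")
    return truncate(hmac.new(key, msg, hashlib.sha256).digest())

def bank_accepts(code: str, received: dict, bound: bool) -> bool:
    """Bank-side check, always computed over the transaction the bank actually received."""
    if bound:
        expected = bound_code(SHARED_KEY, COUNTER, received["dest"], received["amount_cents"])
    else:
        expected = unbound_otp(SHARED_KEY, COUNTER)
    return hmac.compare_digest(code, expected)

def simulate(shown: dict, received: dict, bound: bool) -> bool:
    """The customer generates a code for the transaction shown on screen; a
    man-in-the-browser may alter it before it reaches the bank, relaying the code."""
    if bound:
        code = bound_code(SHARED_KEY, COUNTER, shown["dest"], shown["amount_cents"])
    else:
        code = unbound_otp(SHARED_KEY, COUNTER)
    return bank_accepts(code, received, bound)

INTENDED = {"dest": "DE00 1234 5678", "amount_cents": 5000}    # constructed
ALTERED = {"dest": "DE00 9999 0000", "amount_cents": 480000}   # constructed

if __name__ == "__main__":
    print("unbound OTP, details altered in transit:", simulate(INTENDED, ALTERED, bound=False))  # True
    print("bound code, details altered in transit:", simulate(INTENDED, ALTERED, bound=True))    # False
    print("bound code, details untouched:", simulate(INTENDED, INTENDED, bound=True))             # True
```

The bank's check never looks at what the customer saw, only at what arrived; binding the code to the transaction is what lets it notice the substitution.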