Hackers may already able to use malware to outwit the latest generation of online banking security devices, security watchers warn. An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such …
If your computer is compromised with malware, someone else is calling the shots, so it doesn't matter what other security measures are in place if there are transactions that rely on the compromised computer for processing and transmission.
Using two factor authentication with a one time code defeats the vast majority of attacks, most of which use stolen credentials. Even if the token is stolen, (assuming some numpty has not scribed the pin on the back) there is still one piece of information missing and the device locks out after a number of incorrect pins.
One down side is that if the computer was compromised at token registrable time, the pin is also disclosed, but the attacker still has to target and get the token, which if missed, would, I presume be cancelled the same as a missing bank card.
Compared to secret words, numbers and pick lists, using something you physically have, something you know and generating a one time code is a big step forward in security for on-line banking authentication.
Steve Gibson on the Security Now podcast spoke bout this type of attack quite some time ago. It's particularly bad if someone manages to combine it with DNS spoofing. If that happens it looks like you are really connected to your bank rather than a dodgy third party site.
It is true however that the "something you have" authentication method is far superior to having just a password.
Re: Nothing new
There are ways to counter malware on your computer, even when it compomised already. You need to use an OS lockdown / secure session product like SafeCentral.
Once you activate the agent the OS is locked down so that only a secure browser or comms channel will function, all malware is nullified and ceases to operate. You can go and do your banking or whatever, the malware cannot get at anything anymore.
"all malware is nullified and ceases to operate" Really?
You have swallowed the snake-oil my son.
Do you know how a root-kit works? It can monitor everything going in/out of the OS (keyboard, mouse, video, network) and hide itself from detection pretty well by virtue of running first and emulating the PC (like a VM basically).
Once infected, the only safe assumption is noting is safe. You therefore need a 2nd channel to detect the 1st being fiddled with, or a bootable CD, etc, that can be run before the OS (assuming the BIOS is not infected, of course...) and with steps to identify/protect against DNS poisoning should your router be compromised to DHCP bad DNS.
Now try to explain that to Joe Public in terms they can understand.
Having both factors in the 2-factor system going through the SAME possibly compromised channel seems to be a basic flaw here.
While not perfect, having a 2nd channel such as a mobile phone seems a better approach. Unfortunately the piss-poor security practice that a large proportion of the public has (mostly due to ignorance, and a misplaced faith in AV snake-oil salesmen) will no doubt extend to their smart phones' apps and to disclosing their phone details as well to the bad guys.
uses telephone authenication. Basically they call you on one of your pre-selected phone numbers (home, mobile or work) and enter a PIN displayed on screen.
Initially I thought this seemed like a poorer, cheaper solution than the card reader/pin sentry type devices, but having a second channel is probably a good idea really. Unless the fraudster can somehow nick my mobile or break into my home or office or somehow divert my calls at the same time as getting my online banking username/password, they're going to be pretty screwed.
Some US banks send you a text when you try to log in. The texted number is valid for 15 mins and is then used as your second factor. This of course only works when you have a mobile and have coverage.
That's what my bank also uses. During logon I get a code sent to my mobile which I need to enter on the login screen. When I enter an unusual transaction I receive again a text message containing the transaction details and a code to validate the transaction. So far, so secure.
Good luck to those who use their smart phones for both online banking and receiving validation codes...
That is good.
One problem is a lot of web sites allow the change of phone number, so there needs to be a bit of delay/double checking so you get informed of the change on the old phone first, and then again on the new phone, so if its a fake change you can report it.
Another risk with "smart" phones is someone installing malware that can pre-screen the test messages, so compromising the 2nd channel as well.
Still, there is no PERFECT solution, just ones that reduces the fraud to a level that is less costly than the various protection systems cost.
Not fundamentally flawed.
Adding the cellular network as a second channel does raise the bar, but cellular networks should also be considered possibly compromised. The list of effective attacks against GSM is getting longer. On top of that you have to trust the users smartphone and there is lots of logging/monitoring going on in the mobile networks which might be compromised as well.
I'm not sure how stuff works in the UK, but my Dutch bank uses a challenge/response system where users need to type numbers (along with their PIN) into there the card reader. For large transactions the challenge includes the grand total of the transactions being send and for even larger transactions it also includes the account number the money is being send to. This effectively beats MITM attacks (provided users are paying attention) because an intercepted response is only useful for the transaction the user actually requested and modifications to the challenge will be noticed.
In the end a system which is immune to MITM attacks will always be better than using multiple channels.
As a Firefox user on Win7 with a dozen addin - each which warn caution during installation - I am worried if they might constitute the Man In the Browser.
I am quite impressed with the Barclays PinSentry. It is not connected to the computer, and cannot have it's firmware "updated" to include a virus/trojan.
If you want to make a payment to someone new, you need to authorise it using the pinsentry. To authorise it, you must type into the pinsentry: your PIN, the account number of the recipiant and the amount of the transfer. The pinsentry will then give you the code to type into the website.
So for this to work, the man-in-the-browser has to convince someone to press "Authorise" and then enter their PIN, an account number and an amount of money, and then type that number back into the website. Compared to an alternative scheme with a bank I know who give you a card with a list of 200 numbers that you may be asked to type in for any number of reasons, it should be reasonably clear that you are authorising a payment. I think that this is unlikely except for vulnerable people.
I suppose that it may be possible to convince a mark to make a small payment to a company which they authorise with pinsentry, and then for a trojan to try to make a much larger transfer later. In this case I don't know what the bank does; if someone authorises a payment for £5 and then tries to make a payment for £5000, do you ask them to authorise again?
No, they don't try and capture the details with a payment and then duplicate - they wait for you to log into your bank account and redirect your browser to a "copy" of the bank's website and at the same time they internally visit your website. When you type your Pin Sentry code into the fake website they use this to log into the real website; now it is them logged in not you. They may present you with a "this page is down for maintenance for the next 30 minutes" message or something else, but meanwhile they are using their validated log-in to empty your account.
Actually, this is where the Barclay's system works and the HSBC system doesn't
With the HSBC system, the device gives you a completely random number that you type in to yet another box during login - at EVERY login.
But the Barclay's system means that the device generates a number based on a sequence you also repeat on the website (account number, etc.). So, unlike the HSBC method, the MitB attack would need to somehow trick you in to entering an account number and amount that you otherwise wouldn't. Plus, this is only for new recipients, so users should notice if this happens at an unusual moment.
The weakest link in this approach is obviously still the user understanding what the device they have is for, but the HSBC system is definitely far from secure (and bloody annoying).
Lloyds/HBOS provide a unique code (again, only on new recipients or large transfer amounts) on screen that you must then enter in to your phone when the automated system calls you. I can see how a MitB attack could trick someone to do that, but the user would have to ignore the voice reading out the account number and transfer amount.
Except for Barclays (at least) to make a payment/transfer into a new account you have to re-authenticate and put both your pin, the account number, and transfer amount into your pin sentry *after* you've logged in. So all a man in the middle hacker will see is how much money I spend on disreputable websites.
If they do that, they only have a PINSentry authorisation to make a payment to an account the target has set up, not to their own target. Without the same PINSentry device, they cannot generate a working one time code that would be produced to transfer money to the account THEY want.
Sure they can be in your account, but they can't move money to any account that the target hasn't keyed in.
PinSentry is thus - login to account with PINSentry + card. Transfer of money requires ADDITIONAL number generated by the PINSentry from account number + PIN + Card + £value.
Even if they redirect you to a hoax site, how do they make you to input THEIR account number into the PINSentry you have in your hand, unless they have even more fake websites tempting you with whatever it is you are paying for.... And then it's not the PINSentry at fault!
Missed the key point
On Barclay's, they may be able to log in to your account, but they won't be able to withdraw any money, unless they somehow trick the user into entering account number/amount and PIN into the PIN sentry device.
You need to authorise a log in, AND authorise a payment to someone you haven't paid before.
They'll still be able to see your account activity/statements, which they could probably use in combination with the other information they have to do something bad.
They could also make a nuisance of themselves transferring money to people you've made transfers to in the past.
But Barclays isn't two-factor.
The payment authorisation is admirable, but for the basic login it's not a two-factor system. There is no personal password, only the validation code generated by PINSentry from your card and PIN. That means that anyone in posession of those and any old PINSentry device can do anything with your account without any other form of identification being requested.
I also find it rather shallow that the in-branch 'advisors' hand you a PINSentry in order to access your account. Seems more of an attempt at dumping responsibility onto the customer than anything else.
I was more impressed when I had online banking for nigh on a decade without ever having a problem, or needing to carry a physical device with me everywhere just to log in to banking (HSBC). I rarely can be bothered to log in anymore, it's more of a hassle.
While i'm ranting, HSBC also cocked up numerous things while I was abroad recently. If Natwest or Santander had a "we'll match every mortgage/loan/savings product of HSBC", I'd move today.
"There is no personal password" - There is, it's your PIN.
"in-branch 'advisors' hand you a PINSentry in order to access your account" - this is rather than taking your signature, which is written on your card, and easy to copy with a little practice.
OK, you could say that if someone knows your PIN then they can do anything, but that's nothing new, anyone with your card & PIN could walk up to a cash machine and take money out without any problem!
There is a unique online banking ID number that you also need before PINSentry is even involved in the login process. This, in conjunction with surname, is another barrier. The reason they only pass you the sentry device in branch is that they already have you online number (as they supplied it).
Any external purchase would require THAT to be supplied by the user as well.
The HSBC system works in a similar way. When adding a new payment recipient into HSBC IB you have to enter your PIN and part of the recipients account number into the security device. It then generates a 6 digit security code which you enter on to the website. I had to do this a couple of days ago. It may do a similar thing for large payments, I wouldn't know since I haven't made any recently.
@Joefish - two-factor
Two-factor, in this case is something you have and something you know>
You have your bank card, you know your PIN. Therefore two-factor.
"That means that anyone in posession of those" - they must steal both your bank card and 'torture' you for your PIN - not your everyday purse snatcher or phisher? By then they have tied you up and been around the cash points for a few days nicking your money and buying high value goods.
surely they look up your address info and call up the bank saying that for some weird reason they've been locked out. By the way while we are on the subject they'd like an address change and a new pin device posted.
OK, I appreciate that Card+PIN counts as 'two factors',
but they're pretty poor factors, and basically go hand-in-hand with each other. I can come up with a more secure password than four numeric digits that I have to enter in full view of whoever is behind me in pretty much every queue I find myself in nowadays, and who also gets to see which pocket my wallet goes into. As for my 'unique ID', anyone can get that emailed to them so it's hardly a security feature either. Anyone who's seen me enter my PIN and can then pick-pocket me for my card gets access now not just to a cashpoint (with is protected by daily withdrawal limits) but has full access to take out a loan in my name and transfer the money to a complete stranger. I would like to see a second secure factor involved that actually means something in security terms.
If they've physically got the card AND the email address you have attached to said online account, AND the password for the email address, AND they have intercepted the POSTAL MAIL that they supply your online membership number via (no email for that, not secure enough) then yes, it's not much of a barrier... but then neither would your front door be after that.
Barclays *is* two factor...
The Barclays implementation requires something that you know: i.e. your PIN and your personal customer number (not the same as your account number), plus something that you have - i.e. your debit card.
The pin device isn't important.
In fact you can use the pin pad from any other bank, they're an open standard. You could even use your Dutch friend's Pin Device from their Dutch Bank with your Barclays card/account (or Nationwide, or any other)
@jediben - none of that applies to the Barclays PINSentry system.
About 2 years ago, Blizzard made a statement to the effect that under certain circumstances a WoW authenticator could be compromised. The attack that they outlined was identical to this one, not surprising as the hardware is effectively the same. Last year my bank sent me an authenticator (about 2 years after I got the one from Blizzard) and must have been aware of the security issues but failed to mention them (I hope that's the case, the other alternative is that they were unaware which is worse by several factors). Why is it that Blizzard seem to care more about my security than my bank does?
That's probably because the bank is interested in their security rather than your security
Have a read of the story of Eve Russell at Ross Andersons website
The security devices and PIN allow banks to claim wrongdoing or carelessness by the customer and deny failings in the bank system and/or fraud by bank employees.
No they don't...
It's written into law that the burden of proof is on the bank, PIN auth'd or not, they have to prove that that customer was there and involved in a fraud.
Ross Anderson et al continually wheel this out with nothing other than "we've got some letters from some people" as proof.
The answer is obvious...
The problem is the software and protocols used for the transactions.
Highly secure software should be used to communicate with the banks, using secure communications protocols (perhaps even NEW protocols devised specifically for banking) NOT - repeat NOT - a browser.... banks have taken the cheap approach to allowing access to their systems and the resultant issues are predictable.
re. The answer is obvious...
"Highly secure software"
> Written for which platforms? Windows, Mac, Linux, iOS, Android? And now I need admin rights on a computer to use if for banking; this just makes it easier to get malware on the machine.
"using secure communications protocols"
> We've already got loads of those (HTTPS etc.)
"NOT - repeat NOT - a browser"
> If you read the article, then it should be obvious that the "man in the browser" attack can also be the "man in the banking software" attack. All they need to do is replicate the user experience of the software and the user will treat it as if it is the the genuine article and hand over all the necessary credentials when it asks for them.
re. re. The answer is obvious...
Quite right - and going on from that the most secure protocols are those that are open and used billions of times every day as then the inevitable flaws will be found and fixed.
The alternative is a bit of closed source code knocked-up by your bank who have a vested interest in claiming that it is secure and will use expensive lawyers against anyone who claims (or even demonstrates) otherwise. See Bagged and tagged's post above and the link to the truly excellent Light Blue Touchpaper security blog.
Give me a secure open source OS and a secure open source browser every time.
Open... and shut
"Give me a secure open source OS and a secure open source browser every time."
Yes, the keyword of course being SECURE. You would have to exclusively use security conscious distros and software, and preferably even review the code yourself. There's really no way to make absolutely sure that no malicious code is checked in with code contributions.
Of course OS code gets reviewed. But with the amount of code being contributed to large active projects, if someone with malicious intent would gain enough trust, it would take a long time before anyone would notice something amiss.
IronKey have an interesting approach
Build a secure VM - there's a demo here including the attack listed above where 2-factor is useless (as you log in and THEN have your secure channel compromised)
But is it bootable on the PC before you run the potentially compromised OS?
If not, they still have access to the keyboard/mouse/video via a rootkit, and if the VM lacks steps to detect poisoned DNS, can still be directed to a fake site.
OK, the sort of person who runs a VM for security is also likely the sort to check SSL certificates are valid, but given the recent spate of massive failures in the certificate chain model, that is not impossible to fake as well.
In case you ask, I didn't view the demo as they asked for my contact details first...
Some people are missing the point
2-factor helps ensure that the person logging on or authorising a transaction is who they are. Separate channels for delivery, etc, all good points made above.
However in this attack the malware is activated while the victim is logged in to their bank. It intercepts the visuals and modifies them. So for example if a user wants to transfer 50 quid to another account, the malware will intercept the info going to the bank and make that 10 grand to the criminal's account. The malware will rejig the pages so the victim sees the expected figures, but the bank sees the criminal's figures.
It is a very specific, targeted attack obviously tailored to specific sites with a lot of attention to detail.
The user then authorises the transfer and the criminal is sorted. Meanwhile the malware presents the updated figures to reflect what the victim thought they were doing. 2-factor means nothing here - it's like having a bad guy sat in your chair in your bank account, calling you over when he needs something authorising, but in this case totally hidden from view.
On Nationwide's 2-factory system, you have to enter the sum into the calculator thing. If the criminal changed the sum, the generated code would not be valid. They could change the target account - but they may be encapsulated in the code that you have to supply to the calculator.
Wont work with HSBC
If I want to transfer £10k (or even £10) to another account I have to add that account to my list of payees. To do this I enter the the last 4 digits from the account code into the secure key and it then generates a 6 digit code to use. Without this I can not transfer money to another account. The six digit code is time dependant.
If somebody gains access to my account via any means the only thing they can do is transfer money to one of the payees I have already set up. They can not transfer money to their own account without me setting the account up in the first place.
Point about two channels still stands
All the bank needs to do is send you a text saying "You've asked to send £10k to Russian Brides Inc, a/c number 1234-12312312. To confirm enter the code 23123 in browser".
The point about using two distinct channels is that they can't (yes, yes, insert caveat here) both be compromised, so you use one to verify the other. Two channels is distinct from two factor in this case, and I think it's an important distinction.
The malware would hold the transaction and modify the page to say "We are sorry, your authentication failed, please enter these digits to validate your token and confirm the code here" and display the last 4 digits of the dodgy account. The victim enters them and confirms the code, and it then says "Thankyou, your token has been re-validated".
Meanwhile they've actually authorised the fraudulent transaction on the real, invisible site behind what they are seeing. With the malware talking to the bank and the user being manipulated via a normal looking, https, Tusteer-enabled site, for example, they would have no reason to suspect there was anything wrong going on.
Only a cynical, suspicious user might question the chain of events and abort, but the point is that the user's behaviour might save them but the technology per se hasn't.
if someone had that much control over people's machine they would be better off just bringing up a popup saying "DANGEROUS VIRUSESES DETECTED ON YOUR MACHINE. YOU NEED TO BUY WINDOW ANTI VIRUS11!!! CLICK TO SEND THE MONIES!!11"
I have an HSBC Account
I am not sure what would happen if I was getting the code number from the 2nd Factor gadget, and something interrupted the process. There seems to be no way to synchronise the bank's number generator with mine, if the two get out of sync. What happens if, the 20th time I log in, I am supplying the 21st number from the gadget?
Out of sync?
It doesn't seem to be an issue as I suspect it 'catches up' in background. I had a few instances where I was slow/distracted and the number vanished of the dongle before I could enter it so I pushed the button again and got a new one which worked fine. I would hope that they have figured that possibility in and as long as the number you enter comes after the last one you used ( and is not too far out of sequence) it will let you pass.
It doesn't have a list of numbers it works its way through.
It has an internal clock and a unique key. It uses the time and the key to generate the pin number you type in on the website. In the bank they know the unique key of the device you use so they can calculate what the pin should be.