Online bank punters tricked into approving theft of their OWN CASH

Security researchers have discovered a malware-based attack against the chipTAN system used by bank customers in Germany to authorise transactions online. The chipTAN system involves the use of a card reader into which a chip-n-PIN bank card is inserted, which generates a transaction authentication number (TAN) used to green- …

COMMENTS

This topic is closed for new posts.
Holmes

C'mon, name and shame...which bank???

0
0
Facepalm

Stupidity is a luxury

and luxury must be paid for.

My bank (HVB) sends TANS by SMS with the transaction details, which then have to be entered into the webform. I'd like to see someone circumvent that :D

1
0

Re: Stupidity is a luxury

No probs: what are your logon details?

Let's hope I can't edit your destination SMS number without an mTAN...

0
1
Headmaster

Re: Stupidity is a luxury

SMS is a reasonably secure transport, but it relies on the handset being trustworthy. In the past, two important phones (Nokia 6210i and Ericsson T610, I think) had Bluetooth bugs such that it was possible to pair with them without authentication, then read and delete an SMS without the user's knowledge. These days there may be other vulnerabilities introduced by smartphones with malware installed, which could allow receiving and manipulating SMS from a distance.

I don't want to give the impression that SMS authentication is a bad method: it isn't, particularly if it is part of two-factor authentication. However, as with most methods, it cannot be seen as a silver bullet.

0
0

Re: Stupidity is a luxury

If it's anything like the TAN SMS system used by my bank, changing the phone number requires either going to the bank in person, with the bank card and ID, or going through a lengthy process involving snail mail and verification from the old phone.

0
0

Re: Stupidity is a luxury

I make sure to use a very dumb phone for this, and for a BT attack one would need, if not access, at least proximity.

0
0
FAIL

Re: Stupidity is a luxury

>> My bank sends TANS by SMS .... I'd like to see someone circumvent that :D

Already been demonstrated, so you can wipe that smug expression off your face.

http://www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/

0
0
Anonymous Coward

Injecting Code

Banks should randomise HTML div names etc when generating the web pages.

This would make it a lot more difficult for malware to inject code in the right places.

0
1
Linux

Malware attack against the chipTAN

Any idea as to what Operating System this malware runs on?

0
0
Gold badge

Re: Malware attack against the chipTAN

Well it's a German bank, so I imagine it is Linux.

0
1
Silver badge
Happy

Re: Malware attack against the chipTAN

Sad to say it, but it's hardly Linux. You do find Linux on POS systems like Wincor Nixdorf. Or are you perhaps sarcastic, Ken? Nixdorf used to deliver banking terminals but that was a long time ago.

Perhaps somebody has more up to date information.

0
0
Thumb Down

Re: Malware attack against the chipTAN

It is the users' machines that are affected, not the banks'. Quote "...by fooling users of malware-infected machines..." unquote.

0
0