Barclays doesn't use the current time in that way, you can make yourself a long list of login codes and then as long as you use them in order they'll work for months into the future.
Hackers may already be able to use malware to outwit the latest generation of online banking security devices, security watchers warn. An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such …
Defence in Depth
No security is infallible and there always has to be a focus on defence in depth.
While a dual-authentication system is very robust (which still remains the case) the man in the middle attack may be implemented if a user does not take the appropriate precautions to ensure their system (i.e. desktop) is appropriately protected with updated malware/virus protection. The main reason this is not a 'popular' attack is that it has a very small attack time window and requires regular monitoring; the result being that it has very low value to an attacker in comparison to other attacks.
It should be noted that certain banks do offer free browser addins that will provide additional protection that are particularly designed to protect against these attacks.
While it is interesting that the BBC has done a report on this; as indicated by the comments above this is not a new attack and should not be considered your primary point of concern if you decide to use online banking or a chip-and-pin card in general.
Like hell you would put the pin for the secure key into a website.
This is a total non issue.
Repost: In The Land Of The Cold Steel, Efficient Teutons
..I get an SMS onto my mobile phone which will display the amount of the transaction, the destination bank account number and a transaction ID. I then have to enter the transaction ID into the bank web page to complete the money transfer.
The mobile phone number can only be changed by displaying my ID card at the bank and filling out some paperwork.
Before that scheme, we had TAN (transaction authentication number) lists to confirm transactions. Each money transfer would consume one TAN.
The real con men just create a bank
Please; a little warning before you say things like that!
<- My keyboard
Too much security too often?
Most of my online banking consists of checking the balance and sending money to exactly the same set of people. I expect 99% of online banking is about the same. In those cases, a hacker can't do anything other than overpay a bill. I don't want or need two factor for most operations even if it would be annoying to have someone else go through my records. What I need two factor for is when I'm adding a new account. Part of the reason PINs are needed for some low value transactions is that every time a PIN is entered, there is a risk it's observed. What we need is different passwords and PINs for high value transactions but I don't think the general public will put up with that.
Re: Too much security too often?
"Most of my online banking consists of checking the balance and sending money to exactly the same set of people."
That certainly used to be the case but with cheques being phased out everybody you used to pay by cheque - builders, plumbers, electricians, etc - now need you to use the Fast Payment System (FPS - BACS on steroids) to transfer money to their account. But the banks now have you jumping through hoops just to add a payee making your life difficult.
I initially thought my Natwest card reader device was a neat idea but they then stopped me using it for both my business account and personal accounts and before long I've ended up with five of the beeldin' readers in the drawer, a special transaction card just to use for my business and no idea which is the right reader for what. I'd have to say that the Halifax Intelligent Finance way of doing it by giving you half a code online then texting you the other half is a lot easier.
"Hackers MAY be able..." "Isolated incidents of this type of fraud ['man-in-the-browser' attack] have cropped up..."
I am constantly amazed that so few techies understand how 'man-in-the-browser' attacks work. Chris 68 gets it. He mentions that "in this attack the malware is activated while the victim is logged in to their bank. It intercepts the visuals and modifies them." Condiment doesn't, if he thinks that "the only thing they can do is transfer money to one of the payees I have already set up." I hope that he reads Chris 68's subsequent reply noting that "The malware would hold the transaction and modify the page..."
As for "isolated"... Not! Read KrebsOnSecurity.com for a while, and scan some of the 80 or so articles he's written detailing count after count of this type of crime. Dunno about GB, but in the US commercial account holders are not reimbursed for losses due to fraud. Instead of fixing the problem, banks throw money at lawyers to make it more difficult for customers to sue their banker. For several years malware has circumvented all known types of 2-factor auth, including redirecting cell phone numbers to the bot-master's phones.
Krebs convinced me with his first article in 2009 that booting Linux from a Live CD or Live USB is arguably the best possible protection from all of this. But, of course, it's inconvenient so no one will bother. After using this for a bit, I love the convenience... It's the ultimate portable app, with all of your account and app settings, along with encrypted data, available from the same USB stick booted using any PC or Mac with 1.5 Gig of RAM and a USB port.
Not sure you get it actually.
If you know what the PIN security device does for decent accounts then it doesn't matter if you are logged in, you could let the criminal sit down at your PC while you go to the toilet. To transfer money to a new account you have to type the amount in to your device and the account number to get a code to authorise the transfer.
At this point you're going to think, why is my bank asking me to authorise a transaction to an unknown account for 100k?
If you have no clue at all then the site could tell you "pick up your authenticator and type these numbers in to it as we're just checking xyz" but you're also then the person who would fall for a 419 as well.
As for Bot Masters are hacking into the mobile phone networks to redirect phone calls and texts? Really? You'll need to provide some evidence of that one.
What they're actually doing is another MITM attack to change your contact number from the one you supplied to one of theirs. They then phone you from their phone with the altered details.
Safe online Banking
> A spokeswoman for Financial Fraud Action told El Reg that the attack scenario illustrated the importance of keeping computer security up to date, as well as taking advantage of any additional security measures their bank might provide.
Boot from a CD and then do your online banking ..
Burden of proof should not be needed
Most banking systems follow your spending habits rather closely and if anything odd occurs should get flagged. I once had suspicious activity on my CC and had a letter sent asking if I had made them to which the answer was no. If you get scammed it should be rather straightforward to prove you did not make the transaction if it does not fall within your spending habits. Not foolproof of course but it is another thing you can use to dispute any discrepancies.
A constant battle
It really is amazing how quickly hackers are able to find exploits in the newest security technology. It’s a constant battle to consistently stay ahead in order to further protect customer data. We see it all the time in distributed denial of service attacks - and unfortunately, even the smallest attack could have terrible results.
Case in point is the latest report by Radware’s Emergency Response Team. (You can read more from the report here: http://blog.radware.com/security/2012/02/ddos-attacks-myths/).
They found that most DDoS attacks actually use less bandwidth than originally thought. While the belief is using less bandwidth means it’s a less harmful attack, the truth is that it all depends on where the hacker has decided to infiltrate the network. If they’re using the application layer, then it could potentially be a much more harmful break-in. This just goes to show the need to protect the network from attacks of all sizes.
Mike Lordi, Radware
NatWest customers are vulnerable to this particular form of attack, as the site employs a challenge-response method, in which you generate a response code based on an 8 digit code onscreen. For a hacker to initially compromise the main login, then serve the 8 digit code on their screen would be the implementation of such an attack.
I'm intrigued to read the methods other banks have implemented such as code generation based upon transaction details and phone verification, which sadly NatWest do not use, perhaps it's something in the works.
In addition, the NatWest pin-thingy doesn't allow account number entry etc, so I'm assuming cannot be used for other banks.
Nat west pin thingy
I can use my partner's Smile (Co-op) PIN thing for my RBS (same as NatWest) account. Also I can use her Nationwide (or some other building society, I can't quite remember) pin thing for my Coop account.
The key is the chip on the card, the PIN thing is a dumb box with a keyboard.
The readers I've used
don't have a time-dependent code either. The device uses the chip and PIN of your card to create a hash of the amount and destination account number for any outgoing payments, which the server is able to check. The code could be re-used, but only to send the same amount to the same destination.
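Added example, not part of any comment in this thread: a Python sketch contrasting the two reader models commenters describe, a response derived only from an on-screen 8 digit challenge versus a code derived from the amount and destination account. HMAC-SHA256, the key, the account numbers and all function names are assumptions made for illustration and do not reproduce what any bank's reader actually computes.

```python
import hashlib
import hmac

# Constructed stand-in for the secret in the card's chip. HMAC-SHA256 is an
# assumption for illustration; it is not the scheme real card readers use.
CARD_KEY = b"constructed-demo-card-key"


def _code(message: bytes, digits: int = 8) -> str:
    """Truncate a keyed hash to a short decimal code a person can type."""
    tag = hmac.new(CARD_KEY, message, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**digits).zfill(digits)


def challenge_response(challenge: str) -> str:
    """Code bound only to the 8-digit number shown on screen."""
    return _code(b"challenge|" + challenge.encode())


def transaction_response(amount_pence: int, dest_account: str) -> str:
    """Code bound to the amount and destination typed into the reader."""
    return _code(f"txn|{amount_pence}|{dest_account}".encode())


def accepts_challenge(challenge: str, code: str, amount_pence: int, dest_account: str) -> bool:
    # The payment fields never enter the check, so any payment passes.
    return hmac.compare_digest(challenge_response(challenge), code)


def accepts_transaction(code: str, amount_pence: int, dest_account: str) -> bool:
    # The server recomputes the code from the payment it is about to execute.
    return hmac.compare_digest(transaction_response(amount_pence, dest_account), code)


def demo() -> dict:
    intended = (5_000, "12345678")        # what the customer believes they approved
    submitted = (10_000_000, "87654321")  # what reaches the server after page tampering
    c_code = challenge_response("40817263")
    t_code = transaction_response(*intended)
    return {
        "challenge_only_accepts_altered": accepts_challenge("40817263", c_code, *submitted),
        "txn_bound_accepts_altered": accepts_transaction(t_code, *submitted),
        "txn_bound_accepts_intended": accepts_transaction(t_code, *intended),
        # No time or counter input, so the same code verifies again for the same payment.
        "txn_bound_replay_same_payment": accepts_transaction(t_code, *intended),
    }
```

The sketch omits the time or counter input some schemes add, which is why the transaction-bound code still verifies a second time for the identical payment.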
Quite a few posters on this thread - good to see such lively discussion. I'm always curious to know how many people/customers have actually lost money due to online banking fraud e.g. phishing, mitb etc.
I gather in many cases that if there is any doubt about culpability, the banks themselves are taking the hit, and not passing on to customers. There have been some cases that I'm aware of, published in the press, where the customer has done something silly and the bank holds them liable but this is quite rare, or is it?