Banking security and SMS authentication

After the recent incidents it seems that SMS is not a very secure second factor for authentication.

Australian Telcos Declare SMS Unsafe For Bank Transactions: the article Telcos declare SMS ‘unsafe’ for bank transactions reports that the lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.

SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication. Security experts have warned about the inherent lack of security posed by SMS technology for several years. SMS was not designed to act as a second authentication factor. There are numerous reports of Australians being defrauded via a phone porting scam: With only a few phone calls to a victim’s workplace or home address, a fraudster can gain enough information (date of birth and mobile phone number) to port a victim’s mobile phone number to a new SIM device and intercept one-time passwords sent via SMS for online banking sessions. Banks have said that SMS should be considered part of a “layered” security solution.

Many European banks use a two-factor authentication approach for logging into their online portals. In addition to a standard password, an SMS message is typically sent to the user providing the required second factor. The SMS text message has just turned 20 years old, and the world around it has changed. Earlier, SMS was received on mobile phones whose software was stable and did not change without reason. Now, in the smartphone age, different applications and malware can affect how the smartphone handles your SMS messages, and can easily do something to them without you knowing. SMS is not designed to be a secure communications channel, and it is not a very secure one. Security experts have warned about the inherent lack of security in SMS technology for several years. SMS was not designed to act as a second authentication factor, but it is used as such.
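As an added example (not code from this post, nor from any bank or vendor it mentions), here is a constructed Python model of a bank-side SMS one-time-password step with one extra layer on top: the server issues single-use codes bound to one transaction, and refuses to treat a correct SMS code as sufficient when the customer's number was ported or re-registered recently, which is the scenario the phone porting scam above exploits. The cooling-off period, the `sim_ported_at` signal from the telco, and the server secret are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"   # assumption: a bank-side HMAC key
OTP_TTL_SECONDS = 120                        # a code is only valid briefly
COOLING_OFF_SECONDS = 48 * 3600              # assumed policy: distrust SMS this long after a port

@dataclass
class Customer:
    name: str
    mobile: str
    number_changed_at: float                 # constructed signal: last change of registered number
    sim_ported_at: Optional[float] = None    # constructed signal: last SIM port reported by the telco

@dataclass
class OtpRecord:
    code_hash: str
    issued_at: float
    amount: float
    payee: str
    used: bool = False

def _hash_code(code: str) -> str:
    return hmac.new(SERVER_SECRET, code.encode(), hashlib.sha256).hexdigest()

def issue_otp(customer: Customer, amount: float, payee: str, now: float):
    """Bank side: create a single-use code bound to one transaction and build the SMS text."""
    code = f"{secrets.randbelow(10**6):06d}"
    record = OtpRecord(_hash_code(code), now, amount, payee)
    sms_text = f"Confirm transfer of {amount:.2f} to {payee} with code {code}"
    return code, record, sms_text            # code returned only so a simulation can 'deliver' it

def sms_trusted(customer: Customer, now: float) -> bool:
    """Layer check: a recently ported or re-registered number may be in an attacker's hands."""
    events = [t for t in (customer.number_changed_at, customer.sim_ported_at) if t is not None]
    return all(now - t > COOLING_OFF_SECONDS for t in events)

def verify_transfer(customer, record, submitted, amount, payee, now) -> str:
    """Returns 'approved', 'step_up' (SMS alone not enough, ask for another factor) or 'rejected'."""
    if record.used or now - record.issued_at > OTP_TTL_SECONDS:
        return "rejected"                    # replayed or expired code
    if not hmac.compare_digest(record.code_hash, _hash_code(submitted)):
        return "rejected"                    # wrong code, constant-time compare
    if (amount, payee) != (record.amount, record.payee):
        return "rejected"                    # code was issued for a different transaction
    record.used = True
    if not sms_trusted(customer, now):
        return "step_up"                     # correct code, but the channel itself is suspect
    return "approved"
```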

Last week Check Point revealed how a sophisticated malware attack was used to steal an estimated €36 million ($47 million) from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over the summer this year. The theft used malware that targeted the PCs and mobile devices of banking customers, and it also took advantage of the SMS messages banks use as part of customers’ secure login and authentication process.

The Eurograbber Trojan exploits a feature designed to help users feel more secure about their online banking in order to rip them off: when the user is on the banking web site, the Trojan asks the user to provide their mobile phone number in order to complete a required upgrade. A user who falls for the ruse and provides the number then receives an SMS on their phone, purportedly from their bank. That SMS directs the user to click a link which downloads a Zeus mobile Trojan. At that point the user is basically owned: the next time they access their bank account, the attack initiates a transaction to transfer money out of the account to the attacker’s account.

For more details on how Eurograbber worked, read How the Eurograbber attack stole 36 million euros. For even more detailed information, read the report published by security vendors Versafe and Check Point Software Technologies: A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware.

Article links on Eurograbber:

The Eurograbber attack is a dangerous one, but it can be prevented if users take the right steps: make sure they keep everything on their phones and desktops up to date (that includes both the operating system and software plugins such as Java and Flash).

Just using normal virus protection does not block sophisticated attacks. Users can nowadays get infected even from well-known web sites.

Security is all about layers. You can’t ever block everything in one place, so you need layers of security to protect yourself. Enterprises can deploy lots of devices and layers to protect themselves and their customers, because you can’t be 100 percent protected against everything with only one solution.

F-Secure’s Hypponen points out that the hackers have not even tried to break into the computer systems of the banks. None of the hackers put much effort into breaking the bank systems when lots of unprotected home computers are easily available.

64 Comments

  1. Tomi Engdahl says:

    The Finns will have to learn Internet banking all over again if the European Banking Authority (EBA) plans are implemented.

    The Authority wants to tighten up online banking security requirements, as a result of which, in Finland, the more than four million printed online banking plastic and cardboard cards with account and password lists should be replaced by new digital identification technology.

    “In Finland, online banking security is good. The EU has, however, decided that the existing password lists carry risks,” said Harry Leinonen, Financial Counsellor, Ministry of Finance. Finland’s existing online banking does, however, already meet the criteria for strong authentication.

    The EBA is already preparing technical recommendations for new authentication methods, which will eventually become mandatory instructions. The codes can be found in a small device carried with you, or “dongle”, of a kind used today in business for remote connections. Another option could be a mobile phone based application. The reform timetable will depend on the EU’s new payment services directive, whose approval is expected in spring 2015.

    European banks’ willingness to reform has emerged because the current account lists cannot prevent online banking fraud where criminals have been able to infect your computer with malware.

    Source: http://www.tietokone.fi/artikkeli/uutiset/verkkopankkitunnukset_menevat_uusiksi

  2. Tomi Engdahl says:

    Code-cracking teens hack into Grant Avenue ATM
    http://www.winnipegsun.com/2014/06/08/code-crackers–charleswood-teens-hack-into-grant-avenue-atm

    A couple of 14-year-old computer whizzes have the Bank of Montreal upgrading their security measures after they hacked an ATM machine.

    Matthew Hewlett and Caleb Turon, both Grade 9 students, found an old ATM operators manual online that showed how to get into the machine’s operator mode.

    “We thought it would be fun to try it, but we were not expecting it to work,”

    “I said: ‘No, no, no. We hacked your ATM. We got into the operator mode,”

    As further proof, Hewlett playfully changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”

  3. Tomi Engdahl says:

    Forget Passwords. Now Banks Can Track Your Typing Behavior On Phones
    http://www.forbes.com/sites/parmyolson/2014/08/18/forget-passwords-now-banks-can-track-your-typing-behavior-on-phones/

    Password theft is an ongoing problem. Finger print and voice recognition is still years away. What’s a bank to do if it wants to verify the thousands of customers using its mobile app? One way is their behavior — or at least their typing behavior.

    Banks in Europe’s Nordic region have begun rolling out a new kind of security technology for their mobile apps that tracks the pressure and speed of how customers type a pin number into their smartphones. This way even if a friend knows someone’s pin, they wouldn’t be able to get in thanks to all the automatic nuances in the way people type, such as rhythm and pressure on the keys.

    “We’re monitoring the small stuff,”
    “It’s constantly learning,”

    Nordic banks including Danske Bank have trialled Behaviosec’s tracking technology and found it worked so well that by the end of the year, every Internet bank user in Sweden, Norway and Denmark will be doubly verified by their typing behavior, not just their pin number, Costigan claims.

    The startup claims a high success rate on verification: it reached 99.7% session accuracy when it trialled its behavior-tracking technology in conjunction with a pin number for Danske Bank.

    If the technology takes off, it could add a whole new layer of security for apps and phones that would be much harder for fraudsters to rip off. Hackers can put millions of user accounts at risk by raiding a database of passwords, but it’s far harder to spoof someone’s typing behavior remotely, especially on smart phones.

  4. Tomi Engdahl says:

    JPMorgan and Other Banks Struck by Cyberattack
    http://www.nytimes.com/2014/08/28/technology/hackers-target-banks-including-jpmorgan.html?_r=0

    A number of United States banks, including JPMorgan Chase and at least four others, were struck by hackers in a series of coordinated attacks this month, according to four people briefed on a continuing investigation into the crimes.

    The hackers infiltrated the networks of the banks, siphoning off gigabytes of data, including checking and savings account information, in what security experts described as a sophisticated cyberattack.

    The motivation and origin of the attacks are not yet clear, according to investigators. The F.B.I. is involved in the investigation, and in the past few weeks a number of security firms have been brought in to conduct forensic studies of the penetrated computer networks.

    The intrusions were first reported by Bloomberg, which indicated that they were the work of Russian hackers. But security experts and government officials said they had not yet made that conclusion.

  5. Tomi Engdahl says:

    Banking apps: Handy, can grab all your money… and RIDDLED with coding flaws
    Yep, that one place you’d hoped you wouldn’t find ‘em
    http://www.theregister.co.uk/2014/08/27/coding_flaws_study/

    A whopping 70 per cent of retail and 69 per cent of financial services apps are vulnerable to data breaches.

    That’s according to an analysis of 705 million lines of code as used by 1,316 enterprise applications carried out by software analysis and measurement firm CAST. The firm reckons a growing number of data breaches and security incidents can be directly linked to poor code quality, which can be attributed to tightening project deadlines and other factors.

    He added: “Businesses handling customer financial information have a responsibility to improve software quality and reduce the operational risk of their applications – not only to protect their businesses, but ultimately their customers.”

    Input validation errors gave rise to the infamous Heartbleed bug and are among the most common class of coding error more generally.

    The research also revealed that the financial services industry has the highest number of input validation violations per application.

  6. Tomi Engdahl says:

    JPMorgan, Four Other Banks Hit by Hackers: U.S. Official
    Aug 28, 2014
    http://www.bloomberg.com/news/2014-08-27/customer-data-said-at-risk-for-jpmorgan-and-4-more-banks.html

    Computer hackers targeted JPMorgan Chase & Co. (JPM) and at least four other banks in a coordinated attack on major financial institutions this month, according to a U.S. official.

    The attack led to the theft of customer data that could be used to drain accounts, according to another person briefed by U.S. law enforcement.

  7. Tomi Engdahl says:

    U.S. banking group says unaware of any ‘significant’ cyber attack
    http://www.reuters.com/article/2014/08/29/us-jpmorgan-cybersecurity-idUSKBN0GS1CO20140829

    The group, known as the Financial Services Information Sharing and Analysis Center, or FS-ISAC, includes all major U.S. banks and dozens of smaller ones along with some large European financial institutions.

    “There are no credible threats posed to the financial services sector at this time,” the group said in an email to its members.

    “Banks are getting attacked every single day. These comments from FS-ISAC and its members indicate that this is not a major new offensive,” said Dave Kennedy, chief executive officer of TrustedSEC LLC, whose clients include several large U.S. banks.

    “While we should remain diligent and active in monitoring, it doesn’t appear there is a major offensive,” said Kennedy.

  8. Judith says:

    Thankfulness to my father who informed me concerning
    this website, this weblog is genuinely amazing.

  9. Tomi Engdahl says:

    Hitachi and Barclays announce a vein scanner for online banking security
    Claims to be more secure than fingerprint scanning
    http://www.theinquirer.net/inquirer/news/2363671/hitachi-and-barclays-announce-a-vein-scanner-for-online-banking-security

    BARCLAYS BANK AND HITACHI have unveiled a biometric security device that scans the unique vein patterns in fingers to prevent fraud.

    The Barclays Biometric Reader consists of a SIM card that holds the unique vein structure information of a single user and a small infra-red scanner. Using Hitachi’s VeinID technology, the reader captures the image of the vein pattern in a user’s finger, which, like a fingerprint, is unique to each individual.

    Unlike fingerprints, the internal structures of veins are very difficult to reproduce artificially and the scanner only operates if there is a constant blood flow to the finger, meaning the severed finger of a finance officer could not be used to bypass the device’s authentication.

    In 2015, the reader will be offered to corporate banking clients who will be able to access their bank accounts and authorise payments without the need for PINs, passwords or other authentication.

    Both companies believe there is a wider potential to use the biometrics scanner in the consumer sector and integrate it with mobile devices.

  10. anxiety attack vs panic attack says:

    Hi there to every one, it’s really a pleasure for me to pay
    a visit to this web page, it includes precious information.

  11. Tomi Engdahl says:

    JPMorgan hack investigation finding dozens of the company’s servers breached over two months; one source says SSNs and account data not stolen:

    After Breach, JPMorgan Still Seeks to Determine Extent of Attack
    http://www.nytimes.com/2014/09/13/technology/after-breach-jpmorgan-still-seeks-to-determine-extent-of-attack.html

    The headache caused by the attack on JPMorgan Chase’s computer network this summer may not go away anytime soon.

    Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work.

    They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack.

    The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than 90 of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems.

    Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access.

  12. Tomi Engdahl says:

    Could your credit score soon be based on your FACEBOOK FRIENDS? Expert predicts future of banking will rely on social networks
    http://www.dailymail.co.uk/sciencetech/article-2773349/Could-credit-score-soon-based-FACEBOOK-FRIENDS-Expert-predicts-future-banking-rely-social-networks.html

    The predictions were made by financial tech expert Gi Fernando
    He claimed that credit scores could soon be based on Facebook friends
    Banks could also move into coffee shops and supermarkets
    Payment technology will become wireless and be based on biometric data
    And Mr Fernando claims this could happen within the next decade

  13. Tomi Engdahl says:

    Infected ATMs Give Away Millions of Dollars Without Credit Cards
    http://it.slashdot.org/story/14/10/07/215222/infected-atms-give-away-millions-of-dollars-without-credit-cards

    Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars.

    Infected ATMs gave away millions of dollars
    http://blog.kaspersky.com/tyupkin-atm-malware/

    What do you need in order to withdraw cash from an ATM? First, you need to have a debit or credit card, which acts as a key to your bank account. Second, you must know the PIN code associated with the card; otherwise, the bank wouldn’t approve the transaction. Finally, you need to have some money in your account that you can withdraw. However, hackers do things differently: they don’t need cards, PIN codes or bank accounts to get money. In reality, all they need is an ATM with some cash in it and a special piece of software.

    Infected ATMs give away millions of dollars without credit cards
    http://www.net-security.org/malware_news.php?id=2880
    Posted on 07.10.2014
    Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars.

    “Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software. Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,”

  14. Mike says:

    I was recommended this web site by way of my cousin. I’m not sure whether this publish is written through him as
    nobody else realizes such distinct approximately my trouble.
    You’re amazing! Thanks!

