Cyber-criminals are increasingly attacking banks and other financial institutions to transfer funds fraudulently into accounts under their control.
There are a number of ways for attackers to gain control, and malware is just one of them, according to Jorge Solis, a senior vice president of security at First Midwest Bank in Itasca, Illinois.
A recent Financial Services Information Sharing and Analysis Centre (FS-ISAC) report found that banks saw more account takeover attempts in the first half of 2010 than they did the full year 2009. However, the banks were better at blocking the fraudulent transfers in the first year of 2010, blocking them 36 percent of the time, the report found.
Attackers are often using malware such as the Zeus Trojan to monitor keystrokes and intercept login credentials, Solis said. Zeus, the malware family the industry sees the most often, can also launch man-in-the-middle attacks by popping up fake Web pages to intercept the commands the customers enter to initiate and confirm a transaction.
The user may successfully log in to the site, but the malware may modify the user experience so that the user is actually entering the transaction details on the “fraudster’s splash page” as opposed to the legitimate site, allowing attackers to intercept all the date before it reaches the bank’s servers.
The man-in-the-middle attack can succeed even if the user is working with token-based authentication, Solis said. As soon as the user enters the one-time password generated by the token into that fake splash page, the attacker is simultaneously putting in the code into the real banking page with the user’s credentials to initiate the wire transfer. The attacks are “happening live”, Solis said, noting that the one-time passwords generated by hardware tokens in most two-factor authentication schemes have a shelf-life for 30 seconds to two minutes.
First Midwest Bank has a lot of “other controls” on the back-end that customers never see as part of the bank’s approach to layered
One of the reasons attackers succeeded with man-in-the-middle attacks even with multi-factor authentication enabled was because the user was entering the PIN code into the computer that was already compromised, according to Solis.
First Midwest Bank shifted tactics and stopped rolling out tokens. Instead, they deployed an automated phone-based authentication product from PhoneFactor, Solis said. Instead of sending users a PIN code to their mobile device that the user has to enter into the computer, PhoneFactor calls the telephone number associated with the person who initiated the electronic transaction.
The phone call lists the transaction details and asks the user to confirm the transaction by entering the secret code into the phone. If the transfer is a fraud, the user would not enter the code, so the transaction is cancelled and a fraud alert is issued on the account.
This mechanism works, despite the growth of mobile malware designed to intercept confirmation codes sent by banks to the mobile device, because it is a more difficult task for the attacker to compromise both the PC and the mobile device, according to Solis. A “simultaneous compromise is a challenge”, Solis said.
First Midwest Bank has seen a dramatic drop in attacks since rolling out PhoneFactor over the summer, Solis said, although he was not sure whether it was because the attackers had decided not to “bother” with the new security measures in place, or because it was part of a natural and temporary dip in fraudulent activity and the pace would pick up again in the future. He did say that at least one attack on a customer account had been blocked with PhoneFactor.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…