Hackers are defeating strong authentication

One-time passwords and phone-based user authentication are no longer enough to stop cybercriminals from emptying your bank accounts.

A new report from Gartner warns that one-time passwords and phone-based user authentication are not enough to protect online banking transactions against fraud. Increasingly, such measures are bypassed by online criminals intent on robbing your bank account. Gartner's warning comes amid a sharp uptick in fraud involving the use of valid online banking credentials that have been stolen from their owners.

How these attacks work

Small to medium-size businesses are being victimized by cybercriminals who use increasingly sophisticated malware and spear-phishing attacks to intercept their online banking credentials. The attack either directs the unsuspecting user to a fraudulent site designed to mimic the bank's website, or installs malware that changes the behavior of the web browser itself (a man-in-the-browser). Either way, once the user submits a username, password and one-time password, the credentials are transmitted to the attacker immediately and used to log in and submit fraudulent transactions. The user is shown an innocuous error and has no reason to suspect anything beyond a technical glitch.

The attack works because the one-time password never reaches the bank's website during the user's login attempt: the malware (or the fake site) swallows the submission, so the code is still unused and valid for the attacker until it expires. Time-based tokens typically rotate every 30 to 60 seconds, which is why the relay has to happen in real time rather than from a harvested list. The attack exploits one or more of the following: social engineering and weak security awareness, missing patches and vulnerabilities on the user's system, and a lack of fraud-detection and trust mechanisms at the financial institution.
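The relay described above, played through end to end, as an added example that is not code from the article or from Gartner's report. It assumes the one-time password is an RFC 6238 time-based token code (the text does not say which kind of one-time password the targeted banks used); the bank, the look-alike site, the account numbers, the secret and the timestamps are all constructed for the demonstration. The bank accepts each code only once, which is what shows that the attacker's login, not the user's, consumed it.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30       # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6
SKEW_STEPS = 1       # accept one step of clock drift on either side


def totp(secret: bytes, step_counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP for one time-step counter (HMAC-SHA1, RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class Bank:
    """Constructed stand-in for the real bank: password + TOTP login, single-use codes, transfers."""

    def __init__(self, users, balances):
        self.users = users            # username -> (password, totp_secret)
        self.balances = balances      # username -> balance
        self.last_counter = {}        # username -> highest TOTP step already consumed
        self.sessions = {}            # session token -> username

    def login(self, username, password, code, now):
        stored_pw, secret = self.users[username]
        if not hmac.compare_digest(stored_pw.encode(), password.encode()):
            return "bad password", None
        counter = now // TOTP_STEP
        for step in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
            if hmac.compare_digest(totp(secret, step), code):
                # Each code is single-use: a step that has been consumed is never accepted again.
                if step <= self.last_counter.get(username, -1):
                    return "replayed otp", None
                self.last_counter[username] = step
                token = secrets.token_hex(8)
                self.sessions[token] = username
                return "ok", token
        return "bad otp", None

    def transfer(self, token, dest_account, amount):
        user = self.sessions.get(token)
        if user is None:
            return "not authenticated"
        if self.balances[user] < amount:
            return "insufficient funds"
        self.balances[user] -= amount
        return f"sent {amount} to {dest_account}"


class PhishingProxy:
    """The look-alike site (or the malware in the browser): it captures the
    submission, plays it against the real bank at once, and shows the user
    a bland error so nothing looks wrong."""

    def __init__(self, bank, mule_account):
        self.bank = bank
        self.mule_account = mule_account
        self.attacker_login = None
        self.loot = []

    def submit_login(self, username, password, code, now):
        self.attacker_login, token = self.bank.login(username, password, code, now)
        if token is not None:
            # The code only lives for a step or two, so the fraud follows immediately.
            self.loot.append(self.bank.transfer(token, self.mule_account, 9_500))
        return "Service temporarily unavailable. Please try again later."


def run_simulation(now: int = 1_700_000_000) -> dict:
    """Play the relay through once and report what each party observed."""
    secret = b"constructed-demo-seed-not-a-real-key"   # made-up token seed
    bank = Bank({"alice": ("correct horse", secret)}, {"alice": 10_000})
    proxy = PhishingProxy(bank, mule_account="999-000-1234")   # made-up mule account

    code = totp(secret, now // TOTP_STEP)       # what alice's token displays right now
    user_sees = proxy.submit_login("alice", "correct horse", code, now)

    # Had alice gone straight to the real site with the same code seconds later,
    # the bank would already have consumed it for the attacker's session.
    retry_status, _ = bank.login("alice", "correct horse", code, now)
    # Several steps later the code is simply invalid, which is why the relay
    # must happen in real time rather than from a harvested list.
    late_status, _ = bank.login("alice", "correct horse", code, now + 4 * TOTP_STEP)

    return {
        "user_sees": user_sees,
        "attacker_login": proxy.attacker_login,
        "fraud_transfers": proxy.loot,
        "user_retry_same_code": retry_status,
        "late_replay": late_status,
        "balance_after": bank.balances["alice"],
    }


if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(f"{key}: {value}")
```

Running it shows the attacker's login succeeding and the money leaving while the user only ever sees the "temporarily unavailable" message; the user's own retry with the same code is rejected as a replay because the attacker has already spent it, and a replay four steps later fails outright, which is the time pressure that forces the relay to be live.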

Short-term solutions

Banks need to implement additional layers of security to protect their customers from falling victim to online fraud. Financial institutions need to start using server-side monitoring software to detect fraudulent behavior. Fraud monitoring tools need to verify that transactions are being initiated by real humans, and that the usage pattern is not significantly different from that user's established profile. Moreover, consumers need to be diligent about applying layers of security across their networks, computers and mobile devices, taking a defense-in-depth approach to securing their business environment. This includes:

A Unified Threat Management (UTM) appliance
Anti-virus and anti-malware protection
Network segmentation for financial systems
Patch management for all systems
Regular password changes (rotation alone does not stop a real-time relay of freshly captured credentials)
Insurance for fraud losses
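The server-side fraud monitoring described above, as an added example that is not code from the article or from any vendor's product. A per-customer profile is built from a constructed history of past transfers, and each new transfer is scored against it and either allowed, held for out-of-band confirmation, or blocked. The customers, payees, device fingerprints and amounts are made up; the weights and thresholds are illustrative, not recommendations; and the "real human" check is implemented here as one plausible signal, the time between the transfer form loading and being submitted, which is an assumption about how such a check might work rather than anything the article specifies.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    user: str
    ts: int              # unix seconds (UTC)
    amount: float
    payee: str           # destination account
    device: str          # browser/device fingerprint seen at login
    fill_seconds: float  # seconds between the transfer form loading and being submitted


def build_profile(history):
    """Summarise what is normal for this customer from past accepted transfers."""
    amounts = [t.amount for t in history]
    return {
        "payees": {t.payee for t in history},
        "devices": {t.device for t in history},
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "hours": {(t.ts // 3600) % 24 for t in history},
    }


def score_transfer(tx, history, velocity_window=600):
    """Return (decision, score, flags) for one new transfer against the customer's history."""
    profile = build_profile(history)
    flags = []                                    # (reason, weight); weights are illustrative
    if tx.payee not in profile["payees"]:
        flags.append(("new_payee", 2))
    if tx.amount > profile["mean"] + 3 * profile["stdev"]:
        flags.append(("amount_outlier", 3))
    if tx.device not in profile["devices"]:
        flags.append(("new_device", 2))
    if (tx.ts // 3600) % 24 not in profile["hours"]:
        flags.append(("unusual_hour", 1))
    recent = [t for t in history if tx.ts - velocity_window <= t.ts < tx.ts]
    if len(recent) >= 2:
        flags.append(("velocity", 2))             # several transfers within a few minutes
    if tx.fill_seconds < 2.0:
        flags.append(("scripted_submission", 2))  # no human completes the form that fast
    score = sum(weight for _, weight in flags)
    if score >= 6:
        decision = "block"
    elif score >= 3:
        decision = "hold_for_confirmation"        # confirm out of band before releasing funds
    else:
        decision = "allow"
    return decision, score, [reason for reason, _ in flags]


# Constructed history: rent and utilities paid from the same laptop around 18:00 UTC.
_DAY = 86_400
_BASE = 1_699_920_000                             # a midnight UTC, chosen for the example
HISTORY = [
    Transfer("alice", _BASE + d * _DAY + 18 * 3600, amt, payee, "fp-alice-laptop", fill)
    for d, amt, payee, fill in [
        (2, 1200.0, "rent-landlord", 41.0), (5, 95.0, "utility-co", 30.5),
        (9, 1200.0, "rent-landlord", 38.0), (12, 110.0, "utility-co", 27.0),
        (16, 1200.0, "rent-landlord", 44.5), (19, 102.0, "utility-co", 33.0),
    ]
]
# Next month's rent, as usual.
LEGIT = Transfer("alice", _BASE + 23 * _DAY + 18 * 3600, 1200.0, "rent-landlord", "fp-alice-laptop", 39.0)
# Alice pays a new payee from her phone: plausible, but worth an out-of-band check.
STEP_UP = Transfer("alice", _BASE + 23 * _DAY + 18 * 3600, 250.0, "plumber-llc", "fp-alice-phone", 52.0)
# Relayed-credential fraud: unknown host, 03:00 UTC, unknown payee, large amount, scripted.
FRAUD = Transfer("alice", _BASE + 23 * _DAY + 3 * 3600, 9500.0, "999-000-1234", "fp-unknown-host", 0.8)


def run_checks():
    """Score the three constructed transfers against alice's history."""
    return {name: score_transfer(tx, HISTORY) for name, tx in
            [("legit", LEGIT), ("step_up", STEP_UP), ("fraud", FRAUD)]}


if __name__ == "__main__":
    for name, (decision, score, flags) in run_checks().items():
        print(f"{name}: {decision} (score {score}) {flags}")
```

The point of the middle case is that a fraud engine does not have to be binary: a transfer that is unusual but not alarming is held and confirmed with the customer over a channel the attacker does not control, while the relayed-credential case trips several independent signals at once and is stopped even though the login itself was "valid".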

Long-term solutions

Banks need to re-examine authentication solutions, trust models, and the requirements for transferring money between accounts. The fundamental question is: should an account number and routing number be all that is required to transfer funds?
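One answer to that question, as an added example rather than anything the article or Gartner proposes, is to bind the one-time code to the transfer itself: the customer's token or phone app displays the payee and amount, computes a short code over exactly those details plus a one-shot challenge from the bank, and the bank recomputes the code over the transfer it actually receives. A code captured by a relay or rewritten in the browser then authorizes nothing but the transfer the customer saw. The construction below (HMAC-SHA256 over payee, amount and challenge, truncated to digits) is a hypothetical stand-in for a real transaction-signing scheme; the secret, challenges and account numbers are made up.

```python
import hashlib
import hmac


def auth_code(secret: bytes, dest: str, amount_cents: int, challenge: str, digits: int = 8) -> str:
    """Hypothetical transaction-signing code: HMAC-SHA256 over the payee, the
    amount and a one-shot challenge from the bank, truncated to decimal digits.
    The customer's token shows dest and amount on its own screen before computing it."""
    message = f"{dest}|{amount_cents}|{challenge}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** digits:0{digits}d}"


class Bank:
    """Constructed bank that only releases a transfer whose code matches its details."""

    def __init__(self, secrets_by_user):
        self.secrets = secrets_by_user
        self.open_challenges = {}          # challenge -> user; each is valid exactly once
        self._issued = 0

    def start_transfer(self, user):
        self._issued += 1
        challenge = f"ch-{self._issued:04d}"   # a real system would use a random value
        self.open_challenges[challenge] = user
        return challenge

    def submit_transfer(self, user, dest, amount_cents, challenge, code):
        # Burn the challenge first so a failed attempt cannot be retried with it.
        if self.open_challenges.pop(challenge, None) != user:
            return "unknown or already used challenge"
        expected = auth_code(self.secrets[user], dest, amount_cents, challenge)
        if not hmac.compare_digest(expected, code):
            return "code does not match transfer details"
        return f"sent {amount_cents} cents to {dest}"


def run_scenarios():
    """Honest transfer, payee swapped in the browser, and a replayed capture."""
    secret = b"constructed-demo-token-seed"      # made-up token seed
    bank = Bank({"alice": secret})
    results = {}

    # 1. Honest transfer: the token signs exactly what alice confirmed on its screen.
    ch1 = bank.start_transfer("alice")
    code1 = auth_code(secret, "rent-landlord", 120_000, ch1)
    results["honest"] = bank.submit_transfer("alice", "rent-landlord", 120_000, ch1, code1)

    # 2. Man-in-the-browser: malware rewrites the payee on the way to the bank,
    #    but the code alice typed was computed over the payee she saw.
    ch2 = bank.start_transfer("alice")
    code2 = auth_code(secret, "rent-landlord", 120_000, ch2)
    results["swapped_payee"] = bank.submit_transfer("alice", "999-000-1234", 120_000, ch2, code2)

    # 3. Relay: the attacker captured alice's challenge and code from scenario 1
    #    and tries to spend them on a transfer of their own.
    results["replayed"] = bank.submit_transfer("alice", "999-000-1234", 120_000, ch1, code1)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with a login-time one-time password: there the bank learns only that someone holding the token is present, and every transfer in the resulting session is trusted. Here the thing being proved is "the token holder saw and approved this payee and this amount", which is the trust question the long-term fix has to answer.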