Security measures such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a new report from research firm Gartner Inc. warns.
"Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication, enabled by one-time password tokens," Gartner wrote in its report dated December 3, 2009. "Other strong authentication methods, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated," Gartner said.
For instance, a request to transfer a certain amount of money from one account to another could be modified so that the request the bank receives differs from the request the user sent. Yet when the bank asks the customer to confirm the transaction, the details shown to the user appear to be the same as the ones he requested, Gartner said. "The malware is changing what the user sees. So even if you put in a one-time password, you are confirming the wrong transaction," Gartner said.
So why not add a phone (smart or dumb) to confirm the transaction content?
But can we trust our money to our phones?
In instances where a bank might use a phone-based, "out-of-band" authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Gartner said.
If the security application places an outbound call synchronized to a Web session, then this outbound call can be forwarded to fraudsters. If, in addition, the security application displays a number on the Web screen that must be entered via the telephone keypad, then this number can easily be intercepted by a man-in-the-browser Trojan and forwarded to the same fraudsters, thus hijacking the session. We can reverse the loop and ask the user to send some transaction information using the phone keypad, but this does not make any difference.
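To make the failure mode described above concrete, here is an added simulation (my own example, not code from the post or from Gartner). It models the customer's intended transfer, a man-in-the-browser Trojan that rewrites the request after the customer has confirmed it, and the bank's check. A plain one-time password depends only on the token counter, so the bank accepts the rewritten transfer; a code computed over the recipient and amount the customer actually sees on the independent device ("what you see is what you sign") is rejected for the altered request. The shared secret, account names and counter are constructed placeholders, and the example assumes the independent device itself has not been forwarded or cloned, which is exactly the remaining concern the post goes on to raise.

```python
import hashlib
import hmac

# Constructed shared secret between the bank and the customer's token or phone app.
# Placeholder for demonstration only, not a real key.
TOKEN_SECRET = b"demo-token-secret-not-real"


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code, as OTP tokens typically do."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def otp_plain(counter: int) -> str:
    """Event-based one-time password that depends only on the token counter.
    Nothing in the code ties it to the transaction being confirmed."""
    mac = hmac.new(TOKEN_SECRET, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _six_digits(mac)


def otp_bound(counter: int, recipient: str, amount: int) -> str:
    """Transaction-signing variant: the code is computed over the recipient and
    amount displayed on the independent device, so a code obtained for one
    transaction does not confirm a different one."""
    msg = counter.to_bytes(8, "big") + f"{recipient}|{amount}".encode()
    mac = hmac.new(TOKEN_SECRET, msg, hashlib.sha256).digest()
    return _six_digits(mac)


def man_in_the_browser(request: dict) -> dict:
    """Simulates the Trojan from the post: the request leaving the browser is
    altered while the customer keeps seeing the original details."""
    tampered = dict(request)
    tampered["recipient"] = "MULE-ACCOUNT"  # constructed placeholder
    return tampered


def bank_verify_plain(request: dict, counter: int, code: str) -> bool:
    """Bank-side check for the plain OTP: the request content is never consulted."""
    return hmac.compare_digest(code, otp_plain(counter))


def bank_verify_bound(request: dict, counter: int, code: str) -> bool:
    """Bank-side check for the bound code: recomputed over the submitted request."""
    expected = otp_bound(counter, request["recipient"], request["amount"])
    return hmac.compare_digest(code, expected)


def run_scenario(bound: bool, tampered: bool = True) -> dict:
    """Run one confirmation round and report what the bank saw and decided."""
    user_intent = {"recipient": "FRIEND-ACCOUNT", "amount": 100}  # constructed
    counter = 7
    # The customer confirms what they see: their intended transaction.
    if bound:
        code = otp_bound(counter, user_intent["recipient"], user_intent["amount"])
    else:
        code = otp_plain(counter)
    # The Trojan rewrites the request after the customer has confirmed it.
    submitted = man_in_the_browser(user_intent) if tampered else dict(user_intent)
    verify = bank_verify_bound if bound else bank_verify_plain
    return {"submitted": submitted, "accepted": verify(submitted, counter, code)}


if __name__ == "__main__":
    for bound in (False, True):
        result = run_scenario(bound)
        print("bound code" if bound else "plain OTP", "->", result)
```

Running the block shows the plain OTP accepting a transfer to `MULE-ACCOUNT` that the customer never saw, while the bound code is rejected. The defensive point is only that the confirmation must be computed over details the customer verifies on a channel the Trojan cannot rewrite; if that channel is the phone and the phone is forwarded or cloned, the binding buys nothing.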
The Nokia 1100 became VERY POPULAR amongst fraudsters, as seen in Google searches worldwide, for a simple reason: it was used to spoof other people's phones.
The measurement of risks and probabilities has changed over the last year. The attacks are becoming increasingly focused and targeted on people performing high-value transactions. For them, the probability of a hacker "cloning" a mobile phone as well as planting a man-in-the-browser Trojan may be very high! For those inclined to further reading:
Phone cloning and confirmation message spoofing and that's it...
So putting together these "weak" defenses cannot prevent fraud. The Nokia 1100 incident happened a year ago, in 2009. So out-of-band transaction confirmation is already late,