Wednesday, March 25, 2009

"Two-factor Authentication Failing" - Doh!

This morning I came across a short news article by Jeremy Kirk over at IDG titled "German Police: Two-factor Authentication Failing". My initial response - Doh!

For anyone familiar with the rapidly evolving class of malware often coined "Brazilian Banking Trojans", you'll know that two-factor authentication hasn't been an inhibitor to online financial fraud for the last 3 or so years.

Now, I'm not saying that the German Police have been left in the dark, or that the iTan system for transaction signing doesn't have a value, but Brazilian Banking Trojans have defeated this particular security technology for quite some time. In fact over the last couple of years I've traveled to many countries and met with most of the security teams at the major banking establishments around the world, and had the opportunity to educate them about the threat targeted at the transaction (well, at least I thought so).

Given the nature of man-in-the-browser attack vectors and the relative complexity of the online banking application (in the eyes of the customer), it's very easy to socially engineer the customer (i.e. victim) to unknowingly become a key component in the success of the fraud.

Without going into the minutiae of the threat and its attack vectors here (I'll write a whitepaper on the topic some time soon - probably available over at ), readers may want to check out the presentation I gave at OWASP late last year on the topic (from a security consulting perspective - but you'll get the idea) - titled "Multidisciplinary Bank Attacks". A video of the presentation is also available.

Perhaps more importantly, many of the newer man-in-the-browser engines now come with quite advanced scripting engines that greatly improve the speed and efficiency of the attack. These engines can not only alter any content the Web browser receives before it's rendered to the customer, but also recalculate balances and effectively "erase" the extra transactions from what the customer sees - keeping their account balances looking good.
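Because the attack above rewrites the transaction inside the browser after the customer has approved it, the defensive question is whether the authorization code the bank checks is bound to the transaction content or not. The following is an added example, not code from the original post or from any bank or product it mentions: it models a hypothetical out-of-band token (own display, never the browser) that computes its code as an HMAC over payee, amount and a per-transaction challenge, and contrasts it with a content-independent one-time code looked up from an index-based list. The shared secret, account strings, challenge and TAN list are constructed values for the demo.

```python
import hashlib
import hmac

# Constructed values for the demo; not real keys, TANs or account numbers.
TOKEN_SECRET = b"demo-shared-secret-for-illustration"
CHALLENGE = "session-7f3a"                     # per-transaction nonce issued by the bank
INTENDED = {"payee": "DE11-RENT-ACCOUNT", "amount_cents": 50_000}
TAN_LIST = {17: "284913"}                      # index -> one-time code, content-independent


def transaction_auth_code(secret: bytes, payee: str, amount_cents: int, challenge: str) -> str:
    """Code shown by a hypothetical out-of-band token after the customer checks payee and
    amount on the token's own screen. It is an HMAC over the transaction fields, so it is
    valid only for this exact payee/amount/challenge combination."""
    msg = f"{payee}|{amount_cents}|{challenge}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"   # 6-digit display code


def server_accepts_bound(submitted: dict) -> bool:
    """Bank side: recompute the code over the fields that actually arrived at the server."""
    expected = transaction_auth_code(TOKEN_SECRET, submitted["payee"],
                                     submitted["amount_cents"], CHALLENGE)
    return hmac.compare_digest(expected, submitted["code"])


def server_accepts_unbound(submitted: dict) -> bool:
    """Bank side for a content-independent one-time code: only the code itself is checked,
    so any payee/amount that arrives with a valid code is authorized."""
    return TAN_LIST.get(submitted["tan_index"]) == submitted["code"]


def browser_submits(form: dict, infected: bool) -> dict:
    """What leaves the browser. A man-in-the-browser engine, as the post describes, can
    rewrite the form after the customer has confirmed it; modelled here by swapping payee
    and amount while leaving the customer's entered code untouched."""
    sent = dict(form)
    if infected:
        sent["payee"] = "XX99-MULE-ACCOUNT"    # constructed placeholder
        sent["amount_cents"] = 490_000
    return sent


def run_scenarios() -> dict:
    """Returns which combinations the bank accepts. Only the transaction-bound code
    rejects the rewritten transaction; the unbound code accepts it unnoticed."""
    bound_form = {**INTENDED,
                  "code": transaction_auth_code(TOKEN_SECRET, INTENDED["payee"],
                                                INTENDED["amount_cents"], CHALLENGE)}
    unbound_form = {**INTENDED, "tan_index": 17, "code": TAN_LIST[17]}
    return {
        "bound_clean":      server_accepts_bound(browser_submits(bound_form, infected=False)),
        "bound_infected":   server_accepts_bound(browser_submits(bound_form, infected=True)),
        "unbound_clean":    server_accepts_unbound(browser_submits(unbound_form, infected=False)),
        "unbound_infected": server_accepts_unbound(browser_submits(unbound_form, infected=True)),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:18s} -> {'ACCEPTED' if accepted else 'REJECTED'}")
```

The binding only helps if the customer reads the payee and amount on the token's own display before entering the code; if the token simply signs whatever the browser sends it, or the customer confirms from the browser's rendering, the rewritten content is what gets signed, which is exactly the social-engineering path the post describes.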

I could go on for hours about the topic - but I think it'll be best covered by a technical whitepaper. In the meantime, any banking organizations out there that need more details on the topic and best practice advice in countering the threat - well, I'm pretty easy to get hold of.

One last point. The news story makes mention of CAPTCHAs as an anti-fraud mechanism. Sorry - but that's been defeated too. In fact it's already evolved into a subscription-based, criminally managed service. Check out my other blog post, "CAPTCHA's and Mechanical Turks".


  1. Gunther,
    While this threat has been known for a couple of years, isn't it true that the majority of fraud is still based on stealing passwords?


  2. I've never seen any public stats on the issue, but I suspect that that is probably still the case for most banking sites that haven't implemented some kind of temporal challenge-response or one-time passkey, or haven't built a robust back-end anti-fraud monitoring system (e.g. browser/GeoIP heuristics and behavioral session analysis).

    For those that have (which are the larger international banks - and is the case of the German iTan code), merely recycling keylogged user credentials will not be enough. Hence the focus on the transaction (since that's where the money is) and conducting the attack in real-time from within the user's (victim's) Web browser.
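The reply above mentions back-end anti-fraud monitoring built on browser/GeoIP heuristics and behavioral session analysis. The following is an added example, not code from the original post or from any bank's real system: it scores a constructed session log against a constructed customer profile. Because a man-in-the-browser attack runs from the victim's own machine, the IP/GeoIP and user-agent signals look normal; the example therefore weights transaction-level signals (unknown payee, unusual amount, scripted speed between login and submission) and reports which fired. Thresholds, weights, log format and profile fields are all assumptions for the demo.

```python
from datetime import datetime

# Constructed customer profile derived from past sessions (assumed fields and values).
PROFILE = {
    "usual_countries": {"DE"},
    "known_payees": {"DE11-RENT-ACCOUNT", "DE22-UTILITY"},
    "typical_max_cents": 120_000,
    "median_login_to_transfer_s": 95,
}

# Constructed session logs: "<iso timestamp> <event> key=value ...".
# The first session comes from the customer's usual machine and country, as a
# man-in-the-browser session would, but the submitted transfer is not the customer's.
MITB_LOG = """\
2009-03-25T09:01:02 login user=alice ip_country=DE ua=Firefox/3.0
2009-03-25T09:01:14 view page=transfer
2009-03-25T09:01:16 submit payee=XX99-MULE-ACCOUNT amount_cents=490000
"""
CLEAN_LOG = """\
2009-03-25T09:01:02 login user=alice ip_country=DE ua=Firefox/3.0
2009-03-25T09:02:40 view page=transfer
2009-03-25T09:03:10 submit payee=DE11-RENT-ACCOUNT amount_cents=50000
"""


def parse_session(text: str) -> list:
    """Parse log lines into event dicts with a datetime and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **kv})
    return events


def score_session(events: list, profile: dict) -> tuple:
    """Additive risk score plus the reasons that contributed. Weights are assumptions."""
    score, reasons = 0, []
    login = next(e for e in events if e["event"] == "login")
    if login.get("ip_country") not in profile["usual_countries"]:
        score += 3
        reasons.append("login from unusual country")
    for e in events:
        if e["event"] != "submit":
            continue
        if e["payee"] not in profile["known_payees"]:
            score += 2
            reasons.append("transfer to previously unseen payee")
        if int(e["amount_cents"]) > profile["typical_max_cents"]:
            score += 2
            reasons.append("amount above customer's typical maximum")
        elapsed = (e["ts"] - login["ts"]).total_seconds()
        # A scripted engine fills and submits forms far faster than a person reads them.
        if elapsed < profile["median_login_to_transfer_s"] / 4:
            score += 2
            reasons.append(f"submit {elapsed:.0f}s after login, far below customer median")
    return score, reasons


def analyse(text: str, profile: dict = PROFILE) -> dict:
    """Decision for one session: step-up verification out of band when the score is high."""
    score, reasons = score_session(parse_session(text), profile)
    decision = "step-up" if score >= 4 else "allow"
    return {"score": score, "reasons": reasons, "decision": decision}


if __name__ == "__main__":
    for label, log in (("mitb", MITB_LOG), ("clean", CLEAN_LOG)):
        print(label, analyse(log))
```

The "step-up" decision is only useful if the verification it triggers runs outside the compromised browser (a call-back or a device that displays the real payee and amount); a step-up rendered in the same browser is subject to the same rewriting the post describes.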