Hackers bypass online security at 34 banks-can get past two-factor authentication
Cybercriminals are sneaking past security protections to access online accounts across 34 banks in Switzerland, Sweden, Austria and Japan. And in doing so, experts say, the hackers are defeating what's often touted as one of the more effective online security protocols.
The attack can get past two-factor authentication, which requires customers to type in a code sent to their cellphone or inbox to ensure the user is who he or she claims to be, by convincing customers to download a malicious smartphone app, according to a report released Tuesday by the security firm Trend Micro. The researchers dubbed the technique "Emmental," like the Swiss cheese, because they say it shows the security flaws in online banking. So far, funds in the seven figures have been taken from bank accounts, according to Trend Micro spokesman Thomas Moore.
In typical form, the attack begins with realistic-looking phishing emails that install malware to give hackers control. Then the malware deletes itself, leaving no traces, and users are redirected to malicious servers when using banking websites. The website asks users to log in, and then install a special mobile app to receive the security code to log on. Instead of fostering more secure transactions, the app intercepts customer data.
Two-factor authentication, hailed as an essential second gatepost for online accounts, can sometimes prove to be an empty promise. Experts have found that the text messages that banks send customers can be intercepted, or in other cases, the hackers can scrape people's screens to know the answers to extra security questions. Last month, PayPal said it was working to fix a flaw in its two-step authentication that virtually made the extra layer useless.
http://www.marketwatch.com/story/hackers-bypass-online-security-at-34-banks-2014-07-22?link=mw_suggested
Takeaway: European banking security is more stringent and if this attack code is viable against those institutions, then it will be even more prevalent here in the U.S.
Hackers bypass online security at 34 banks-can get past two-factor authentication (Original Post)
dixiegrrrrl
Jul 2014
OP
Krista H_Authentify (1 post)
1. Not All Two-Factor Authentications are the Same
Two-factor authentication is a solid security practice, but the techniques vary quite a bit. The OTP exploited by Emmental is obviously flawed because the hackers have redirected the OTP to themselves. An interactive second factor to authenticate the actual person POST-LOGIN, like a voice biometric or fingerprint, would have stopped some of the Emmental account hijacks. A phone call over the voice channel of the mobile phone repeating the actual transaction details, like "To send $5,000 to an account ending in Ivan666 do this, to cancel do that," would catch the end user's attention if they were sending $50 to the electric company.
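
The transaction-detail confirmation described in the reply above, sketched as an added example that is not part of the original thread or any bank's code. It goes one step beyond the reply by also deriving the confirmation code from the payee and amount, so a code captured for one transfer cannot approve another; the function names, field names, key and account values are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed demo key, held server-side only


def _code(tx: dict, nonce: str) -> str:
    """Six-digit code derived from the nonce AND the transaction fields."""
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([nonce, tx["payee"], tx["amount_cents"], tx["currency"]]).encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def issue_challenge(tx: dict) -> dict:
    """Build the out-of-band prompt for the transaction the bank actually received."""
    nonce = secrets.token_hex(8)
    code = _code(tx, nonce)
    prompt = (
        f"To send {tx['amount_cents'] / 100:.2f} {tx['currency']} to an account "
        f"ending in {tx['payee'][-4:]}, enter {code}. To cancel, hang up."
    )
    return {"nonce": nonce, "code": code, "prompt": prompt}


def approve(tx: dict, nonce: str, code: str) -> bool:
    """Accept the code only for the exact transaction it was issued for."""
    return hmac.compare_digest(_code(tx, nonce), code)


if __name__ == "__main__":
    # Constructed sample data: what the customer meant vs. what a tampered session submits.
    bill = {"payee": "ACCT-CONSTRUCTED-1234", "amount_cents": 5000, "currency": "USD"}
    swapped = {"payee": "ACCT-CONSTRUCTED-0666", "amount_cents": 500000, "currency": "USD"}
    c = issue_challenge(swapped)
    print(c["prompt"])  # customer hears details that do not match the $50 bill
    print(approve(bill, c["nonce"], c["code"]))  # code does not approve any other transfer
```

The prompt only helps if it travels over a channel the compromised session and phone app cannot rewrite, which is why the reply points to the voice channel.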