Welcome to DU! The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards. Join the community: Create a free account Support DU (and get rid of ads!): Become a Star Member All Forums Issue Forums Culture Forums Alliance Forums Region Forums Support Forums Help & Search

dixiegrrrrl

(60,010 posts)
Wed Jul 23, 2014, 02:37 PM Jul 2014

Hackers bypass online security at 34 banks-can get past two-factor authentication

Cybercriminals are sneaking past security protections to access online accounts across 34 banks in Switzerland, Sweden, Austria and Japan. And in doing so, experts say, the hackers are defeating what’s often touted as one of the more effective online security protocols.

The attack can get past two-factor authentication, which requires customers to type in a code sent to their cellphone or inbox to ensure the user is who he or she claims to be, by convincing customers to download a malicious smartphone app, according to a report released Tuesday by the security firm Trend Micro. The researchers dubbed the technique “Emmental” — like the Swiss cheese — because they say it shows the security flaws in online banking. So far, funds “in the seven figures” have been taken from bank accounts, according to Trend Micro spokesman Thomas Moore.

In typical form, the attack begins with realistic-looking phishing emails that install malware to give hackers control. Then the malware deletes itself, leaving no traces, and users are redirected to malicious servers when using banking websites. The website asks users to log in, and then install a special mobile app to receive the security code to log on. Instead of fostering more secure transactions, the app intercepts customer data.

Two-factor authentication, hailed as an essential second gatepost for online accounts, can sometimes prove to be an empty promise. Experts have found that the text messages that banks send customers can be intercepted, or in other cases, the hackers can scrape peoples’ screens to know the answers to extra security questions. Last month, PayPal said it was working to fix a flaw in its two-step authentication that virtually made the extra layer useless.
http://www.marketwatch.com/story/hackers-bypass-online-security-at-34-banks-2014-07-22?link=mw_suggested

Takeaway: European banking security is more stringent and “if this attack code is viable against those institutions, then it will be even more prevalent here in the U.S.”
1 replies = new reply since forum marked as read
Highlight: NoneDon't highlight anything 5 newestHighlight 5 most recent replies
Hackers bypass online security at 34 banks-can get past two-factor authentication (Original Post) dixiegrrrrl Jul 2014 OP
Not All Two-Factor Authentications are the Same Krista H_Authentify Jul 2014 #1
1. Not All Two-Factor Authentications are the Same
Thu Jul 24, 2014, 03:01 PM
Jul 2014

Two-factor authentication is a solid security practice, but the techniques vary quite a bit. The OTP exploited by Emmental is obviously flawed because the hackers have redirected the OTP to themselves. An interactive second factor to authenticate the actual person POST-LOGIN like a voice biometric or fingerprint would have stopped some of the Emmental account hijacks. A phone call over the voice channel of the mobile phone repeating the actual transaction details, like “To send $5,000 to an account ending in Ivan666 do this… to cancel do that” would catch the end users attention if they were sending $50 to the electric company.

Latest Discussions»General Discussion»Hackers bypass online sec...