ABN Amro systems compromised

ABN Amro systems compromised

Summary: Bank's two-factor authentication system has been circumvented by hackers who broke in after sending a phishing email to their victims

TOPICS: Security

A two-factor authentication system operated by Dutch bank ABN Amro has been compromised and money stolen from four customers who fell victim to a phishing scam.

The man-in-the-middle attack occurred after the customers opened an email with an attachment purporting to be from the bank, downloading malware onto their machines. When they next tried to visit the bank's website, their browser was redirected to a fake site, allowing the attackers to overcome ABN Amro's two-factor authentication system by piggy-backing on a legitimate log-in.

Two-factor authentication systems normally use passwords as well as tokens, which provide pseudo-randomly generated numbers. Use of both is supposed to make online banking identity verification more robust.

But security experts have warned that two-factor authentication is ineffectual against man-in-the-middle attacks.

Speaking at the E-Crime Congress in London in March, Cambridge University professor Ross Anderson spoke of the limitations of two-factor authentication. "There are a whole bunch of things that can go wrong with two-factor authentication," said Anderson. "Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten," Anderson added, according to Out-Law.com.

The four ABN Amro customers have been compensated by the bank for the money taken from their accounts.

Barclays bank on Wednesday said it would send 500,000 chip and PIN devices to its customers to secure online banking.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • communication paths

    Nearly all man-in-the-middle attacks are broken once different communication paths are used during two-factored (or more) authentication methods.

    In short, don't fight symptoms, solve causes. Diversity is the key to real security. As long as it's KISS. Until then ignorance rules and arrogance kills.