Crooks steal past multi-factor authentication

Summary: Online banking security needs tightening because malware can already breach existing measures, says Rik Ferguson

Criminals are outsmarting security measures designed to protect online accounts, so it's vital that security improvements do more than simply authenticate the user, says Rik Ferguson.

Never let it be said that criminals are not innovative. Malware has been used to compromise the online portfolios of Belgian investors, turning the PCs of those unlucky victims into bots. The botnet was then used to influence stock prices, making the criminals more than €100,000 (£82,000).

The Belgian federal prosecutor and the computer crimes unit of the country's national police have been looking into events that took place in 2007. The investigation remained secret until this month.

Between April and May 2007, criminals infected the PCs of customers of the banks Dexia, KBC and Argenta with a bot that stole the usernames and passwords for online share-trading platforms.

Highly targeted
The attack, which appears to have been highly targeted and customised, was able to automate stock trades across the botnet. With a push of a button the botmaster instructed all the computers to buy or sell the same shares at the same time.

Of course, the criminals behind the enterprise went on to profit from the sharp price changes in the manipulated penny stocks by buying and selling their own shares at exactly the right moments, a classic pump-and-dump tactic.

Hein Lannoy from the Belgian Banking, Finance and Insurance Commission stated: "after the hack in July 2007, no further similar incidents occurred in the country".

"In April 2009, we sent a circular regarding an improvement in the security standards of our financial institutions. Belgian online banking services are now very heavily protected. We have no jurisdiction to impose our standards on foreign banks in our country," he said.

Classic authentication
Many banks are still only offering classic two-factor authentication using technology such as USB tokens that generate continually changing passcodes or scratch cards giving single-use codes. These techniques are aimed at authenticating the user rather than the transaction.

This kind of technology would certainly thwart this bot in its current form, but user authentication is not impossible to defeat. In fact, banking malware has already evolved to the stage where it can overcome multi-factor user authentication.
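The distinction drawn above between authenticating the user and authenticating the transaction, as an added example that is not part of the original article: a passcode derived only from a token secret and a counter still verifies when the order reaching the bank differs from the one the customer approved, while a code computed over the payee and amount does not. The key, order values and function names are constructed for illustration, and the transaction-bound code is a generic HMAC construction, not any particular bank's scheme.

```python
import hashlib
import hmac
import struct

# Constructed sample secret shared by the bank and the customer's token.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"

def _truncate(digest: bytes, digits: int = 8) -> str:
    """RFC 4226-style dynamic truncation of an HMAC digest to a decimal code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def user_code(key: bytes, counter: int) -> str:
    """Classic one-time passcode: depends only on the key and a counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)

def transaction_code(key: bytes, counter: int, payee: str, amount: str) -> str:
    """Passcode bound to the transaction: payee and amount are MAC inputs."""
    msg = struct.pack(">Q", counter) + f"|{payee}|{amount}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return _truncate(mac)

def bank_accepts_user_code(code, counter, payee, amount) -> bool:
    # The order details play no part in this check, so they are ignored.
    return hmac.compare_digest(code, user_code(TOKEN_KEY, counter))

def bank_accepts_transaction_code(code, counter, payee, amount) -> bool:
    # The bank recomputes the code over the order it actually received.
    expected = transaction_code(TOKEN_KEY, counter, payee, amount)
    return hmac.compare_digest(code, expected)

def demo() -> dict:
    intended = ("ACME-SHARES", "100")       # constructed: what the customer approved
    received = ("PENNY-STOCK-X", "100000")  # constructed: altered order at the bank
    otp = user_code(TOKEN_KEY, 1)
    signed = transaction_code(TOKEN_KEY, 1, *intended)
    return {
        "user_code_on_altered_order": bank_accepts_user_code(otp, 1, *received),
        "txn_code_on_altered_order": bank_accepts_transaction_code(signed, 1, *received),
        "txn_code_on_intended_order": bank_accepts_transaction_code(signed, 1, *intended),
    }

if __name__ == "__main__":
    print(demo())
```

The binding only protects the customer if the payee and amount are confirmed on a display the infected PC cannot alter, such as the token's own screen.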

Bebloh is a banking Trojan that spreads through what we call drive-by-download techniques, in which websites, including legitimate ones, are infiltrated and booby-trapped.

Unwary visitors with unpatched web browsers or other software that hasn't been...

Topics: Security
