Crooks steal past multi-factor authentication

Summary: Online banking security needs tightening because malware can already breach existing measures, says Rik Ferguson

...kept up to date are then infected simply by visiting the sites.

To overcome multi-factor authentication, Bebloh operates inside the web browser, hijacking authenticated sessions even to the extent of faking the balance that is displayed to the user to hide all trace of malicious activity.

The Trojan is sophisticated enough to be able to work out exactly how much money it can siphon from an account without being refused and is able to hide evidence that these transfers have taken place.

The stolen funds are then transferred to money-mule accounts where volunteers have agreed to process payments in return for a small fee or percentage.

Theft of credentials
The sheer volume of stolen personal banking credentials and the ease with which they can be accessed is staggering. Don't think for a moment that cost or lack of skill is a barrier to entry into the shady world of 'carding' and online financial fraud.

Logon details for online banking are usually sold at a price that is a percentage of the available balance on the account. Today, bank accounts are available online for as little as 3 percent, including personal, business and offshore accounts.

For n00bs, or newbies, more experienced fraudsters post tutorials on underground forums where these details are bought and sold. One article explains the process, clarifies what extra information the fraudster needs and how to avoid triggering monitoring systems designed to flag fraudulent transactions.

With this in mind it is vital that any improvement in online banking security should verify individual transactions rather than simply authenticate the user.

The authentication token itself must be capable of accepting direct input relating to the content or the value of the transaction. This input can then be verified by both parties and cannot be modified by the malicious 'man in the browser'.
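Transaction verification as described above, as an added example that is not from the article: the token computes a short code over the payee and amount the user keys into it, and the bank recomputes that code over the transaction it actually received. The HMAC-SHA256 construction, the shared per-token key, the 8-digit code length, the function names and the account numbers are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; assumed to be a per-token secret provisioned by the bank.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"

def _canonical(payee_account: str, amount_cents: int, challenge: str) -> bytes:
    # Normalise the account and length-prefix every field so that two
    # different (payee, amount, challenge) triples never encode identically.
    fields = [payee_account.replace(" ", "").upper(), str(amount_cents), challenge]
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)

def token_sign(key: bytes, payee_account: str, amount_cents: int,
               challenge: str, digits: int = 8) -> str:
    """Runs on the token: the user types the payee and amount into the
    device itself, outside the reach of anything running in the browser."""
    mac = hmac.new(key, _canonical(payee_account, amount_cents, challenge),
                   hashlib.sha256).digest()
    code = int.from_bytes(mac[:8], "big") % 10 ** digits
    return f"{code:0{digits}d}"

def bank_verify(key: bytes, received_payee: str, received_amount_cents: int,
                challenge: str, code: str) -> bool:
    """Runs at the bank: recompute over the transaction as it arrived.
    If the browser altered any field, the codes no longer match."""
    expected = token_sign(key, received_payee, received_amount_cents, challenge)
    return hmac.compare_digest(expected, code)

def demo():
    challenge = "483920"              # constructed per-transaction nonce from the bank
    intended_payee = "BE00 0000 0000 0001"   # constructed placeholder account
    code = token_sign(TOKEN_KEY, intended_payee, 25000, challenge)

    # Transaction reaches the bank unchanged.
    honest = bank_verify(TOKEN_KEY, "BE00000000000001", 25000, challenge, code)
    # Payee rewritten in the browser before submission.
    bad_payee = bank_verify(TOKEN_KEY, "BE00000000000002", 25000, challenge, code)
    # Amount rewritten in the browser before submission.
    bad_amount = bank_verify(TOKEN_KEY, "BE00000000000001", 95000, challenge, code)
    # Old code replayed against a later transaction's challenge.
    replayed = bank_verify(TOKEN_KEY, "BE00000000000001", 25000, "771204", code)
    return honest, bad_payee, bad_amount, replayed

if __name__ == "__main__":
    print(demo())
```

A session-level one-time password would pass in all four cases, because it authenticates the user rather than the transfer; here only the unmodified transaction is accepted.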

Belgian law enforcement agents are now working with their international counterparts to pursue the offenders.

Rik Ferguson is senior security adviser for Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.

Topics: Security
