New social engineering attacks are threats to the two-factor authentication (2FA) system favored by banks, but industry insiders are optimistic that additional layers of security and being open to reassessing and introducing new security technology will help keep banks and customers safe from cybercriminals.
The BBC reported last week that criminal hackers have found a way around 2FA bank tokens by making use of social engineering. Account holders, after logging into the bank's site, will be tricked into accepting an offer for training in a new "upgraded security system" by a prompt that appears to have come from the bank. Money will then be moved out of their accounts without the users' knowledge, it stated.
Commenting on this development, Gerard Tan, partner of risk & control solutions at PwC Singapore, explained that the 2FA token will not work if malware sitting on the account holder's computer or on the bank's network is able to intercept or alter his transaction details.
The token will also not be effective should a hacker manage to obtain its underlying algorithm, together with the token's seed value and the account information required to generate the second random number, he added.
Should any of these scenarios happen, the compromised 2FA system will put consumers in danger, Tan said.
Adding to the defense
That said, while hackers are developing ways to compromise 2FA devices, the PwC executive noted that banks are aware of the situation and are now issuing new devices that add a third layer of security.
The third layer is added by getting the user to enter additional information, such as his account number, transaction amount or other information only the person would know, to generate a third random one-time PIN to authenticate the transaction, he elaborated. This, he added, meant that the hacker will not be able to predict the transaction in advance and users will not be affected even if the system used to generate the second PIN had been compromised.
"This makes it more difficult, at least for now, for the hackers to break the system, as not all the information required to generate the second and third random PINs is stored in the device or at the bank's backend servers," Tan said.
Asked if the social engineering threat described by the BBC is a pressing one, Singapore-based DBS Bank told ZDNet Asia that it had not experienced such an attack. However, the bank has been taking additional security precautions by issuing new transaction-signing tokens to its local customers since December last year, a company spokesperson noted. He said that with the transaction-signing capabilities, users are given instructions to generate a code unique to each specific transaction, which greatly reduces the chance of an account holder's one-time PIN being hijacked.
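The difference between a plain one-time PIN and a transaction-signing code can be shown in a few lines. The following is an added illustration, not any bank's or token vendor's actual scheme: it models a plain counter-based OTP (RFC 4226 HOTP) beside a hypothetical transaction-bound code whose MAC input also covers the beneficiary account and amount, and shows how the bank's check behaves when malware on the client rewrites the transfer details after the user has entered them. The seed, account numbers and amounts are constructed sample values.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: reduce a MAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def plain_otp(seed: bytes, counter: int) -> str:
    """Plain HOTP: bound only to the device seed and counter, not to any transaction."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(seed: bytes, counter: int, beneficiary: str, amount_cents: int) -> str:
    """Hypothetical transaction-signing code: the user keys the beneficiary and amount
    into the token, so the MAC input binds the code to those exact details."""
    msg = struct.pack(">Q", counter) + f"{beneficiary}|{amount_cents}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


def bank_accepts(seed: bytes, counter: int, beneficiary: str, amount_cents: int,
                 submitted: str, signed: bool) -> bool:
    """The bank recomputes the expected code over the transaction it actually received."""
    expected = (transaction_code(seed, counter, beneficiary, amount_cents) if signed
                else plain_otp(seed, counter))
    return hmac.compare_digest(expected, submitted)


def simulate(tamper: bool, signed: bool) -> bool:
    """User intends one transfer; optionally malware rewrites it in transit.
    Returns whether the bank accepts the transfer the user actually signed."""
    seed = b"constructed-sample-seed-0123456789"   # constructed, not a real token seed
    counter = 42
    intended = ("12-345-678", 50_000)              # user's intended beneficiary, S$500.00
    # The user computes the code from what they see and typed, never from the tampered values.
    code = (transaction_code(seed, counter, *intended) if signed
            else plain_otp(seed, counter))
    received = ("99-999-999", 950_000) if tamper else intended
    return bank_accepts(seed, counter, *received, submitted=code, signed=signed)
```

With a plain OTP the bank has no way to tell that the beneficiary it received is not the one the user approved; with the transaction-bound code, the altered details fail verification and the transfer is refused.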
User education is another key component in the fight against this aspect of cybercrime, noted Chai Chin Loon, COO of Assurity Trusted Solutions. The company is a subsidiary of the Infocomm Development Authority of Singapore (IDA), which was set up to oversee operations of the nationwide authentication framework.
"We will work with service providers to educate users so that they never sign anything they cannot identify, just like how users should not sign or endorse documents they do not understand," he said.
Beyond this third layer of security, Tan warned that hackers are able to stay ahead of the game and have broken into what appeared to be highly secure systems before. As such, banks should not rest on their laurels but continue to invest in devising and implementing new technologies that will improve security for both the organization and its customers, he urged.
According to him, new or updated security technologies need to be implemented every few years on the assumption that hackers will eventually find a way to break into whatever is currently used.
The PwC executive also warned that the shelf life of implemented security technology may be getting shorter and a refresh every year may be the only "sensible" way to reduce system vulnerabilities.
In addition, there should be countermeasures for malware infection and attacks, Tan asserted. These include having strong, up-to-date antivirus software as well as out-of-band authentication, which might entail verifying certain transactions using a channel independent of the bank's network or tokens, he stated.