Crooks steal past multi-factor authentication

Online banking security needs tightening because malware can already breach existing measures, says Rik Ferguson
Written by Rik Ferguson, Contributor

Criminals are outsmarting security measures designed to protect online accounts, so it's vital that security improvements do more than simply authenticate the user, says Rik Ferguson.

Never let it be said that criminals are not innovative. Malware has been used to compromise the online portfolios of Belgian investors, turning the PCs of those unlucky victims into bots. The botnet was then used to influence stock prices, making the criminals more than €100,000 (£82,000).

The Belgian federal prosecutor and the computer crimes unit of the country's national police have been looking into events that took place in 2007. The investigation remained secret until this month.

Between April and May 2007, criminals infected the PCs of customers of the banks Dexia, KBC and Argenta with a bot that stole the usernames and passwords for online share-trading platforms.

Highly targeted
The attack, which appears to have been highly targeted and customised, was able to automate stock trades across the botnet. With a push of a button the botmaster instructed all the computers to buy or sell the same shares at the same time.

Of course, the criminals behind the enterprise went on to profit from the sharp changes in stock price of the penny stocks that were being manipulated by buying and selling their own shares at exactly the right moments in classic pump-and-dump tactics.

Hein Lannoy from the Belgian Banking, Finance and Insurance Commission stated: "after the hack in July 2007, no further similar incidents occurred in the country".

"In April 2009, we sent a circular regarding an improvement in the security standards of our financial institutions. Belgian online banking services are now very heavily protected. We have no jurisdiction to impose our standards on foreign banks in our country," he said.

Classic authentication
Many banks are still only offering classic two-factor authentication using technology such as USB tokens that generate continually changing passcodes or scratch cards giving single-use codes. These techniques are aimed at authenticating the user rather than the transaction.

This kind of technology would certainly thwart this bot in its current form, but user authentication is not impossible to defeat. In fact, banking malware has already evolved to the stage where it can overcome multiple-factor user authentications.

Bebloh is a banking Trojan that spreads through what we call drive-by-download techniques, in which websites including legitimate ones are infiltrated and booby-trapped.

Unwary visitors with unpatched web browsers or other software that hasn't been...

...kept up to date are then infected simply by visiting the sites.

To overcome multi-factor authentication, Bebloh operates inside the web browser, hijacking authenticated sessions even to the extent of faking the balance that is displayed to the user to hide all trace of malicious activity.

The Trojan is sophisticated enough to be able to work out exactly how much money it can siphon from an account without being refused and is able to hide evidence that these transfers have taken place.

The stolen funds are then transferred to money-mule accounts where volunteers have agreed to process payments in return for a small fee or percentage.

Theft of credentials
The sheer volume of stolen personal banking credentials and the ease with which they can be accessed is staggering. Don't think for a moment that cost or lack of skill is a barrier to entry into the shady world of 'carding' and online financial fraud.

Logon details for online banking are usually sold at a price that is a percentage of the available balance on the account. Today, bank accounts are available online for as little as 3 percent, including personal, business and offshore accounts.

For n00bs, or newbies, more experienced fraudsters post tutorials on underground forums where these details are bought and sold. One article explains the process, clarifies what extra information the fraudster needs and how to avoid triggering monitoring systems designed to flag fraudulent transactions.

With this in mind it is vital that any improvement in online banking security should verify individual transactions rather than simply authenticate the user.

The authentication token itself must be capable of accepting direct input relating to the content or the value of the transaction. This input can then be verified by both parties and cannot be modified by the malicious 'man in the browser'.

Belgian law enforcement agents are now working with their international counterparts to pursue the offenders.

Rik Ferguson is senior security adviser for Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.

Editorial standards