
Scams Target Latest Upgrades in E-Banking Security

Financial institutions across the country are scrambling to meet a Dec. 31 deadline set by banking industry regulators to have security processes in place for online banking that go beyond simply requiring customers to enter a user name and password. While some of the protections being adopted should help people feel more confident about online banking, there are signs that criminals already are adapting their techniques to defeat those measures.

Some institutions, such as Citibank, have chosen to require certain online customers to use a supplied token in addition to their user name and password. This approach generally relies on a small device that generates an additional one-time password that changes every minute or so. Yet, as a high-profile attack Security Fix detailed in July showed, this method holds up only so long as phishers don't also ask the user to enter the token-generated password. Because each code is valid only briefly, the attackers in that case did not hoard it: they relayed the victim's entries to the bank's site in real time and rode the resulting session.
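To make that failure mode concrete, here is an added example (it is not code from this post or from any bank) that models a minute-stepped one-time-password token on the server side and a phishing page that relays the victim's fields to the real bank immediately. The token algorithm is RFC 4226 HOTP driven by a time counter (the TOTP construction); the user name, password, shared secret and timestamps are constructed for the demo, and the bank marks each (user, time step) pair as consumed so a code works once.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code; the article says the device's password changes "every minute or so"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """What the customer's token displays at wall-clock time `now`."""
    return hotp(secret, int(now // step))


class Bank:
    """Toy server side: password plus time-based token, each code usable once."""

    def __init__(self, users: dict):
        self.users = users  # name -> (password, token secret); constructed demo data
        self.used = set()   # (name, counter) pairs already redeemed

    def login(self, name: str, password: str, code: str, now: float) -> bool:
        pw, secret = self.users.get(name, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return False
        # Accept the current step and the previous one to absorb clock skew;
        # anything older is expired regardless of whether it was ever used.
        for counter in (int(now // STEP), int(now // STEP) - 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                if (name, counter) in self.used:
                    return False  # replay of a consumed code
                self.used.add((name, counter))
                return True
        return False


def mitm_phish(bank: Bank, victim: str, password: str, code: str,
               seen_at: float, relay_delay: float = 5.0) -> bool:
    """Phishing page that forwards the captured fields to the bank a few
    seconds after the victim typed them, i.e. inside the code's window."""
    return bank.login(victim, password, code, seen_at + relay_delay)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    bank = Bank({"alice": ("hunter2", secret)})
    t0 = 1_161_950_400  # constructed timestamp at the start of a 60-second step
    code = totp(secret, t0)
    print("relay within the window :", mitm_phish(bank, "alice", "hunter2", code, t0))
    print("same code 10 s later    :", bank.login("alice", "hunter2", code, t0 + 10))
    print("code hoarded 3 minutes  :", bank.login("alice", "hunter2", code, t0 + 3 * STEP))
```

The relay succeeds because the code is still inside its validity window; the same code replayed ten seconds later fails because the bank has consumed that step, and a code hoarded for a few minutes fails because the window has moved on. The second and third results are exactly the guarantees the token is sold on, and the first shows why they do not help against a real-time relay: the defence has to break the relay itself (for example by binding the code to the transaction or to the destination), not just shorten the code's life.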

Other financial institutions are adopting variations on "challenge/response" technology, an approach that relies in part on requiring the user to supply the answer to a prearranged secret question when the customer is logging in from a computer or Internet address that the bank doesn't recognize.

Bank of America was one of the first major institutions to adopt such technology, with PassMark Security's "SiteKey," which displays a picture of the customer's choosing when he or she goes to log in to the account. If the system detects that the user is not logging in from the usual PC, the image is not displayed and the customer is asked to provide the answer to one of the pre-selected questions, such as "What is your mother's maiden name?" or "What was your first pet's name?" The idea is that even if the bad guys manage to swipe the victim's login credentials, they will be unable to log in to the bank account without the answer to the victim's secret question.
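An added example, again not the page's or any bank's code, showing how the device-recognition plus secret-question step described above fits together on the server: the question is asked only when the request carries no cookie the bank previously issued, answers are normalized before hashing so a stray capital or trailing space does not lock the customer out, only a salted PBKDF2 digest is stored, and repeated wrong answers lock the account. Question text, cookie values and answers are constructed for the demo. The last check in the usage below is the article's point in code: a phisher who has captured the answer passes this gate from a new device exactly as the customer would, however carefully the gate is built.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize_answer(answer: str) -> str:
    """Casefold, strip accents, keep only letters and digits, so that
    '  Fluffy! ' and 'fluffy' compare equal."""
    text = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def enroll_answer(answer: str, iterations: int = 100_000) -> dict:
    """Store a salted PBKDF2 digest of the normalized answer, never the answer
    itself, so a leaked table does not hand out maiden names and pet names."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode("utf-8"),
        record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class ChallengeGate:
    """Post-password step: recognized device -> no question; otherwise one of
    the enrolled questions must be answered, with a lockout after failures."""

    MAX_FAILURES = 3

    def __init__(self):
        self.answers = {}   # user -> {question: enrolled record}
        self.devices = {}   # user -> set of device cookies the bank issued
        self.failures = {}  # user -> consecutive wrong answers

    def enroll(self, user: str, qa: dict, device_cookie: str) -> None:
        self.answers[user] = {q: enroll_answer(a) for q, a in qa.items()}
        self.devices[user] = {device_cookie}
        self.failures[user] = 0

    def needs_challenge(self, user: str, device_cookie: str) -> bool:
        """True when the login comes from a device the bank has not seen."""
        return device_cookie not in self.devices.get(user, set())

    def answer_challenge(self, user: str, question: str, attempt: str,
                         device_cookie: str) -> bool:
        if self.failures.get(user, 0) >= self.MAX_FAILURES:
            return False  # locked; requires an out-of-band reset
        record = self.answers.get(user, {}).get(question)
        if record is not None and verify_answer(record, attempt):
            self.failures[user] = 0
            self.devices[user].add(device_cookie)  # remember this device
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


if __name__ == "__main__":
    gate = ChallengeGate()
    gate.enroll("alice", {"first pet": "Fluffy"}, "cookie-home-pc")
    print("home PC challenged?   ", gate.needs_challenge("alice", "cookie-home-pc"))
    print("library PC challenged?", gate.needs_challenge("alice", "cookie-library-pc"))
    print("customer, sloppy case ", gate.answer_challenge("alice", "first pet", "  fluffy! ", "cookie-library-pc"))
    # A phisher holding the captured answer is indistinguishable from the customer.
    print("phisher, new device   ", gate.answer_challenge("alice", "first pet", "Fluffy", "cookie-attacker"))
```

The hashing and lockout are the parts a practitioner can control; the normalization addresses the lockouts over case that customers complain about. What nothing in this gate can control is the customer typing the answer into a counterfeit page, and the scam described in the following paragraphs asks for precisely that.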

But challenge/response measures suffer from the same flaw as physical tokens: They work only if the bad guys don't somehow trick the user into entering that information at counterfeit scam sites. Take, for example, a phishing e-mail from earlier this week targeting Bank of America customers with the usual message urging the recipient to "update their account information," in this case due to a supposed "server update" by the bank.

Users who click on the included link are brought to a page that prompts the visitor to reset their account data by supplying their "old" password and user name, as well as their "previous" two SiteKey questions and answers.

This phishing scam highlights an inherent weakness in the challenge/response approach; namely, that in the name of security customers are being asked to provide even more personal information about themselves in order to bank online.

This particular attack isn't new. According to Rich Miller, an analyst with Web site monitoring firm Netcraft.com, this exact scam has been spotted no fewer than 53 times since July on Web servers based in China, so there is little doubt that phishers are having some success with it.

Finally, I remarked a couple of days ago that it would be interesting to compare the results of the anti-phishing technology built into the latest releases of both Microsoft's Internet Explorer 7 and Mozilla's Firefox 2.0 browsers. When I visited this particular site in Firefox, I received a pop-up alert from Netcraft's anti-phishing toolbar, but also from Firefox, which flagged the scam site as a "suspected web forgery" and included links I could click on to learn more about phishing scams. When I visited the Bank of America scam site in IE7, I received no such alert.

By Brian Krebs  |  October 27, 2006; 9:00 AM ET
Categories:  Latest Warnings  

Comments

I'm sure you've seen it already because it's a couple weeks old, but another E-banking security risk I've seen lately is the virtual keyboard trojan. Here's a link to the blog, video, and report:

http://blog.hispasec.com/virustotal/9

Posted by: James B. | October 27, 2006 8:40 AM | Report abuse

Worse, a user's SiteKey image can actually be placed by a scammer, on a fake site.

There are two papers at this site that discuss this risk and explain how it can be done:

http://cr-labs.com/publications/

Posted by: James | October 27, 2006 8:45 AM | Report abuse

"This approach generally relies on a small device that generates an additional password that changes every minute or so. Yet, a high-profile attack Security Fix detailed in July shows that this method is reliable only so long as phishers don't also ask the user to enter the token-generated password."

Correct me if I'm wrong but I thought that once you log in with the token-generated password, that password is no longer valid. You must get a new token-generated password.

Since phishers don't (normally) access the account once you "submit" the info, you would negate the token-generated password just by logging in yourself, right?

Posted by: Anonymous | October 27, 2006 9:01 AM | Report abuse

To whoever posted the last question, in the Citibank case the phishers were relaying the information supplied by the user to the bank's site (acting as a man-in-the-middle). In such a case, the crooks could indeed ride that session.

Posted by: Bk | October 27, 2006 9:18 AM | Report abuse

Yahoo! is doing something similar to the SiteKey image. With Yahoo!, you create a Sign-In Seal on each computer you use to access their services and it displays the image or text when you go to log in. The seal is tied to a cookie so it can be deleted. Also, I worry that the cookie can be retrieved by a virus or trojan.

Posted by: Troy | October 27, 2006 9:48 AM | Report abuse

One of the problems I see with using 2 levels of questioning is remembering my answers.

One place has their 4-5 questions and another has 4-5 different questions. Ok, now I have to think of 8-10 things.

Sure, most things like "mother's maiden name" and "street I grew up on" are easy to remember (for now) but they are also easy for somebody else to know. My credit report has my old addresses.

Some questions are "what is your favorite food" or "who is your favorite author". Those change and depending on how I feel, my favorite food might change weekly. Remembering what I used 2 months ago (i.e. when I use a new computer) is hard.

People are either going to write them down (risk) or make up a common answer to all the questions (i.e. "george" is my favorite author, food, animal, vacation place).

Posted by: Anonymous | October 27, 2006 10:23 AM | Report abuse

The bad guys are always going to be trying to figure out ways around security systems. Nothing is 100% safe. However, the SiteKey system adds a layer of protection to help protect users online. It's not foolproof, but does make a significant difference. Rather than try and poke holes with institutions like Citi and BofA who are proactively trying to protect their customers, you should spend your time calling out those that aren't doing enough.

Posted by: Anonymous | October 27, 2006 12:39 PM | Report abuse

Using information like mother's maiden name as an additional authenticator is just plain stupid for a couple of reasons. The biggest reason is that in a phishing attack, it just reveals your mother's maiden name to the attacker.

Generally, personal information should never be used as an authenticator because it is difficult or impossible to change. The fundamental requirement of a password is that it be easy to change when it's compromised. Things like mother's maiden name and SSN are immutable, so once they're compromised you're permanently screwed.

Posted by: antibozo | October 27, 2006 1:44 PM | Report abuse

Brian, how about asking the FDIC about this issue? They are the ones requiring banks to implement two-factor authentication. What is their response to the fact that it can be fairly easily broken _before_ it's even completely rolled out to the entire banking community and customer population?

What will their response to this problem be?

Thanks!

Posted by: David | October 27, 2006 2:17 PM | Report abuse

What is so difficult about "never click on links in email messages??" If everyone would remember that this industry would vanish.

Posted by: King | October 27, 2006 2:33 PM | Report abuse

"What is so difficult about "never click on links in email messages??" If everyone would remember that this industry would vanish."

Because we need to protect the stupid people. And because of the stupid people, it's harder for us to do our business (i.e. log on and get my information).

Posted by: To King | October 27, 2006 2:55 PM | Report abuse

If I have an account in a bank whose name is in the subject or sender of the email, I forward it, unread, to the bank's fraud email address.

Posted by: NoVA | October 27, 2006 3:29 PM | Report abuse

"The sooner you sign in to Online Banking, the simpler your life will get."

Did BoA seriously put that on their site, or is that the phishing site? (See Brian's linked image.) Because as soon as you sign up, you just have to remember your 4 or 5 challenge questions, plus an image that you pick, plus some random text that you think of when they first present the image.

I agree that it's better than before, but it's not "making my life simpler." Please. I had a problem before when the challenge question answer was case sensitive, but I couldn't remember if I entered in all lowercase or what, so they froze my online account. Gimme a break! Challenge questions should not be case-sensitive.

Posted by: BoA ha! | October 27, 2006 7:14 PM | Report abuse

Why not require all banking sessions that result in transfers of funds to have to be authorized by an automated phone call from the bank to an approved phone number?

Posted by: Anonymous | October 28, 2006 2:43 AM | Report abuse

Most of the "phishing" and spam sites are located in China and Korea. I wonder why Sprint does not knock them off of the backbone. Sprint is the backbone provider for most of the ISPs involved in "phishing" and "spamming".

Posted by: Anonymous | October 29, 2006 10:54 AM | Report abuse

The security situation is in too much flux to trust an online banking site!

Posted by: david a galler | October 29, 2006 2:26 PM | Report abuse

Check out ING Direct's login procedure (at INGDirect.com). After you enter your customer number, it displays a user-selected image and phrase each time you are about to log in. If it's not your phrase and picture being displayed, it's a phish site. If it is, you can proceed to log in.

Posted by: DaveWest | October 29, 2006 5:28 PM | Report abuse

"...When I visited this particular site in Firefox, I received a pop-up alert from Netcraft's anti-phishing toolbar, but also from Firefox, which flagged the scam site as a "suspected web forgery" and included links I could click on to earn more about phishing scams. When I visited the Bank of America scam site in IE7, I received no such alert."

Thanks for including that observation. Additionally, Secunia's unpatched IEv7 vuln list is now up to 3:
- http://secunia.com/product/12366/?task=advisories


Posted by: J. Warren | October 30, 2006 9:13 AM | Report abuse

It seems to me that all the so-called solutions being put into place by the banking industry are new versions of the old password strategies that are proving to be equally as vulnerable. These solutions are at best an estimate of who is at the other end of the internet, not who is actually there. Is this not the time for some new thinking, a more proactive approach to online security? Is this the best the banks can come up with? I would think the bank that steps out front in this area would really differentiate itself from its competitors in a way that would be hard to match.

Posted by: Harry Hudson | October 30, 2006 12:16 PM | Report abuse

David posted: "Brian, how about asking the FDIC about this issue? They are the ones requiring banks to implement two-factor authentication. What is there response to the fact that it can be fairly easily broken _before_ its even completely rolled out to the entire banking community and customer population.

What will there response to this problem be?"

The problem is that nearly all approaches rely on "old" technology. The only radically new approach out there, which BTW guarantees security of on-line transactions, is the one using National Institute of Standards and Testing HASH algorithms. It reports a process that not only is 100% effective against phishing, but also against pharming, vishing, key logging, and malware. Someone ought to do an article on it.

Posted by: Gary Beal | October 31, 2006 12:46 AM | Report abuse

All of the aforementioned vulnerabilities stem from a lack of incorporation of human-factors considerations in the design of authentication systems intended to address a human vulnerability. Phishing exploits a human vulnerability, not a technology weakness, and leveraging human psychology within the authentication system is critical if you don't want the system to be vulnerable to next-generation phishing attacks.

I co-authored a white paper on the subject of human factors impacting the effectiveness of online authentication - you can download a copy at:

http://www.greenarmor.com/a-pwp.shtml

Posted by: Shira Rubinoff | October 31, 2006 1:20 PM | Report abuse

Most solutions proposed above while sounding great on their face, unfortunately are as completely vulnerable as plain old passwords and even one-time passwords (OTP) are now shown to be. Man-in-the-middle attacks capture ALL input in the session between the victim and their intended, but intercepted target. Doesn't matter if the "extra" bits are OTP digits from an electronic gadget or from a bingo card or from a code sent to your phone or e-mail. The data all ends up back at the attacker that relays it to the intended destination and the victim is had.

Showing users a picture is a user-training solution and as several above have commented, a large number of people either by inattention, inexperience or stupidity will get burned regardless. Indeed, recent studies (http://cr-labs.com/publications/SiteKey-20060718.pdf) show that "the picture thing" is effectively useless in reducing phishing because a majority of people end up ignoring the picture for a wide variety of reasons.

I can tell you as a vendor selling to financial institutions in this space that the number 1 reason you aren't getting truly secure solutions is because the solution requires a client installation on users' PCs. Sure, you're downloading and installing anti-virus, firewall, anti-spam, anti-spyware, etc. applications by the million every week, but banks believe that such a download will have several terrible impacts: 1) you'll bury their help desk with calls at the next glitch of any kind to your computer since you'll blame the authentication tool for breaking your printer or some such thing, 2) you won't actually see the feature as a benefit, but an impediment, and go to another financial institution. Bummer of it is that there is some truth to what they say. I believe they are exaggerating the situation given that something as simple as "the picture thing" buried their helpdesks anyway.

Also, at the end of the day the financial institution is interested in protecting your transactions, but not actually you. They manage for fraud and if a bad transaction happens, they make you whole. However, what worries you more:
a) Someone stealing $1,000 from you, even if the bank doesn't make you whole?;
b) someone stealing all your personal information data from your financial institution web pages and stealing your identity to set up all kinds of credit ruining accounts? Note that the bank manages risk at the transaction level and if you get your identity stolen, they have no liability, so what do they really care? You'll lose sleep, spend money trying to clear your name, fight for your next loans, etc. potentially for years.

Want better security? Demand it.

Posted by: Who is Hahleq | November 2, 2006 11:21 PM | Report abuse

Actually, x509 client certificates would be a pretty effective solution that is platform-independent and doesn't require installing or supporting any custom software.

Posted by: antibozo | November 3, 2006 8:09 AM | Report abuse

Banks that follow the new security standards early on will create an opportunity to gain a competitive advantage by offering a higher level of security and convenience to the customer. Yet, regulations alone can not effectively protect consumers against identity theft.

To truly secure consumer data, the financial services industry must take a holistic approach to solving this issue. The industry needs to look beyond technology solutions, like tokens and SiteKey, and hold financial institution chief executive officers and Boards of Directors accountable for safeguarding sensitive information. Unless these executives are held personally liable, the financial and reputation risks are not enough to motivate top executives to develop, implement and monitor a holistic, preventative security process. Although government is taking a step in the right direction with security regulations, the CEOs and board members still need to be committed to conforming and financial institutions must recognize the benefits of becoming compliant with the regulations in order for these mandates to be effective.
Frank Liddy, Unisys, Global Financial Services

Posted by: Frank Liddy | November 20, 2006 1:14 PM | Report abuse

My credit union, TCU in South Bend, IN, is requiring that all customers fill in challenge questions by an undisclosed date. I didn't realize this was something the government was requiring them to do. Do they have to implement these measures, or just offer them? I wrote TCU and informed them that I believe their challenge questions are not of a secure nature. As stated above, they ask for things like maiden names, birthdays, old addresses and pet names. This is information that doesn't change and is often accessible to dumpster divers or people who just know you well enough. I take security very seriously on my home computer. I believe that it's the banking industry's duty to make things as secure as possible on their end, but it is my responsibility to keep my passwords strong and safe. As far as phishing scams and such go, it's out of their hands, and if someone can't keep their passwords safe from others, then they shouldn't be banking online. On other websites that have required such challenge questions, I put in long lines of junk that even I couldn't reproduce. If I lose my password, I'm out of luck, but I rest secure no one is going to access my accounts through those methods. Why not require in-person verification with photo ID? I understand this may cost money for the banks, but they could charge 5 or 10 dollars for password resets. This would put the responsibility on the user where it belongs and allow a much more secure internet banking environment. As it is now, I won't be able to bank online as I travel because even though it recognizes my home computer and doesn't challenge me, it will challenge me on any other computer I use. This isn't just about security, it's about responsibility, and where that responsibility should lie.

Posted by: Jason | December 8, 2006 8:45 PM | Report abuse
