Clever attacks changing the game of online banking
31 October 2009, 14:00
Here’s a little reaction to MIT’s Technology Review article: Real-Time Hackers Foil Two-Factor Security
What is interesting to notice here is that, for attackers, it is probably easier to get a system compromised (through web browser vulnerabilities) than to steal bank account credentials.
Think about it for a second: let’s assume the user isn’t fooled into using his bank’s website without the padlock (HTTPS). Then stealing credentials without compromising the system means mounting a TLS man-in-the-middle attack (exploiting other vulnerabilities, such as ASN.1 parsing flaws), and then immediately feeding the received credentials to the bank’s website if the dongle is a timer-based one. That is a much more complicated scenario than serving malware from a website and waiting for infected PCs to phone home.
So, since compromising the system is easier, why focus on stealing credentials and be left with a small window of opportunity (the dongle timer)? Why not just piggyback on the session once the user authenticates and push POST requests in the background while the user goes about his business? Well, that’s just what happened.
Now, what is the security industry going to do next?
Banks could send hardened computers to their customers and ask them to perform banking transactions only on those PCs. Haha, like that’s going to happen.
Of course, the ideal solution would be to establish that the system hasn’t been compromised by malware, or to establish trust in the system, so to speak. There is work being done in that field as part of the bigger Trusted Computing push. But we are far from being able to remotely attest to the trustworthiness of a piece of software as complex as an OS. And then you would have to do the same for the browser (another complex piece of software). Moreover, every patch would change the hashes, so whoever is attesting would need to track them. We are really not there yet.
Being realistic, more granular authentication is what is going to happen. If a transaction stands out in some parameters (target account, amount, etc.), you would be prompted for another 6 digits from your dongle. More security would be achieved at the expense of user experience. The question is: how long before attackers figure out the weakest link in this new chain?
— Olivier Bilodeau