Real-Time Hackers Foil Two-Factor Security

One-time passwords are vulnerable to new hacking techniques.
September 18, 2009

In mid-July, an account manager at Ferma, a construction firm in Mountain View, CA, logged in to the company’s bank account to pay bills, using a one-time password to make the transactions more secure.

Yet the manager’s computer had a hitchhiker. A forensic analysis performed later would reveal that an earlier visit to another website had allowed a malicious program to invade his computer. While the manager issued legitimate payments, the program initiated 27 transactions to various bank accounts, siphoning off $447,000 in a matter of minutes. “They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,” says Roy Ferrari, Ferma’s president.

The theft happened despite Ferma’s use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs–real-time Trojan horses–that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. “I think it’s a broken model,” Ferrari says.

Security experts say that banks and consumers alike need to adapt–that banks should offer their account holders more security and consumers should take more steps to stay secure, especially protecting the computers they use for financial transactions.

“We have to fundamentally rethink how customers interact with their banks online,” says Joe Stewart, director of malware research for security firm SecureWorks, in Atlanta, GA. “Putting all the issues with the technology aside, if [attackers] can run their code on your system, they can do anything you can do on your computer. They can become you.”

Bedford, MA-based security company RSA, which manufactures a one-time password device known as SecurID, argues that neither companies nor consumers should rely on any single factor to secure their transactions. Sam Curry, vice president of product marketing for the firm, which is now a division of EMC, says that one-time password technology and other additional security measures can raise the bar against attackers but will not keep them out forever. “Companies should be very leery of both prophecies of doom, like the death of a technology, [and] rosy visions of security,” Curry says. “Everything is breakable.”

Security measures may not eliminate a threat, but they can make it more costly for criminals to use a particular type of attack, Curry adds. The issue is to find the best combination of cost, usability, and security for the consumer.

One solution is to use software or a dedicated terminal to ensure that no malicious program can intercept a consumer’s communications with a bank. Consumers who have an old PC or laptop lying around could install the free Linux operating system on the machine and use the machine exclusively for financial transactions, suggests SecureWorks’s Stewart. Some security firms are also developing software to allow people to run a secure zone on their computer that eliminates the threat of communications being intercepted.

“It goes back to the question, ‘Can you trust the computer that you are using? Has it been infected by something that can impact you when you log on to your bank?’” Stewart says.

Another solution is to use a second means of communication, such as calling from a phone or sending an SMS message, to confirm that a transaction is valid, says Ariel Avitan, manager of information security for the Europe, Middle East, and Africa region of Frost & Sullivan, a global business consultancy based in San Antonio, Texas. “It’s a cat-and-mouse game,” Avitan says. “The [criminals] open a new door, and we shut it. Then they find another one.”
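The two mechanisms the article contrasts, a time-based one-time password checked once at login and a per-transaction confirmation sent over a second channel, can be modelled in a few dozen lines. The following is an added example written for this page, not code from any bank, RSA or SecureWorks: it simulates a 30-second token code, then plays the same scenario against two constructed bank back-ends. In the first, anything submitted from the authenticated session is honoured, so a transfer injected by a Trojan while the account holder is logged in goes through. In the second, each transfer is parked until the holder types back a code from an SMS that names the payee and amount; the code is an HMAC bound to those details, so the holder never sees a code for a transfer they did not request, and the code for the legitimate transfer cannot be replayed against the injected one. The seed, key, account names and amounts are all constructed placeholders.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple

# Constructed demo values; nothing here is a real token seed or account.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-token"
CONFIRM_KEY = b"constructed-server-side-confirmation-key"


def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code in the style of RFC 6238 (what a 30-second
    hardware token displays). Its validity depends only on the clock, not on
    what the holder is about to do with the session."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** digits:0{digits}d}"


class SessionOnlyBank:
    """Model A: the OTP is checked once at login. Every transfer submitted from
    the authenticated session afterwards is honoured, whoever submitted it."""

    def __init__(self, seed: bytes, balance: int) -> None:
        self.seed, self.balance, self.logged_in = seed, balance, False

    def login(self, code: str, now: float) -> bool:
        self.logged_in = hmac.compare_digest(code, totp(self.seed, now))
        return self.logged_in

    def transfer(self, payee: str, amount: int) -> bool:
        if not self.logged_in or amount > self.balance:
            return False
        self.balance -= amount
        return True


class ConfirmEachTransferBank:
    """Model B: a transfer stays pending until it is confirmed with a code sent
    over a second channel. The SMS text names payee and amount, and the code is
    an HMAC over exactly those details plus a fresh nonce, so a code issued for
    one transfer cannot approve another."""

    def __init__(self, key: bytes, balance: int) -> None:
        self.key, self.balance = key, balance
        self.pending: Dict[str, Tuple[str, int, str]] = {}
        self.outbox: List[Tuple[str, str]] = []   # (txid, SMS text) the phone receives

    def _code(self, txid: str, payee: str, amount: int, nonce: str) -> str:
        msg = f"{txid}|{payee}|{amount}|{nonce}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return f"{int(mac[:8], 16) % 10 ** 6:06d}"

    def request_transfer(self, payee: str, amount: int) -> str:
        txid, nonce = secrets.token_hex(4), secrets.token_hex(8)
        self.pending[txid] = (payee, amount, nonce)
        code = self._code(txid, payee, amount, nonce)
        self.outbox.append((txid, f"Confirm ${amount:,} to {payee} with code {code}"))
        return txid

    def confirm(self, txid: str, code: Optional[str]) -> bool:
        if txid not in self.pending or code is None:
            return False
        payee, amount, nonce = self.pending[txid]
        if not hmac.compare_digest(code, self._code(txid, payee, amount, nonce)):
            return False          # wrong or replayed code; transfer stays unapproved
        del self.pending[txid]
        if amount > self.balance:
            return False
        self.balance -= amount
        return True


def user_reads_sms(sms: str, intended: Tuple[str, int]) -> Optional[str]:
    """The account holder types a code back only when the message describes the
    payment they actually meant to make."""
    payee, amount = intended
    return sms.rsplit(" ", 1)[-1] if f"${amount:,} to {payee}" in sms else None


def run_scenario(now: float = 1_000_000.0) -> dict:
    legit = ("Vendor Co", 12_000)          # what the account holder wants to pay
    injected = ("Mule Acct", 447_000)      # what the Trojan submits from the same session

    bank_a = SessionOnlyBank(TOKEN_SEED, 500_000)
    bank_a.login(totp(TOKEN_SEED, now), now)
    a_legit = bank_a.transfer(*legit)
    a_injected = bank_a.transfer(*injected)

    bank_b = ConfirmEachTransferBank(CONFIRM_KEY, 500_000)
    tx_legit = bank_b.request_transfer(*legit)
    tx_injected = bank_b.request_transfer(*injected)
    typed = {txid: user_reads_sms(sms, legit) for txid, sms in bank_b.outbox}
    b_legit = bank_b.confirm(tx_legit, typed[tx_legit])
    b_injected = bank_b.confirm(tx_injected, typed[tx_injected])   # holder typed nothing
    b_replay = bank_b.confirm(tx_injected, typed[tx_legit])        # legit code reused

    return {
        "session_only": {"legit": a_legit, "injected": a_injected, "balance": bank_a.balance},
        "confirm_each": {"legit": b_legit, "injected_unconfirmed": b_injected,
                         "injected_replay": b_replay, "balance": bank_b.balance},
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the confirmation is bound to the transaction, not to the session: a time-based code proves the holder had the token at login, which a Trojan on the same machine inherits for free, whereas a code that only exists inside a message describing the payee and amount gives the holder something to refuse. The second channel helps only if the phone is not the same compromised device and the message actually shows the details being approved.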

Finding solutions and pushing financial firms to adopt them are two separate challenges. Banks only implemented two-factor authentication in October 2005, after the Federal Financial Institutions Examination Council (FFIEC) mandated additional security for online bank accounts.

Ferma’s Ferrari has already decided to fall back on a low-tech solution. “We have gone back to issuing manual checks,” he says.
