Real-Time Hackers Foil Two-Factor Security
One-time passwords are vulnerable to new hacking techniques.
In mid-July, an account manager at Ferma, a construction firm in Mountain View, CA, logged in to the company’s bank account to pay bills, using a one-time password to make the transactions more secure.
Yet the manager’s computer had a hitchhiker. A forensic analysis performed later would reveal that an earlier visit to another website had allowed a malicious program to invade his computer. While the manager issued legitimate payments, the program initiated 27 transactions to various bank accounts, siphoning off $447,000 in a matter of minutes. “They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,” says Roy Ferrari, Ferma’s president.
The theft happened despite Ferma’s use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs–real-time Trojan horses–that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. “I think it’s a broken model,” Ferrari says.
Security experts say that banks and consumers alike need to adapt–that banks should offer their account holders more security and consumers should take more steps to stay secure, especially protecting the computers they use for financial transactions.
“We have to fundamentally rethink how customers interact with their banks online,” says Joe Stewart, director of malware research for security firm SecureWorks, in Atlanta, GA. “Putting all the issues with the technology aside, if [attackers] can run their code on your system, they can do anything you can do on your computer. They can become you.”
Bedford, MA-based security company RSA, which manufactures a one-time password device known as SecurID, argues that neither companies nor consumers should rely on any single factor to secure their transactions. Sam Curry, vice president of product marketing for the firm, which is now a division of EMC, says that one-time password technology and other additional security measures can raise the bar against attackers but will not keep them out forever. “Companies should be very leery of both prophecies of doom, like the death of a technology, [and] rosy visions of security,” Curry says. “Everything is breakable.”
Security measures may not eliminate a threat, but they can make it more costly for criminals to use a particular type of attack, Curry adds. The issue is to find the best combination of cost, usability, and security for the consumer.
One solution is to use software or a dedicated terminal to ensure that no malicious program can intercept a consumer’s communications with a bank. Consumers who have an old PC or laptop lying around could install the free Linux operating system on the machine and use the machine exclusively for financial transactions, suggests SecureWorks’s Stewart. Some security firms are also developing software to allow people to run a secure zone on their computer that eliminates the threat of communications being intercepted.
“It goes back to the question, ‘Can you trust the computer that you are using? Has it been infected by something that can impact you when you log on to your bank?’” Stewart says.
Another solution is to use a second means of communication, such as calling from a phone or sending an SMS message, to confirm that a transaction is valid, says Ariel Avitan, manager of information security for the Europe, Middle East, and Africa region of Frost & Sullivan, a global business consultancy based in San Antonio, Texas. “It’s a cat-and-mouse game,” Avitan says. “The [criminals] open a new door, and we shut it. Then they find another one.”
Finding solutions and pushing financial firms to adopt them are two separate challenges. Banks only implemented two-factor authentication in October 2005, after the Federal Financial Institutions Examination Council (FFIEC) mandated additional security for online bank accounts.
Ferma’s Ferrari has already arrived decided to fall back on a low-tech solution. “We have gone back to issuing manual checks,” he says.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today