Real-Time Hackers Foil Two-Factor Security

One-time passwords are vulnerable to new hacking techniques.

In mid-July, an account manager at Ferma, a construction firm in Mountain View, CA, logged in to the company’s bank account to pay bills, using a one-time password to make the transactions more secure.

Yet the manager’s computer had a hitchhiker. A forensic analysis performed later would reveal that an earlier visit to another website had allowed a malicious program to invade his computer. While the manager issued legitimate payments, the program initiated 27 transactions to various bank accounts, siphoning off $447,000 in a matter of minutes. “They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,” says Roy Ferrari, Ferma’s president.

The theft happened despite Ferma’s use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs, real-time Trojan horses, that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. “I think it’s a broken model,” Ferrari says.

Security experts say that banks and consumers alike need to adapt: banks should offer their account holders more security, and consumers should take more steps to stay secure, especially protecting the computers they use for financial transactions.

“We have to fundamentally rethink how customers interact with their banks online,” says Joe Stewart, director of malware research for security firm SecureWorks, in Atlanta, GA. “Putting all the issues with the technology aside, if [attackers] can run their code on your system, they can do anything you can do on your computer. They can become you.”

Bedford, MA-based security company RSA, which manufactures a one-time password device known as SecurID, argues that neither companies nor consumers should rely on any single factor to secure their transactions. Sam Curry, vice president of product marketing for the firm, which is now a division of EMC, says that one-time password technology and other additional security measures can raise the bar against attackers but will not keep them out forever. “Companies should be very leery of both prophecies of doom, like the death of a technology, [and] rosy visions of security,” Curry says. “Everything is breakable.”

Security measures may not eliminate a threat, but they can make it more costly for criminals to use a particular type of attack, Curry adds. The issue is to find the best combination of cost, usability, and security for the consumer.

One solution is to use software or a dedicated terminal to ensure that no malicious program can intercept a consumer’s communications with a bank. Consumers who have an old PC or laptop lying around could install the free Linux operating system on the machine and use the machine exclusively for financial transactions, suggests SecureWorks’s Stewart. Some security firms are also developing software to allow people to run a secure zone on their computer that eliminates the threat of communications being intercepted.

“It goes back to the question, ‘Can you trust the computer that you are using? Has it been infected by something that can impact you when you log on to your bank?’” Stewart says.

Another solution is to use a second means of communication, such as calling from a phone or sending an SMS message, to confirm that a transaction is valid, says Ariel Avitan, manager of information security for the Europe, Middle East, and Africa region of Frost & Sullivan, a global business consultancy based in San Antonio, Texas. “It’s a cat-and-mouse game,” Avitan says. “The [criminals] open a new door, and we shut it. Then they find another one.”
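An added example, not from the article or from any bank or firm named in it, contrasting the two models in Python: a login-time OTP authorizes whatever is sent during the session, whoever issued it, while a confirmation code derived from the transaction's own fields and delivered over a second channel (the approach Avitan describes) cannot be reused for a substituted payment. The key, account numbers and amounts are constructed for illustration and the functions are hypothetical.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed server-side key for deriving confirmation codes (illustration only).
SERVER_KEY = b"demo-server-key-for-illustration"


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount_cents: int
    dest_account: str


def session_otp_authorizes(session_authenticated: bool, txn: Transaction) -> bool:
    """Model of the scheme the article calls broken: once the login OTP has been
    verified, any transaction issued in that session is accepted, whether the
    account holder or a real-time Trojan issued it. The transaction is ignored."""
    return session_authenticated


def confirmation_code(txn: Transaction, key: bytes = SERVER_KEY, digits: int = 6) -> str:
    """Short code bound to the transaction: HMAC-SHA256 over its fields, truncated
    with the dynamic-truncation rule of RFC 4226 (HOTP)."""
    msg = f"{txn.txn_id}|{txn.amount_cents}|{txn.dest_account}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def out_of_band_message(txn: Transaction) -> str:
    """What the bank sends over the second channel (SMS or voice call): the
    transaction as the bank actually received it, plus the bound code. A holder
    who intended a different payee or amount sees the substitution here."""
    return (f"Confirm ${txn.amount_cents / 100:,.2f} to account ending "
            f"{txn.dest_account[-4:]}: code {confirmation_code(txn)}")


def verify(submitted: Transaction, code_entered: str) -> bool:
    """Bank-side check: the entered code must match the submitted transaction,
    so a code obtained for one payment cannot confirm a different one."""
    return hmac.compare_digest(confirmation_code(submitted), code_entered)


if __name__ == "__main__":
    intended = Transaction("T1", 125_000, "111122223333")   # what the holder meant to pay
    tampered = Transaction("T1", 44_700_000, "999988887777")  # what malware submitted
    print("session OTP accepts tampered:", session_otp_authorizes(True, tampered))
    print(out_of_band_message(tampered))
    print("bound code for intended confirms tampered:",
          verify(tampered, confirmation_code(intended)))
```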

Finding solutions and pushing financial firms to adopt them are two separate challenges. Banks only implemented two-factor authentication in October 2005, after the Federal Financial Institutions Examination Council (FFIEC) mandated additional security for online bank accounts.

Ferma’s Ferrari has already decided to fall back on a low-tech solution. “We have gone back to issuing manual checks,” he says.
