477 k stolen by online banking malware - despite using multi-factor authentication

  • 03-10-2009 9:52am
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    A company in the US is suing its bank for negligent online security procedures after they had $477,000 taken (the entire available balance) from their account, in a minute or two.

    An authorised employee was properly logged-in using a multi-factor authentication system, and the malware on the PC was smart enough to determine how much cash was in the account, and made several fraudulent transfers within seconds to other bank accounts – taking advantage of the active legitimate login.

    It seems to me that banks need to require a separate variable authentication code for each transaction – rather than relying on a single code for an entire session. Furthermore, this code needs to be tied to some variable in the payment (eg the last 4 digits of the payee’s IBAN).
    While this would be a pain to use for large volumes of small transactions, the additional factor (last 4 digits) could be required for transactions and online banking sessions over a certain value only.

    This would be open to a large number of small fraudulent transactions to "slip in under the radar" so in addition perhaps batches of small payment transactions could have a control total validation, before the batch of payments is released into the payments system.

    In other words if one entered 30 transactions totalling EUR 42,123.45, a separate multi-factor authentication device would produce a one-time password to authenticate the batch based on the total value of valid transactions. This could also improve the internal control system in a company because it would allow them to require a second employee to electronically “counter-sign” each batch of payments – in the same way as two signatories might be required on a cheque.

    http://www.technologyreview.com/computing/23488/page1/

    This is another case I came across of large scale unauthorised transfers from a bank account - in this case the bank wasn't even using multi-factor authentication!

    http://voices.washingtonpost.com/securityfix/Complaint%20091809.pdf


Comments

  • Closed Accounts Posts: 248 ✭✭bSlick


    Well if they know the cash was taken fraudulently surely it must be easy to recover it? They know the destination accounts, therefore they can get the money back and arrest the perpetrator, no?


  • Subscribers Posts: 16,617 ✭✭✭✭copacetic


    This seems like an unusually poor security system?

    eg for BOI here, every transaction would have asked for confirmation by entering a different 3 digits from a 6 digit pin. You also would have only been able to transfer funds to a previously registered account, which is a postal method.


  • Registered Users, Registered Users 2 Posts: 6,441 ✭✭✭jhegarty


    With AIB you need to use a one time code to add a new account for transfers.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    bSlick wrote: »
    Well if they know the cash was taken fraudulently surely it must be easy to recover it? They know the destination accounts, therefore they can get the money back and arrest the perpetrator, no?

    One would assume so within the EU at least - even though Ireland is not a full member of the EU yet (Schengen Treaty still not implemented).

    There is nothing to stop a criminal from specifying an IBAN in some backstreet country that won't extradite to Ireland. Once the payment is made to one of these jurisdictions, finito.

    While some banks in Ireland seem to enforce a list of authorized payees for ebanking payments, that is not practical for corporate banking systems. Companies are paying new suppliers for one-off transactions all the time. There have been cases in Britain where ebanking fraudsters have tapped people's mortgages. The current account had an automatic top-up when it was overdrawn by transferring money from the unused equity balance in the home mortgage. Some people thought that their home mortgage was nearly paid off, and bingo - there was another 30 years of hard slog to get it down again after an online attack (unless the bank compensated them for the fraud).


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    jhegarty wrote: »
    With AIB you need to use a one time code to add a new account for transfers.

    Where do you get that one time code from? What is to stop malware from intercepting the one time code as you enter it, and using it for another transaction, ultra fast, before you have clicked on OK to use the code for the legit transaction?


  • Subscribers Posts: 16,617 ✭✭✭✭copacetic


    probe wrote: »
    Where do you get that one time code from? What is to stop malware from intercepting the one time code as you enter it, and using it for another transaction, ultra fast, before you have clicked on OK to use the code for the legit transaction?

    I think you misunderstood, as with BOI my understanding is that they post you the one time code and you can only use it to add the account you asked to be added, not for any other transaction.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    copacetic wrote: »
    I think you misunderstood, as with BOI my understanding is that they post you the one time code and you can only use it to add the account you asked to be added, not for any other transaction.

    It does not matter if they snail mail one time codes to you, or use a carrier pigeon or the branch manager invites you to lunch to hand over the code!

    The latest generation of malware is smart enough to grab the one time code as you keyboard it in to your machine, and use it before you do, to set-up a fraudulent transaction in the background. In a split second. It probably logs you out of your bank account before doing it.... so the bank's system does not notice two logins for the same account. The malware can be customised for each bank - send your IP number back to its control system (via compromised machines in a bot net) - determines target is in Ireland - high chance s/he is an AIB or BoI customer. Send the action profiles for these two banks online systems to the malware client - ready and waiting for you to go into an online banking session.

    If the creation of the one time code is customised for the beneficiary account, and it is done outside your online banking software (eg you call or write to the bank to get it sent out) you are probably OK. But if you request the online code using your online banking application, the malware could manipulate your request so you would see one transaction being set-up and it would send a different transaction set-up suiting its own purposes.

    Malware can be distributed via email, flash, pdf files etc. There are unpatched vulnerabilities in flash and adobe reader software at the moment - they have been around for weeks/months.

    Check your PC now using this Danish security website:
    http://secunia.com/vulnerability_scanning/

    Click "Scan online" > "Start Scanner" > Start

    I suspect you will find a few applications with security vulnerabilities that have not been patched. It is the same with most machines.


  • Subscribers Posts: 16,617 ✭✭✭✭copacetic


    again you misunderstood, this one time code is tied to adding the account you requested to be added. It can't be used for any other transaction. There are misunderstandings in your post too. Have you ever actually used BOI or AIB online banking? You don't seem at all familiar with how they work.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    copacetic wrote: »
    again you misunderstood, this one time code is tied to adding the account you requested to be added. It can't be used for any other transaction. There are misunderstandings in your post too. Have you ever actually used BOI or AIB online banking? You don't seem at all familiar with how they work.

    I accept that - you posted while I was finishing my post :-) They really need to be running boards on Google Wave, so you can see the keystrokes in real time!

    How do you get the one time code ? Online or offline?

    No I don't have AIB or BoI online banking.


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    probe wrote: »
    How do you get the one time code ? Online or offline?

    No I don't have AIB or BoI online banking.

    Can't speak for AIB but with BOI you are posted out the one time code.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    rmacm wrote: »
    Can't speak for AIB but with BOI you are posted out the one time code.

    But how do you *apply* for the code - online or offline? If the application process is compromised by malware, and the code comes back to you in the post like a PIN notification for a card, there is still a vulnerability.

    In my experience card PIN notifications contain little or no information beside the 4 to 6 digit PIN.

    If you applied for the one time code online, and the code notification document was along the lines of

    Dear Customer,

    You requested a verification code via our online banking system on 2009.10.11 at 14:03 IST. Please check the following details before using the verification code on your system.

    The beneficiary bank will be: Прачечная ("Laundry") Bank Corporation, Moscow

    The account holder to be credited will be:
    реструктурирование предприятий кибер-преступностью AG (roughly, "Enterprise Restructuring by Cybercrime AG")

    IBAN to be credited: RU89 2345 1234 2323 9999
    BIC: LAUN RU 5G 3XX

    If you did not request a facility to make online payments to this entity, please phone 1800 112 112, quoting reference 523812928.

    If you did request this facility, your verification code is 123456 and you should do xyz with it.

    or something along these lines.


    The above account details are needless to say intended to be fictional, and one is not casting aspersions on Russia in the example.





  • Subscribers Posts: 16,617 ✭✭✭✭copacetic


    you have to phone up asking for an account to be added, you need to enter 3 digits from a 6 digit pin first then the operator asks you various details of your account and security questions before they will enter an account. It's not valid until you then enter the code posted to you.


    I see what you are saying in general but it does appear the irish banks are well on top of it. At first on BOI i had a token key generator but they have moved on since.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    copacetic wrote: »
    you have to phone up asking for an account to be added, you need to enter 3 digits from a 6 digit pin first then the operator asks you various details of your account and security questions before they will enter an account. It's not valid until you then enter the code posted to you.


    I see what you are saying in general but it does appear the irish banks are well on top of it. At first on BOI i had a token key generator but they have moved on since.

    Aside from validating who you are (the account holder being debited) do they determine any elements from the beneficiary's details? If they are not locking the validation code to a specific destination account, it is a worthless exercise in terms of the risk posed by this type of malware.

    All they (your bank) would need to do is capture something simple like the last 4 digits of the destination IBAN, and lock the verification code to this beneficiary. If the malware tried to use the one time code to transfer to a fraudulent account, it would fail in the task because the last 4 digits of the IBAN would be different from the account the originator had specified.
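The two mechanisms argued for in this thread, the per-payment code that is tied to the payee's IBAN tail and amount (opening post and the reply just above) and the batch control total that a second employee can countersign (opening post), as an added worked example. This is not code from the thread and not any bank's actual system. Assumptions: the customer holds a token sharing an HMAC key with the bank and confirms the payee tail and amount on the token's own display; the displayed digits are derived with the RFC 4226 truncation; all keys and IBANs are constructed for the example and are not real accounts.

```python
import hashlib
import hmac
import struct

# Constructed keys for the example. In practice each token is personalised with
# its own key by the bank and the key never leaves the token.
EMPLOYEE_TOKEN_KEY = b"constructed-key-first-signatory"
APPROVER_TOKEN_KEY = b"constructed-key-second-signatory"


def iban_tail(iban: str) -> str:
    """Last four characters of an IBAN, ignoring spacing and case."""
    return iban.replace(" ", "").upper()[-4:]


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation as in RFC 4226 (HOTP): a fixed-width decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def transaction_code(key: bytes, counter: int, iban: str,
                     amount_cents: int, digits: int = 6) -> str:
    """Token side: a one-time code bound to one payment.

    The MAC covers the per-transaction counter, the payee IBAN tail and the
    amount, so the code cannot authorise a different payee or amount.
    """
    msg = (b"PAY" + struct.pack(">Q", counter)
           + iban_tail(iban).encode("ascii")
           + struct.pack(">Q", amount_cents))
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)


def bank_verifies_payment(key: bytes, counter: int, iban: str,
                          amount_cents: int, code: str) -> bool:
    """Bank side: recompute the code over the payment it actually received."""
    expected = transaction_code(key, counter, iban, amount_cents)
    return hmac.compare_digest(expected, code)


def batch_code(key: bytes, counter: int, payments: list, digits: int = 6) -> str:
    """Token side: a code over a batch's item count and control total (in cents)."""
    total = sum(amount for _, amount in payments)
    msg = b"BATCH" + struct.pack(">QQQ", counter, len(payments), total)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)


def bank_verifies_batch(key: bytes, counter: int, payments: list, code: str) -> bool:
    """Bank side: the batch it received must match count and total the token signed."""
    return hmac.compare_digest(batch_code(key, counter, payments), code)


def demo() -> dict:
    """Walk through the scenarios discussed in the thread; returns the outcomes."""
    esb_iban = "IE12 DEMO 9312 3456 7890 12"              # constructed, not a real account
    mule_iban = "UA00 DEMO 0000 0000 0000 0000 0000 1"    # constructed
    counter, amount = 41, 12_345                            # EUR 123.45
    key = EMPLOYEE_TOKEN_KEY

    # The customer reads "...9012  EUR 123.45" on the token and keys in the code.
    code = transaction_code(key, counter, esb_iban, amount)
    results = {
        "legit_ok": bank_verifies_payment(key, counter, esb_iban, amount, code),
        # Malware swaps the payee in transit: different tail, different MAC.
        "swapped_payee_ok": bank_verifies_payment(key, counter, mule_iban, amount, code),
        # Malware keeps the payee but inflates the amount.
        "swapped_amount_ok": bank_verifies_payment(key, counter, esb_iban, 47_700_000, code),
        # Malware replays the captured code for the next transaction.
        "replay_ok": bank_verifies_payment(key, counter + 1, esb_iban, amount, code),
    }

    # A batch whose control total is EUR 42,123.45, signed by two employees.
    batch = [(esb_iban, 1_500_000),
             ("IE34 DEMO 0000 0000 0000 00", 2_000_000),
             ("IE56 DEMO 1111 1111 1111 11", 712_345)]
    bcount = 7
    first = batch_code(EMPLOYEE_TOKEN_KEY, bcount, batch)
    second = batch_code(APPROVER_TOKEN_KEY, bcount, batch)
    inflated = batch[:-1] + [(batch[-1][0], 812_345)]      # one amount raised
    redirected = batch[:-1] + [(mule_iban, 712_345)]       # same total, new payee
    results.update({
        "control_total_cents": sum(a for _, a in batch),
        "batch_ok": (bank_verifies_batch(EMPLOYEE_TOKEN_KEY, bcount, batch, first)
                     and bank_verifies_batch(APPROVER_TOKEN_KEY, bcount, batch, second)),
        "batch_inflated_ok": bank_verifies_batch(EMPLOYEE_TOKEN_KEY, bcount, inflated, first),
        # The control total alone does not catch a redirected item of equal value.
        "batch_redirected_same_total_ok": bank_verifies_batch(EMPLOYEE_TOKEN_KEY, bcount, redirected, first),
    })
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats the run makes visible. Binding only the last four digits of the IBAN means an attacker holding an account whose tail happens to match the intended payee gets through, so the bank-side MAC should cover the full IBAN while the token display shows only the tail for the customer to confirm. And a batch code over count and control total alone does not notice one item redirected to a different payee at the same amount (the `batch_redirected_same_total_ok` case passes), which is why the per-payment code above a value threshold and the batch total are proposed together rather than as alternatives.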


  • Subscribers Posts: 16,617 ✭✭✭✭copacetic


    as I mentioned above the code is locked to that account. You add the account via the phone and then activate it using the code. You can only activate the account you added via the phone.


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    probe wrote: »
    But how do you *apply* for the code - online or offline?

    When I've done it I add the beneficiary through 365online.com and then they post out a letter with the one time code in it. I can't remember the exact content of the letter that gets posted out (I usually shred them when I'm finished with them) but it's along the lines of what you posted.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    copacetic wrote: »
    as I mentioned above the code is locked to that account. You add the account via the phone and then activate it using the code. You can only activate the account you added via the phone.

    Forgive me, but this is vague. What do you mean by "code is locked to that account"? Let's take an example:

    1. I go to a virus laden machine, which has this smart malware, go into the bank's ebanking system, and enter the ESB's IBAN so I can pay ESB bills.

    2. The malware tells the bank's computer that I want to set up a payment to a Ukrainian bank account IBAN, riding on the back of my login credentials (which could include multi factor).

    3. I call the bank call centre, validate my identity, tell them what I want, and get a validation code. My concern is that the bank might see my new payment request in their system, receive a phone call, authenticate me, and because I have phoned in as well as done the transaction online, issue an approval code for me to use - but in reality I am talking about a completely different payee to that notified by my PC to the bank.

    ie does the bank answering agent do anything to verify the beneficiary I intend to receive the payment(s) during the phone call, before issuing the code? If they don't do that, the code is not locked down to the correct beneficiary.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    The bank sends out a letter with the activation code. The letter clearly describes the account which is to be activated with the code, so the user could see any discrepancy between the account they requested and the actual account the malware requested.

    The issued code can only be used with that particular request.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Gavin wrote: »
    The bank sends out a letter with the activation code. The letter clearly describes the account which is to be activated with the code, so the user could see any discrepancy between the account they requested and the actual account the malware requested.

    The issued code can only be used with that particular request.

    It seems that you have to both call the bank as well as setting up the transaction on your PC, AND wait for a letter with a code to arrive. I had assumed that one bank used the phone approach and another used the letter approach.

    Surely it would be simpler to set-up the new payee on your PC (with the usual login controls), and for the bank to automatically write to the account holder with the one time code specific to that account relationship pair, before any payments can be made.

    I can't see the added security benefit of also having to call the bank to request the verification code document, and it must add to the cost. Belt and braces!

    If there is a concern that some customers store their banking passwords in their browsers without a browser security password, AND the customer does not have multi-factor authentication, AND that some insider could steal the authentication letter before the customer got their hands on it, (lots of ANDs) the letter could be re-worded.

    Perhaps offer them a grid of ten possible verification codes in the letter, with only one code being the correct code. If someone uses a wrong code from the letter, the authorization is locked.

    eg:

    Dear Customer

    Details of the intended payee

    Your four digit verification code is one of the ten codes shown below. The correct code is based on the line number corresponding to the second digit of your online banking PIN.

    If the second digit
    of your online banking PIN =

    1 - your verification code is 1234
    2 - your verification code is 2345
    3 - your verification code is 8765

    etc.

    You have only one opportunity to enter the correct 4 digit verification code.

    This type of letter would provide more security in the event of the document getting into the wrong hands - with no additional transaction processing cost.

