Two-Factor Fraud: Threat of the Week
The threat report from Japanese security company Trend Micro was blunt. Two-factor authentication was successfully compromised by criminals and the victims were customers of 34 different financial institutions in Japan, Switzerland, Austria and Sweden.
No U.S. institutions were known to have been compromised in this attack that Trend Micro dubbed Emmental because, the company said, digital banking protections are “full of holes.”
What was especially startling to security experts was that the attack made a mockery of two-factor authentication – and at least some said the insecurity of SMS-based two-factor is baked in and more compromises can be predicted. More on that momentarily.
First, about this attack in particular.
“It was revolutionary because it compromised multiple platforms,” JD Sherry, a Trend Micro vice president said.
The victimized European and Japanese banks used a sophisticated login process that involved what’s called session tokens. At the online banking site the consumer entered credentials. The institution fired off an SMS with a one-time password. The consumer saw the text, entered the password, and gained access.
That’s much more elaborate security than typically seen at U.S. credit unions and banks, and the way these cybercriminals – believed by Trend Micro to have been operating out of Russia and/or Romania – snared their victims was exceptionally complicated.
First, victims received a phishing email that appeared to contain receipts from well-known retailers. They clicked on an attachment and malware was downloaded to their Windows computer (only Windows, not Apple or ChromeBook, per Sherry). This was very smart malware. It changed some key security settings on the computer, and then removed itself.
When the victim next tried to access his/her banking website, the computer instead headed to a malicious site that looked exactly like the bank’s. There, the victim entered his login credentials, which the criminal snagged.
Then the victim was urged to download a mobile banking app update to his Android phone (it does not work on iPhone). Once that step was completed, it was game, set, match because now the criminal could intercept authenticating SMS sent to the phone, and he already had the login credentials for online banking.
“This is not the bank’s fault,” said Mark Stanislav, security evangelist at Duo Security in Ann Arbor, Mich. “There are a lot of failures [exploited in this attack]. It’s an example that will resonate with people.”
The core problem is user error. But, really, the only mistake the customer made was clicking on the phishing email. From there on, even sophisticated consumers might have been duped because the banking site looked perfect and the banking app was downloaded from that site. Who wouldn’t trust his/her financial institution?
That’s why some in security used this compromise to take a fresh – and harsh – look at SMS in two-factor authentication. Financial institutions use it because it’s cheap, and it has also become ubiquitous as cellphone penetration is nearly universal among banking customers. But it may not provide the sought-after security.
“Two-factor authentication has been under attack for a long time,” said John Zurawski, a vice president at security company Authentify in Chicago. “It should be no surprise that criminals have found ways to attack one-time passwords sent in SMS.”
Zach Lanier, a senior security researcher at Duo Security, insisted that “SMS is not a good mechanism for [implementing two-factor]. It’s a chink in the armor. It’s good that two-factor is rolling out but SMS is bad because it is vulnerable.”
But a big part of the problem is that, fundamentally, what those banks used is not true two-factor authentication, at least not as it is intended.
Mike Angelinovich, CEO of OHVA, a multi-factor authentication company based in San Jose, Calif., explained.
“The real issue here is this is not two-factor authentication because the user is not accessing their online or mobile account with something they have. They are accessing it with another layer of something they know that is only received by something they have. If a human (user) knows what it is, then just like your user name and password it can be stolen and re-used in real time to access an online account by a hacker,” he said.
Angelinovich’s point did not split hairs. Two-factor authentication is supposed to be based on something the user knows (a PIN for instance) and something he has (a chip-and-PIN card for instance).
An SMS-delivered one-time password used as the second factor is, in effect, another thing the user knows (not has). And the more financial institutions turn to mobile phones and texting as an authentication target, the more aggressively criminals will seek to put disguised malware on phones that is designed precisely to intercept SMS.
The malware does not have to be a faked banking app, experts said. It could be a game, a city guide, anything. The key is that, in its permissions, it seeks access to incoming SMS. Most Android users merely glance at permission requests, so getting by the user is often easy.
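The permission check described above, as an added vetting example that is not from the article, Trend Micro or any named vendor: it parses an Android manifest (a constructed sample) and flags an app that requests incoming-SMS access, and goes a step beyond the paragraph by also flagging a high-priority receiver on SMS_RECEIVED, the usual sign that an app wants to see texts before the messaging app does. The triage threshold is this example’s own assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 100  # this example's own triage threshold, not an Android constant

# Constructed sample manifest (not a real app): declares what an SMS-stealing
# "banking update" needs, namely incoming-SMS permission and an early receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebankupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def sms_findings(manifest_xml: str) -> dict:
    """List the SMS permissions an app requests and any receivers hooked to SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    receivers = []  # (receiver name, intent-filter priority)
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                receivers.append((rcv.get(NS + "name"), int(flt.get(NS + "priority", "0"))))
    return {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": receivers,
        "high_priority_sms_receiver": any(p >= HIGH_PRIORITY for _, p in receivers),
    }

def risk_level(findings: dict) -> str:
    """Rough triage: reading texts plus a high-priority SMS_RECEIVED hook is the OTP-theft pattern."""
    if findings["sms_permissions"] and findings["high_priority_sms_receiver"]:
        return "high"
    if findings["sms_permissions"]:
        return "medium"
    return "low"
```

Run against a manifest pulled from an APK under review, a "high" result is the point at which the app deserves a closer look rather than a glance at the permission prompt.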
What’s a more secure alternative than SMS? Zurawski suggested a voice call to the consumer’s smartphone that reports the login attempt and requires confirmation.
Zurawski acknowledged that voice can be “more costly than SMS,” but it also “is much harder to compromise.”
Other options will emerge and, either way, the one fact that seems certain is that many credit unions will be taking freshly skeptical looks at SMS as a cornerstone of security.