In mid-July, an account manager at Ferma, a construction firm in Mountain View, CA, logged in to the company's bank account to pay bills, using a one-time password to make the transactions more secure.
Credit: Technology Review
Yet the manager's computer had a hitchhiker. A forensic analysis performed later would reveal that an earlier visit to another website had allowed a malicious program to invade his computer. While the manager issued legitimate payments, the program initiated 27 transactions to various bank accounts, siphoning off $447,000 in a matter of minutes. "They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit," says Roy Ferrari, Ferma's president.
The theft happened despite Ferma's use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs--real-time Trojan horses--that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. "I think it's a broken model," Ferrari says.
Security experts say that banks and consumers alike need to adapt--that banks should offer their account holders more security and consumers should take more steps to stay secure, especially protecting the computers they use for financial transactions.
"We have to fundamentally rethink how customers interact with their banks online," says Joe Stewart, director of malware research for security firm SecureWorks, in Atlanta, GA. "Putting all the issues with the technology aside, if [attackers] can run their code on your system, they can do anything you can do on your computer. They can become you."
Bedford, MA-based security company RSA, which manufactures a one-time password device known as SecurID, argues that neither companies nor consumers should rely on any single factor to secure their transactions. Sam Curry, vice president of product marketing for the firm, which is now a division of EMC, says that one-time password technology and other additional security measures can raise the bar against attackers but will not keep them out forever. "Companies should be very leery of both prophecies of doom, like the death of a technology, [and] rosy visions of security," Curry says. "Everything is breakable."
Security measures may not eliminate a threat, but they can make it more costly for criminals to use a particular type of attack, Curry adds. The issue is to find the best combination of cost, usability, and security for the consumer.
Comments
"We have gone back to issuing manual checks,"
A more reasonable, yet still drastic, reaction would be to dedicate a terminal or virtualized OS that is only able to connect to the business's bank website.
colinnwn
09/18/2009
Posts:51
The solution, technically, is simple and cheap - just get a simple PINPad, just like those used at any supermarket/gas station/any merchant and enable it to be connected to the business/home PC (USB/bluetooth/etc). This enables a trusted device (hard-wired/coded in PROM) to possess the crypto keys needed by the bank and the user to authenticate each and every transaction that is displayed on the little screen and any data entered on its own little keyboard - just like shopping! Simple, easy and secure!
So, why not now? Again simple. Governments have not been willing to regulate for security in the computer and data comms industries!! Remember, as Ralph Nader knew and Al Gore portrayed in another area as an "Inconvenient Truth", safety and security has NEVER been market driven, e.g. fire extinguishers in offices, seat belts in cars, and on and on.
PS: That PINPad, with its associated "card present" transaction backing, would also enable secure social service operations and the like and, by the way, in large quantities we are talking about less than $35 per unit (cheaper than any anti-Trojan/Virus/Botnet or like malware detection package).
The trusted solution is there, now... Is there the willingness of government to act in the interest of the security of its citizens and the protection of a critical national infrastructure, the banking, finance and payments sector?
wjc
09/18/2009
Posts:2
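The PINPad idea above amounts to "what you see is what you sign": the device shows the payee and amount on its own screen and signs exactly those fields, so a Trojan on the PC can neither change the transaction after approval nor get the user to approve a payment they never saw. A one-time password from a SecurID-style token does not give this property, because the code is not bound to any transaction contents. The following is an added example, not code from Technology Review or from any commenter, sketching the exchange in Python. It assumes a symmetric HMAC key provisioned into both the device and the bank at enrollment, JSON canonicalization of the transaction fields, and a fresh per-transaction challenge from the bank; the names TrustedPinPad, Bank and run_scenario are hypothetical.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Hypothetical names (TrustedPinPad, Bank, run_scenario) constructed for this example.


def canonical(tx: dict) -> bytes:
    """Serialize a transaction deterministically so device and bank MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class TrustedPinPad:
    """Stand-in for the PINpad: own screen, own keypad, key fixed in firmware."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, tx: dict, challenge: bytes, user_confirms) -> Optional[str]:
        # The device shows payee and amount on its own display and signs only
        # after the user approves on its own keypad; PC malware cannot alter
        # what the device displays, only what it asks the device to sign.
        if not user_confirms(tx):
            return None
        return hmac.new(self._key, challenge + canonical(tx), hashlib.sha256).hexdigest()


class Bank:
    """Bank side: issues a fresh challenge per transaction and verifies the MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding: Dict[str, bytes] = {}

    def challenge(self, session: str) -> bytes:
        c = os.urandom(16)
        self._outstanding[session] = c
        return c

    def submit(self, session: str, tx: dict, mac: Optional[str]) -> str:
        challenge = self._outstanding.pop(session, None)   # each challenge is single-use
        if challenge is None:
            return "rejected: no outstanding challenge (replay or out of order)"
        if mac is None:
            return "rejected: user did not approve on the device"
        expected = hmac.new(self._key, challenge + canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return "rejected: signature does not match submitted transaction"
        return "accepted"


def run_scenario(attack: str) -> str:
    """Drive one payment through a PC that may be running a Trojan.

    attack: "none"   - honest PC
            "swap"   - Trojan lets the user sign the real payment, then submits a changed one
            "inject" - Trojan asks the device to sign the Trojan's own payment
            "replay" - Trojan resubmits a signature the bank already accepted
    """
    key = os.urandom(32)                   # provisioned into device and bank at enrollment
    bank, device = Bank(key), TrustedPinPad(key)
    session = "sess-1"
    intended = {"payee": "ACME Lumber", "amount": "1200.00", "currency": "USD"}   # constructed
    attacker = {"payee": "mule-account-7", "amount": "47000.00", "currency": "USD"}  # constructed

    def user_confirms(tx):                 # the user reads the device's own screen
        return tx["payee"] == intended["payee"] and tx["amount"] == intended["amount"]

    challenge = bank.challenge(session)
    if attack == "inject":
        mac = device.sign(attacker, challenge, user_confirms)
        return bank.submit(session, attacker, mac)
    mac = device.sign(intended, challenge, user_confirms)
    if attack == "swap":
        return bank.submit(session, attacker, mac)
    result = bank.submit(session, intended, mac)
    if attack == "replay":
        return bank.submit(session, intended, mac)
    return result


if __name__ == "__main__":
    for a in ("none", "swap", "inject", "replay"):
        print(f"{a:7s} -> {run_scenario(a)}")
```

The three rejections correspond to the three things a compromised PC can try: altering the transaction after signing, feeding the device a different transaction, or reusing an old signature. The first fails on the MAC, the second fails at the user's eyes because the device's screen is not under the PC's control, and the third fails because the bank consumes each challenge once. A real deployment would use per-device keys and a transaction counter rather than one shared key, but the binding of signature to displayed fields is the point.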
nhjeff
09/18/2009
Posts:2
On top of that I use a bootable DVD of Ubuntu, so no viruses are present for my banking session; even if the rest of my computer potentially contains trojans, my banking should stay safe.
nanobody
09/18/2009
Posts:3
Furthermore we need greater encryption for transmission on the web. My bank (Huntington), for my business for instance, gave me my account information via 3 different methods (no one instance provided all the required information to log in and access the account) as well as the SecurID generator.
Perhaps an NFC technology could be implemented here, or a 2D barcode scan via webcam, then encrypted while transmission between the server and client takes place. Thoughts? Cheers!
brianjking
09/24/2009
Posts:4
Thus, the problem has nothing to do with the authentication. Whether it be one-, two- or even three-factor authentication, the exploit would work. The problem is the integrity of the user's computer. And this one is tougher to succeed at, especially with generic open computers. If using a non-dedicated device, then we will have to assess this risk and try to mitigate it: checking the integrity of the computer often, monitoring banking transactions often, ...
Wunderbarb
09/18/2009
Posts:6
Call_me_a_ko...
09/18/2009
Posts:1
Creator1326
09/18/2009
Posts:3
Shiladie
09/18/2009
Posts:56
If malware is on the device, it can take over what is displayed, so a confirmation can be thwarted.
To use a second device for a confirmation, need to make sure the malware doesn't change the phone number or address while you are logged in.
Too many people don't read confirmations carefully enough.
I'd have to ask how a bank site can allow 27 transfers to accounts that have never been used by this account holder before, all in one session. The transaction system needs to be smarter. For my account, I'd say if there is ever a transfer to an account I haven't used before, flags should go up and it should require double verification. Two such transfers, or one over $1000, I want triple verification. Especially if the target account is not a well-trusted business account. This is a problem with some of these accounts. They don't let me put limits on what can be done.
gvguy
09/19/2009
Posts:1
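The rules in the comment above (a never-used payee means double verification; a second new-payee transfer in the same session, or any transfer over $1000, means triple verification) are straightforward to run on the bank's side over the session's transfer log, and they would have stopped a burst like the 27 transfers in the story long before the account limit was reached. The following is an added example, not code from Technology Review or from the commenter, implementing those rules in Python over a constructed four-line session log. The log format, the known-payee set, and the function names parse_log, assess_session and session_exposure are assumptions for the example; a bank would draw the payee history from its own records.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Set

# Constructed sample log (not from the article): one online-banking session in
# which the first transfer goes to a known payee and the rest to new accounts.
SAMPLE_LOG = """\
2009-07-15T10:02:11 session=s1 seq=1 payee=City_Utilities amount=250.00
2009-07-15T10:02:40 session=s1 seq=2 payee=acct_8841 amount=900.00
2009-07-15T10:02:52 session=s1 seq=3 payee=acct_2207 amount=9500.00
2009-07-15T10:03:05 session=s1 seq=4 payee=acct_5310 amount=800.00
"""

# Assumed log line layout; adjust the pattern to the real transaction log.
LINE = re.compile(
    r"session=(?P<session>\S+) seq=(?P<seq>\d+) payee=(?P<payee>\S+) amount=(?P<amount>[\d.]+)"
)


@dataclass
class Transfer:
    session: str
    seq: int
    payee: str
    amount: Decimal


@dataclass
class Verdict:
    seq: int
    level: int            # 1 = normal, 2 = double verification, 3 = triple verification
    reasons: List[str]


def parse_log(text: str) -> List[Transfer]:
    """Parse the constructed log format into Transfer records, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            out.append(Transfer(m["session"], int(m["seq"]), m["payee"], Decimal(m["amount"])))
    return out


def assess_session(transfers: List[Transfer], known_payees: Set[str],
                   large_amount: Decimal = Decimal("1000"),
                   new_payee_limit: int = 2) -> List[Verdict]:
    """Apply the commenter's rules in transfer order within one session."""
    verdicts = []
    new_payee_transfers = 0
    for t in sorted(transfers, key=lambda x: x.seq):
        level, reasons = 1, []
        if t.payee not in known_payees:
            new_payee_transfers += 1
            level = 2
            reasons.append("payee never used before")
            if new_payee_transfers >= new_payee_limit:
                level = 3
                reasons.append(f"{new_payee_transfers} transfers to new payees this session")
        if t.amount > large_amount:
            level = 3
            reasons.append(f"amount {t.amount} over {large_amount}")
        verdicts.append(Verdict(t.seq, level, reasons))
    return verdicts


def session_exposure(transfers: List[Transfer], known_payees: Set[str]) -> Decimal:
    """Total that would leave the account to never-before-used payees in this session."""
    return sum((t.amount for t in transfers if t.payee not in known_payees), Decimal(0))


if __name__ == "__main__":
    known = {"City_Utilities", "ACME_Lumber"}      # constructed payee history
    txs = parse_log(SAMPLE_LOG)
    for v in assess_session(txs, known):
        print(f"seq={v.seq} level={v.level} {'; '.join(v.reasons) or 'ok'}")
    print("exposure to new payees:", session_exposure(txs, known))
```

Run against the sample, the first transfer passes at level 1, the second is held for double verification as a first-time payee, and the third and fourth escalate to triple verification because they are the second and third new-payee transfers in the session (the third also exceeds $1000). The exposure figure is what the bank should weigh before letting the session continue at all, which is the stronger control the commenter is asking for.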
skingw
09/22/2009
Posts:20
Having the user actually see the type and amount of the transaction they are supposed to be authenticating, embedded within the actual visual challenge, would prevent the average user from authenticating them.
MattPW
09/24/2009
Posts:1
An email with a confirmation "link" should be sent informing you of that activation. That would give you notice to confirm and a timely phone call to lock/remove unauthorized entries.
steverjk
09/28/2009
Posts:1