Cybercriminals are increasingly gaining access to bank accounts and user credentials by beating strong two-factor authentication security, warns research firm Gartner.
Fraudsters are raiding bank accounts by using Trojans that steal passwords and credentials.
Other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, are similarly being defeated.
“These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009,” said Avivah Litan, an analyst and vice president with Stamford, Conn.-based Gartner. “However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data.”
Examples of new attacks that are emerging in the “wild” include:
• Malware on the users’ computer overwrites transactions sent to an online banking Web site. This happens behind the scenes, so that the user does not see the revised transaction values. Many online banks will then communicate the transaction details back to the user’s browser for confirmation, but the malware changes the values seen by the user to reflect the values originally entered. In so doing, neither the user nor the bank realizes that the data has been altered.
• Authentication used in voice telephony applications is being circumvented by a simple technique whereby the cybercriminal asks the phone carrier to forward the legitimate user’s phone calls to the fraudster’s phone.
With respect to the telephony fraud attacks, Litan says server-based fraud detection and security policies that prevent call forwarding have proven effective.
“Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions,” she added.
The FBI’s Internet Crime Complaint Center recently reported that, as of October, cybercriminals had attempted to steal approximately $100 million from U.S. banks using stolen passwords and credentials.
In many cases the cybercriminals have been successful in planting keystroke logging Trojan horse programs on the computers used by employees to conduct online banking on behalf of their companies.
Gartner says that cybercriminals are becoming more sophisticated in their attacks and that it may be necessary for banks and users to introduce more sophisticated security layers.
Litan noted the following technologies may prove to be effective:
• Fraud detection that monitors user access behavior. This method captures and analyzes all of the user’s Web traffic (assuming the targeted application is Web-based), including log-in, navigation and transactions. It can spot abnormal access patterns that indicate that an automated program is accessing the application, rather than a human.
• Fraud detection that monitors suspect transaction values. This technology looks at a particular transaction and compares it to a profile of what constitutes “normal” behavior for a user or a group of users.
• Out-of-band user transaction verification. This system confirms a transaction over a channel other than the primary communication channel (such as the user’s PC browser), so that malware controlling the browser cannot alter both the transaction and its confirmation.
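The transaction-rewriting attack and the out-of-band verification that counters it, as an added illustration that is not part of the original report: the confirmation code is bound to the payee and amount the user keys into a separate device, and the bank checks it against the transaction it actually received. The secret, account numbers and amounts are constructed sample values, and the HOTP-style truncation is one possible scheme, not a specific bank's product.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee_account: str   # destination account as that party sees it
    amount_cents: int


def transaction_code(secret: bytes, tx: Transaction, digits: int = 6) -> str:
    """Confirmation code bound to payee and amount: HMAC-SHA256 over the
    details, truncated the way HOTP (RFC 4226) truncates its MAC."""
    msg = f"{tx.payee_account}|{tx.amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def user_signs(secret: bytes, intended: Transaction) -> str:
    """Out-of-band step: the user keys the payee and amount they intend
    into a separate device (phone app or card reader) holding the secret.
    Browser malware never sees this device or the secret."""
    return transaction_code(secret, intended)


def bank_verifies(secret: bytes, received: Transaction, code: str) -> bool:
    """The bank recomputes the code over the transaction it actually
    received; a code computed over different values will not match."""
    expected = transaction_code(secret, received)
    return hmac.compare_digest(expected, code)


def process_transfer(secret: bytes, intended: Transaction,
                     delivered_to_bank: Transaction) -> str:
    """delivered_to_bank is what left the browser: identical to intended
    when the browser is clean, rewritten when malware is present."""
    code = user_signs(secret, intended)
    return "accepted" if bank_verifies(secret, delivered_to_bank, code) else "rejected"


# Constructed sample values (hypothetical, not real accounts)
SECRET = b"per-user-secret-provisioned-to-the-token"
INTENDED = Transaction("ACCT-USER-PAYEE-0001", 12_500)   # $125.00 to the real payee
REWRITTEN = Transaction("ACCT-MULE-9999", 950_000)       # values substituted by malware

if __name__ == "__main__":
    print("clean browser:", process_transfer(SECRET, INTENDED, INTENDED))      # accepted
    print("rewritten in transit:", process_transfer(SECRET, INTENDED, REWRITTEN))  # rejected
```

The screen may still show the user the values they entered, but the code they generated covers those values, not the rewritten ones, so the bank rejects the altered transfer.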
“Fraudsters have definitely proven that strong two-factor authentication processes can be defeated,” said Litan.
“Enterprises need to protect their users and accounts using a three-pronged layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transactions.”