We frequently advise the use of two-factor authentication to protect accounts. Two-factor is certainly better than a single unchanging password, but there’s one major limitation: if you’re being sent an SMS with a one-time password but you want to access that service on the same phone, your protection level has essentially evaporated. According to AusCERT, that’s already a big enough issue to make two-factor systems based on sending text messages all but useless.
Speaking at the Digital Security Summit hosted by ACE Events in Canberra today, AusCERT general manager Graham Ingram highlighted the issue. While banks have actively encouraged the use of SMS-based systems for larger transactions, they are also encouraging the use of mobile phones to log in. As Ingram put it:
The problem the banks are having at the moment is that the two-factor out-of-band device that they’re sending the messages to is now the same device being used for the banking, and the malware is fully aware of that and using the sent information to capture the session.
How can you stay secure? Firstly, use a non-obvious password for online banking, change it regularly, and don’t store it in unencrypted form. Secondly, use security software on your mobile (and require that of phones you manage for others).
Even more basic: Set passwords on your mobile devices so they can’t be accessed by miscreants. We’d suggest not doing your banking on your phone, but that ship has sailed — banks consistently report that half their online banking traffic comes from mobile devices.
Comments
10 responses to “Two-Factor Can’t Be Trusted Anymore For Online Banking: AusCERT”
In theory, possession of the phone is itself already one of the factors (“something you have”), making the SMS code redundant.
Trouble then is that to implement “true” and secure 2-factor on mobile, you’d have to have something else to substitute for the “something you have” factor (e.g. NFC Ring – http://www.kickstarter.com/projects/mclear/nfc-ring), or else use “something you are” (fingerprint scanner) because “something you know” (your PIN/password) is already the 2nd factor.
They’re actually hyping the malware issue – so no – possession of an infected phone is not a useful factor (nor is much of anything else if it’s relying on the phone still).
There are interesting solutions that do cover the problem, unlike most of the legacy “1980’s” stuff, which are all basically rip-offs of the RSA changing number idea.
I work for CryptoPhoto, which is a new kind of two-factor-authentication (or 3-factor even – we include face-recognition-unlock as an option) which incorporates mutual-authentication as well as malware protection.
Chris
I think CBA has enough protection in place to minimize these issues
1) SMS sent when transferring money with one time code
2) ios device can have PIN, and the kaching app can have a PIN
3) any new transactions taking place, be it to CBA or other bank, still takes next business day
4) email confirmation sent of transactions.
I think without making it too painful, this should minimize most of the issues.
The thing with this process is that it’s still only single-factor authentication if the transaction is taking place on the mobile device. People also (at least, in my experience) tend to use the same PIN for both their lockscreen and application.
The transfer delay doesn’t necessarily prevent loss, as if you don’t check your balance every day (and it’s your prerogative not to; I don’t) you mightn’t notice that the transfer has been done until a transaction is declined.
The email doesn’t necessarily prevent loss, it’s more of an FYI to let you know that something has happened – and not everyone checks their email regularly.
CBA had their first case of 2FA being compromised years ago. You are right in that what they have in place minimises these issues, but if they wanted to spend the money, they could do more.
Most banking malware nowadays modifies your banking session so that when you complete a transaction, it actually works in the background to complete a different transaction, using the OTC you entered to sign off on the fraudulent transaction. The malware will then, for that and subsequent sessions, modify your Internet Banking sessions to hide the fraudulent transaction and falsely display the transaction you believed you made.
The email confirmation would catch this out; however, it would be interesting to see how many people actually reconcile these emails if the timing of it matches up with a transaction they believed they made.
It should also be noted that CBA’s 2FA SMS actually includes payee details, e.g. “Your NetCode to authorise the payment of $10.00 to BSB 012345 Account Number 12345678 is 123456.”
The problem is that not everyone reads the full message, they go straight to the OTP.
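An added example (not CBA’s code or any bank’s implementation) of why putting the payee details in the SMS matters: if the one-time code is computed over those details, the code the user read for the payment they saw does not verify for the different payment that malware substitutes in the background. The shared secret, the nonce and the field layout are assumptions.

```python
# Transaction-bound one-time code: an HMAC over the canonical payee details.
# Assumed design, constructed for illustration; not any bank's real scheme.
import hashlib
import hmac

# Hypothetical per-user secret held by the bank's OTP service (constructed value).
USER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def canonical_payment(amount_cents: int, bsb: str, account: str, nonce: str) -> bytes:
    """Serialise exactly the fields the user is asked to check; the nonce is
    generated by the bank per pending payment so a code cannot be replayed."""
    return f"{amount_cents}|{bsb}|{account}|{nonce}".encode()


def issue_code(secret: bytes, amount_cents: int, bsb: str, account: str, nonce: str) -> str:
    """Six-digit code derived from the MAC of the payment details."""
    mac = hmac.new(secret, canonical_payment(amount_cents, bsb, account, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def sms_text(amount_cents: int, bsb: str, account: str, code: str) -> str:
    """Message in the layout quoted in the comment above, so the user can compare
    the payee shown on screen with the payee the code actually authorises."""
    return (f"Your NetCode to authorise the payment of ${amount_cents / 100:.2f} "
            f"to BSB {bsb} Account Number {account} is {code}.")


def verify(secret: bytes, amount_cents: int, bsb: str, account: str, nonce: str, submitted: str) -> bool:
    """Server side: recompute the code for the payment that is actually being
    submitted and compare in constant time. A code issued for another payment fails."""
    expected = issue_code(secret, amount_cents, bsb, account, nonce)
    return hmac.compare_digest(expected, submitted)


def demo() -> tuple:
    nonce = "pay-0001"  # constructed; a real service would use a random per-payment nonce
    # The payment the user saw and read the SMS for:
    code = issue_code(USER_SECRET, 1000, "012345", "12345678", nonce)
    genuine = verify(USER_SECRET, 1000, "012345", "12345678", nonce, code)
    # The payment malware submits in the background, reusing the same code:
    swapped = verify(USER_SECRET, 950000, "999999", "87654321", nonce, code)
    return genuine, swapped


if __name__ == "__main__":
    print(sms_text(1000, "012345", "12345678", issue_code(USER_SECRET, 1000, "012345", "12345678", "pay-0001")))
    print(demo())
```

The defence only works if the user actually reads the payee in the message, which is exactly the gap the next sentence points at.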
If they have access to your phone, they can easily delete the email, and erase it from the trash. You’ll never know it was sent. And it’s still the 1 password they need. If they have the password to the app, they can do anything they want. You don’t need another password to check your SMS.
All banks have a PIN to login to their mobile app, and send emails when making a payment to someone for the first time or over a certain amount.
The banks knew this would be the case years ago. The reason for going two-factor was mainly because users perceive it to be more secure, not because it is fail-proof (because that’s far from the case).
SMS being used for two-factor authentication is even more insecure; however, it is infinitely cheaper, which is why the banks offer it (the cost of providing 2FA tokens and upkeeping them is very high when you look at the number of users banks are dealing with).
The best usable banking security involves accurate real-time analytics based on a large dataset (i.e. significant amounts of user history), tied into efficient manual processes and unobtrusive automatic measures. This is easier said than done, however, as a lot of the not-quite-off-the-shelf solutions (looking at you Oracle) just don’t work at the scale banks need them to, despite costing enormous amounts of money.
Having said all that however, the vast majority of stolen funds are acquired through fairly simple means. That being phishing, black-market-off-the-shelf-malware (SpyEye and Zeus), scams and credentials being given to ‘trusted’ people (family, partners, secretaries, etc).
I wouldn’t discount the efficacy of phishing calls – I know of a number of people (who, unfortunately tend to be less tech-savvy and more vulnerable to these scams) who have had people calling them, claiming to be from Microsoft or wherever, then getting them to make Western Union transfers. When Western Union prompts for the 2FA SMS, the caller simply claims that it’s “the maximum that can be transferred, not the actual amount” or “the RRP, but you’re getting a discount”.
Having said that, Western Union, to my knowledge, can cancel these transfers if you call them soon enough.
Sadly, the majority of people are at least a little bit ignorant, and it’s that small number who fall for these that give scammers the incentive to continue.
My 2 factor authentication with my bank is an extra dongle attached to my key chain.
I don’t actually do phone banking, but even if I did, it’d still keep the 2 factor authentication functioning.
I’m with HSBC and they use a token that sits on your keychain.
This is such a non-issue. If the hacker has direct access to your phone/computer then all security bets are always off. All we can do is minimize the risk: cancel your SIM card and IMEI, use encrypted storage and an unlock PIN on your phone. Even if the bank gave people RSA keyrings, how many people do you think would attach it to their phone directly? How many would keep it in their handbag with the phone? Any account is only going to be as secure as the weakest link the user allows it to be.
Steveo, you’re absolutely right. I would also like to add that SMS based authentication is insecure regardless, it’s not out-of-band. There are mobile device based solutions that are out-of-band however, which minimize risk much more than SMS auth can. Toopher is a great location-based, out-of-band solution which sends push notifications to your phone asking you to ‘allow’ or ‘deny’ a login or transaction attempt. However, receiving a push notification every single time you login would defeat the purpose of the notification and cause repetition poisoning. You’ll be trained to click allow every time you receive a notification, increasing security vulnerability. But Toopher isn’t vulnerable to repetition poisoning – users can automate logins from safe locations – home, office, etc. That way, users are notified when something out of the ordinary occurs, and left alone when it is genuinely them logging in. Even further, users have the option to add another factor of authentication – gesture based auth – in which the user must enter a unique pattern to ‘allow’ an action. Thus, two-factor or multifactor can still be trusted. Toopher can be trusted.