'Secure' 2FA has more holes than Swiss cheese: Trend Micro [ITP.net (United Arab Emirates)]
[July 24, 2014]

(ITP.net (United Arab Emirates) Via Acquire Media NewsEdge) Users of online banking services through Android-based smartphones, even those using two-factor authentication (2FA), may not be as secure as they think, according to a new report from digital security specialist Trend Micro.



Comparing banks' cyber protection methods to Swiss cheese, in reference to vulnerabilities, or "holes", in their security layers, Trend said in a statement: "Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, co-ordinate cards, TANs, session tokens - all were created to help prevent banking fraud." But recently Trend Micro researchers discovered a cyber-criminal ring that was engaged in an operation to compromise session tokens. Trend dubbed the operation "Emmental", in reference to the hole-ridden Swiss cheese.

In Europe, many banks implement 2FA by texting a session token to a user who logs in using their correct username and password. After the text is sent to the user's mobile phone, they have a short space of time to enter the session token before it expires.


The Emmental gang targets countries where the use of 2FA by SMS is widespread. Users will receive an email that spoofs a well-known online retailer. If they click a link within the message their phone will become infected with malware. The malware changes configuration settings and then removes itself, and so cannot be detected in subsequent infection scans.

The configuration revisions are to DNS settings, which then point to a server controlled by the cyber-criminals. The malware even installs a rogue SSL root certificate in the target device so the malicious HTTPS servers are trusted by default and no security warning is flagged by the target's protection software.

When infected users access their bank's website, they are redirected to a malicious site disguised as that of their bank. Once users enter their credentials, they are instructed to install an Android app on their smartphone.

The app is disguised as the bank's session-token generator, but it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number. This means the cyber-criminal not only gets the victim's online banking credentials through the phishing website, but also the session tokens needed to bank online.
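The following is an added illustration, not code from Trend Micro or from any bank described in the article. It models the server side of the SMS session-token scheme the article describes (short validity window, one-time use) and shows why an SMS-forwarding app defeats it: the bank cannot distinguish a token typed by the customer from a forwarded copy of the same text. For contrast it also models a device-bound challenge-response factor, where a forwarded copy of the challenge is useless without the key held on the enrolled device. The class names, the 60-second lifetime and the key format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime of an SMS token; the article only says "short"


class SmsTokenBank:
    """Hypothetical server-side model of SMS-delivered session tokens.

    After a correct password the bank issues a short-lived, single-use code
    and sends it out of band; the customer must enter it before it expires.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending = {}           # user -> (sha256(token), expiry timestamp)

    def issue_token(self, user):
        token = f"{secrets.randbelow(10**6):06d}"   # six-digit code sent by SMS
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token   # in practice this string leaves the bank via the SMS channel

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[user]                  # expired: discard it
            return False
        candidate = hashlib.sha256(submitted.encode()).hexdigest()
        ok = hmac.compare_digest(digest, candidate)  # constant-time compare
        if ok:
            del self._pending[user]                  # single use
        return ok   # note: nothing here depends on WHO submitted the code


class DeviceBoundBank:
    """Hypothetical challenge-response factor bound to a key on the enrolled device.

    The bank sends a random challenge; only the holder of the device key can
    produce the expected HMAC, so forwarding the challenge text proves nothing.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._keys = {}       # user -> device key registered at enrolment
        self._pending = {}    # user -> (challenge, expiry timestamp)

    def enroll(self, user, device_key):
        self._keys[user] = device_key

    def issue_challenge(self, user):
        challenge = secrets.token_hex(16)
        self._pending[user] = (challenge, self._clock() + TOKEN_TTL_SECONDS)
        return challenge

    def verify(self, user, response):
        entry = self._pending.get(user)
        if entry is None or self._clock() > entry[1]:
            self._pending.pop(user, None)
            return False
        challenge, _ = entry
        expected = hmac.new(self._keys[user], challenge.encode(), hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected.encode(), response.encode())
        if ok:
            del self._pending[user]
        return ok


def sign_challenge(device_key, challenge):
    """What the legitimate device does with a challenge; requires the key."""
    return hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()
```

In the SMS model, `verify` accepts any correct string presented within the window, which is exactly the property the Emmental app exploits: the forwarded SMS is the token. In the device-bound model the secret never travels over the SMS channel, so intercepting messages on the phone does not yield a usable response; the defensive lesson is that a second factor is only as strong as the channel that delivers it and the place it is stored.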

Trend Micro believes the Emmental group has been in operation since 2011. For most of that time it targeted only Europe, but in May this year the cyber gang added Japanese users to its list of hunting grounds. The Middle East may not be far behind.

(c) 2014 ITP Business Publishing Ltd. All Rights Reserved. Provided by SyndiGate Media Inc. (Syndigate.info).