
The attack, known as the Man in the Browser method, works like this. Malicious code is first introduced onto the victim’s computer, where it resides in the web browser. It lies dormant until the victim visits a specific website — in this case, his bank’s secure website. Once the user attempts to log in, the malware activates and interposes itself between the victim and the actual website. Often the malware will ask the victim to enter his password or other security code into an unauthorised field, supposedly to “train a new security system.” Once that happens, the attacker has full access to the account.
Luckily, the method is only a single-shot attack: the attacker is only able to infiltrate the site once with the user-supplied pass code. But once in, the attacker can hide records of money transfers, spoof balances and change payment details. “The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking,” Daniel Brett, of malware testing lab S21sec, told the BBC.
Since this attack has shown that the two-factor system is no longer a viable defence, the banking industry may have to adopt more advanced fraud-detection methods, similar to what secures credit cards. When compared to having your account silently drained, standing in line for the teller suddenly doesn’t seem like that much of a hassle. [BBC News via Technology Review]
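As an added illustration (not code from the article or from the BBC’s report), the Python sketch below models why a plain one-time login code does not stop the payment-detail tampering described above, while a code bound to the transaction details does: the shared secret, account names, time window and nonce are constructed demo values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo values (not from the article): a per-customer secret shared
# between the bank and the customer's token or SMS channel, and two accounts.
SHARED_SECRET = b"constructed-demo-secret"
INTENDED_DEST = "ACCT-FRIEND"   # where the user meant to send money
ATTACKER_DEST = "ACCT-MULE"     # where the malware redirects it

def derive_code(secret: bytes, message: bytes) -> str:
    """Six-digit code from an HMAC, the usual one-time-code construction."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def login_code(secret: bytes, window: int) -> str:
    """Plain one-time login code: depends only on the secret and a time window."""
    return derive_code(secret, window.to_bytes(8, "big"))

def transaction_code(secret: bytes, dest: str, amount_cents: int, nonce: str) -> str:
    """Transaction-bound code: commits to the destination and amount the user saw."""
    return derive_code(secret, f"{dest}|{amount_cents}|{nonce}".encode())

def mitb_rewrite(request: dict) -> dict:
    """Models the malware's move: swap the destination after the user approved it."""
    tampered = dict(request)
    tampered["dest"] = ATTACKER_DEST
    return tampered

def bank_process(request: dict, window: int, nonce: str) -> Optional[str]:
    """Bank side: verify the code, then execute the transfer exactly as received.
    Returns the destination paid, or None if the code was rejected."""
    if request["scheme"] == "plain":
        expected = login_code(SHARED_SECRET, window)
    else:
        expected = transaction_code(SHARED_SECRET, request["dest"],
                                    request["amount_cents"], nonce)
    if not hmac.compare_digest(expected, request["code"]):
        return None
    return request["dest"]

def simulate_transfer(scheme: str) -> Optional[str]:
    """User approves a transfer to INTENDED_DEST; the MitB rewrites it in flight."""
    window, nonce, amount = 1234, "nonce-42", 50_000
    if scheme == "plain":
        code = login_code(SHARED_SECRET, window)
    else:
        code = transaction_code(SHARED_SECRET, INTENDED_DEST, amount, nonce)
    request = {"scheme": scheme, "dest": INTENDED_DEST,
               "amount_cents": amount, "code": code}
    return bank_process(mitb_rewrite(request), window, nonce)

if __name__ == "__main__":
    print("plain OTP:", simulate_transfer("plain"))   # money goes to ACCT-MULE
    print("bound code:", simulate_transfer("bound"))  # None: transfer rejected
```

The bound variant only helps if the code is shown to the user together with the destination and amount over a channel the browser cannot rewrite, which is the point of the SMS-per-transaction schemes mentioned in the comments.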
Image: jamdesign / Shutterstock

Dan
Tuesday, February 7, 2012 at 8:41 PM
This isn’t a new threat. All the malware needs to do is intercept the cookie in flight once a client has accessed their respective website and siphon the information off to the attacker; if the malware includes a key logger it will grab the token PIN and credentials and the attacker can take over the entire session. Two factor is an added measure that protects the client’s authentication, not the session in progress.
Paul
Tuesday, February 7, 2012 at 9:09 PM
I know that the NAB has an SMS authentication system in place for Internet banking-based transactions. Since it essentially uses a one-time pad for authentication, this issue seems somewhat limited at present, at least for NAB banking.
AJ
Tuesday, February 7, 2012 at 9:51 PM
Nothing new here... looks like another attempt at FUD. MitB attacks have been there for years now and are no greater threat than non-browser-based trojans like Zeus.
Mark
Tuesday, February 7, 2012 at 9:57 PM
This isn’t that new at all. A near-identical attack (I’d even consider it slightly more sophisticated) was used shortly after Blizzard brought out its authenticators for World of Warcraft.
It involved malware on the user’s computer. When the user tried to log in it captured the username and password. Then, when the user was prompted for their authenticator code, it sent it to the attacker and then sent the wrong one to the login server. This commonly meant the user would type in the code several times. This could give the attacker a long enough window to remove the authenticator and attach a different one.
ogre
Wednesday, February 8, 2012 at 7:04 AM
Hang on, my bank sends me an SMS with a code that needs to be typed in to do any transactions with people not in your address book, or to open a new account, etc. I thought *this* was two-factor authentication, i.e. the first factor is your password to get in in the first place, “something you know”, and the second factor is your mobile SIM that lets you receive those SMSes, “something you have”.
So how exactly does this foil two-factor authentication? Seems to me that it only tricks you into handing over the “something you know” part, and it can’t do anything truly bad (unless you have people you don’t trust in your address book) unless it can receive your SMSes too.
Inquisitorsz
Wednesday, February 8, 2012 at 8:55 AM
I agree.
I also think that those jumbling keypad passwords that you have to physically click are better than a typed password, since they can’t be keylogged.
David
Wednesday, February 8, 2012 at 9:20 AM
This is neither new nor surprising.
Once you have malicious code running on your PC at a high privilege level (i.e. MitB), it’s game over no matter what security you’re implementing.
Sean
Wednesday, February 8, 2012 at 9:23 AM
This is an overseas article, where banks implement “two factor” authentication which really isn’t. Australian banks implement real two-factor authentication, usually with SMS, but sometimes with secure ID-style tokens.
Timmahh
Wednesday, February 8, 2012 at 9:40 AM
Banks pay out millions every year replenishing the accounts of people who’ve been hacked or duped. My bank didn’t even ask any questions when I got zapped! And that was my own fault! Quantum computers are the answer to this issue, I think.