As is widely known, two-factor authentication combines something you know with something you have. A username and password satisfy the first factor. The second factor is usually a four-digit code delivered to a separate device, traditionally a hard token or, more frequently of late, a mobile phone.
But a sophisticated cybercrime campaign that operated in Europe last summer found a way to defeat two-factor authentication by compromising both devices.
"Through a phishing email or general Web surfing, the user would click on a malicious link that downloads the Eurograbber version of the Zeus Trojan," explained Darrell Burkey, director of IPS at Check Point Software, one of the two companies that discovered and investigated the exploit, which yielded more than 36 million euros from approximately 30,000 European bank customers. "After the infection, it would sit silently until the next time the person accesses their bank account online. At that point, the Trojan would inject instructions to complete a purported upgrade of the online banking software that was supposed to actually improve the security. As part of that, it would ask for the user's mobile phone number. Then it asks you to go to the mobile phone and complete the instructions there."
Those instructions included a link that downloaded a mobile version of the Trojan, at which point both devices were effectively "owned." From then on, each time the user accessed their bank account, the malware initiated a transaction payable to a separate mule account. The bank would then send an SMS to the mobile phone containing an authorization number that had to be sent back to the bank from the registered telephone. That exchange was intercepted by the mobile Trojan, which forwarded the authorization code to command-and-control servers, which used it to approve the transaction. "The whole thing was invisible to the customer, who had no idea that money was being moved out of their account," said Burkey.
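A bank-side detection heuristic for the pattern just described, written as an added example and not code from Check Point or the article: it flags accounts where several consecutive logins each create an SMS-approved transfer to a payee the account has never paid before. The session log format, the field names and the three-session threshold are assumptions made for illustration.

```python
# Added example (not from the article): flag the behaviour attributed to
# Eurograbber-infected customers, i.e. on every login a transfer to a
# previously unseen payee is created and approved with the SMS code.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    account: str
    session_id: int                # constructed; increases over time per account
    transfer_to: Optional[str]     # payee of a transfer created in this session, if any
    sms_approved: bool             # whether that transfer was approved with an SMS code

def flag_accounts(sessions, min_consecutive=3):
    """Return the accounts where at least `min_consecutive` consecutive logins
    each created an SMS-approved transfer to a payee never used before on that
    account. A normal customer paying a known payee resets the run."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)
    flagged = set()
    for account, sess in by_account.items():
        sess.sort(key=lambda s: s.session_id)
        known_payees = set()
        run = 0
        for s in sess:
            new_payee = s.transfer_to is not None and s.transfer_to not in known_payees
            run = run + 1 if (new_payee and s.sms_approved) else 0
            if s.transfer_to is not None:
                known_payees.add(s.transfer_to)
            if run >= min_consecutive:
                flagged.add(account)
                break
    return flagged

# Constructed sample: account A shows the injected-transfer pattern, B is a
# normal customer who repeatedly pays the same payee.
SAMPLE = [
    Session("A", 1, "MULE-01", True),
    Session("A", 2, "MULE-02", True),
    Session("A", 3, "MULE-03", True),
    Session("B", 1, None, False),
    Session("B", 2, "LANDLORD", True),
    Session("B", 3, "LANDLORD", True),
    Session("B", 4, None, False),
]

if __name__ == "__main__":
    print(flag_accounts(SAMPLE))  # {'A'}
```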
While two-factor authentication remains a viable component of a defense-in-depth strategy, this exploit also points toward hard tokens, rather than soft tokens on smartphones, as the more secure option. Lacking Web browsers and similar avenues for reaching the device, hard tokens are more difficult to compromise. But costs are typically higher because of the need to produce and distribute the devices and to replace those that are lost or stolen.
Burkey also stresses the need for ongoing updates to operating systems and antivirus packages, as well as the adoption of other security technologies that can block the malware.
PUBLISHED DEC. 5, 2012