Marketwatch banking reporter Priya Anand explains how hackers were able to bypass online security setups at 34 banks across Switzerland, Sweden, Austria and Japan. Online security is a constant game of chess played by attackers and defenders. With each move one makes, the other makes a counter move.
The attack can get past two-factor authentication, which requires customers to type in a code sent to their cellphone or inbox to ensure the user is who he or she claims to be, by convincing customers to download a malicious smartphone app.
The growing problem of online banking malware, banks in some countries have moved to secure logging into online accounts by using two-factor authentication schemes that utilize “session tokens.”
The security firm has been monitoring a campaign which it has dubbed "Operation Emmental," because similar to the Swiss Emmental cheese, the security systems used by financial institutions can be full of holes.
The individuals behind this operation have been trying to gain access to the accounts of users in Switzerland, Austria, Japan and Sweden by obtaining the security tokens sent by banks to customers' mobile devices via SMS.
TrendLabs researcher David Sancho demonstrates how attackers have been able to come up with a complex yet effective way to attack the latest security countermeasures that protect online banking.
By leveraging the openness of the Android platform to install apps from third-party sides, attackers are able to marry traditional phishing attacks to get a user’s username and password with malicious mobile apps to get the session tokens sent to their mobile devices.
Research shows that these attacks are focused on users in Austria, Switzerland, Sweden, other European countries and Japan. And indications are that those behind the attacks are most likely based in a Russian-speaking country.
But while these attacks may be limited in scope now, they bode ill for the future. Online banking malware is a significant problem already.
This shows that even advanced security schemes are vulnerable now. This means that for online banking to be secure, it’s going to be on the industry to come up with a new countermove that meets this latest threat.
Advice to Online banking users install official mobile apps from official, trusted sources: Google Play and the Apple App Store. Additionally banks should move to support transaction authentication in addition user authentication.
Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter
