Online security is a constant game of chess played by attackers and defenders. With each move one makes, the other makes a counter move.
In response to the growing problem of online banking malware, banks in some countries have moved to secure logging into online accounts by using two-factor authentication schemes that utilize “session tokens.” These are one-time codes that are usually sent to users via their mobile devices. When a customer goes to their online bank, they enter their username, their password and the session token they’ve been provided.
With nearly 1M pieces of online banking malware in 2013, it’s no wonder that banks are taking these steps. And these increased countermeasures have helped: online banking malware is significantly less of an issue in the countries that use these more stringent countermeasures (like those in Europe) than in those that don’t (like the United States and Brazil).
Unfortunately though, the attackers have moved to counter this latest move. In our new report, Finding Holes: Operation Emmental, our researcher David Sancho demonstrates how attackers have come up with a complex yet effective way to attack the latest security countermeasures that protect online banking. By leveraging the openness of the Android platform to install apps from third-party sites, attackers are able to marry traditional phishing attacks, which capture a user’s username and password, with malicious mobile apps that capture the session tokens sent to the user’s mobile device.
Our research shows that these attacks are focused on users in Austria, Switzerland, Sweden, other European countries and Japan. And indications are that those behind the attacks are most likely based in a Russian-speaking country.
But while these attacks may be limited in scope now, they bode ill for the future. Online banking malware is a significant problem already. This shows that even advanced security schemes are vulnerable now. This means that for online banking to be secure, it’s going to be on the industry to come up with a new countermove that meets this latest threat.
Meanwhile, the lesson for banks and their customers is clear: only install official mobile apps from official, trusted sources: Google Play and the Apple App Store. Additionally, banks should move to support transaction authentication in addition to user authentication.
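The difference between the session-token scheme described above and the transaction authentication recommended here, as an added example that is not from the report or from any bank’s code: a minimal Python model of the bank side, where a one-time code is either a login-only session token or bound to the transfer details the customer saw on their phone. The key, customer id, account identifiers and clock value are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment keeps a per-customer key server-side.
SECRET = b"constructed-demo-key-not-for-production"
CODE_TTL = 120     # seconds a code remains valid (one time window)
_used = set()      # (customer, window, code) already consumed; blocks replays


def issue_code(customer, tx, now):
    """Mint the 6-digit code sent to the customer's phone. tx=None gives a
    login-only session token; with transfer details the code is bound to
    amount and beneficiary (transaction authentication)."""
    msg = f"{customer}|{int(now // CODE_TTL)}"
    if tx is not None:
        msg += f"|{tx['amount']}|{tx['to']}"
    digest = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def approve_transfer(customer, code, tx, mode, now):
    """mode='login': the code only proves a login, so any transfer passes.
    mode='transaction': the code must match the transfer the customer saw.
    Codes are single-use and expire with their time window in both modes."""
    bound = tx if mode == "transaction" else None
    if not hmac.compare_digest(issue_code(customer, bound, now), code):
        return False                       # wrong, tampered, or expired
    key = (customer, int(now // CODE_TTL), code)
    if key in _used:
        return False                       # replay of an intercepted code
    _used.add(key)
    return True


def demo():
    """Attacker holds the phished password and the intercepted SMS code."""
    t = 1_700_000_000.0                                   # fixed clock
    intended = {"amount": "50.00", "to": "ACCT-ALICE"}    # what the customer approved
    tampered = {"amount": "5000.00", "to": "ACCT-MULE"}   # what the malware submits
    c = "cust-42"
    login_code = issue_code(c, None, t)
    tx_code = issue_code(c, intended, t)
    return {
        "login_only_fraud": approve_transfer(c, login_code, tampered, "login", t),
        "bound_fraud": approve_transfer(c, tx_code, tampered, "transaction", t),
        "bound_genuine": approve_transfer(c, tx_code, intended, "transaction", t),
        "bound_replay": approve_transfer(c, tx_code, intended, "transaction", t),
        "bound_expired": approve_transfer(c, tx_code, intended, "transaction", t + 3 * CODE_TTL),
    }
```

With a login-only token the intercepted code authorises the tampered transfer; with a transaction-bound code the same interception only authorises the transfer the customer actually saw, once, within its time window.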
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.