How secure are SMS one-time passwords?
Security breaches like Emmental, Eurograbber and Sandroid on European and Middle Eastern banks show that the need for analytics and advanced authentication solutions is greater than ever before.
Online and mobile banking are a part of our day-to-day lives as they offer the freedom to bank anytime and anywhere. But if there’s money involved, scammers will unfortunately always follow.
If you are an online banking user, you might be familiar with receiving a one-time password (OTP) via SMS from your bank to your mobile phone every time you log in or transfer money from your online account.
You might also have been unlucky enough to have been a victim of the Eurograbber scam in Europe back in 2012, which has more recently made its way to the Middle East. Last April, the Krebs on Security blog was one of the first sources to mention the “Sandroid” botnet, which intercepted around 28,000 text messages of customers at major Middle East financial institutions.
Operation Emmental (referring to the Swiss cheese and all the security holes that might be found in online banking) is a more recent attack unveiled by researchers at Trend Micro in July 2014. The attack affected over 30 banks in Austria, Switzerland, Germany, Sweden and Japan where presumably millions were stolen from both consumer and commercial bank accounts. The attack demonstrated that hackers are upping their game and devising new advanced ways to defeat SMS OTPs.
All the scams mentioned here involve malware designed to attack customers while they are transacting using Internet banking. The most widespread malware is called ZitMo, otherwise known as ZeuS-in-the-Mobile, and has been around for a few years now.
In a ZitMo-style attack, a person logs into their online bank account from their PC, which has already been infected by the malware that the user has unknowingly downloaded. The PC malware is commonly downloaded by opening an attachment or a web link in an email that looks legitimate, or by visiting an infected website.
When the user is logged into the bank’s website, a message pops up to tell them that the bank has upgraded their mobile software to improve their online banking security and asks the user to provide their mobile number to download the upgrade.
Once the user provides their phone number, they receive an SMS with a download link that, when clicked, puts the malware on their phone. With the malware in place on both their PC as well as their mobile phone, the scammer can access the user’s account, automatically steal the OTP from the SMS, and authorize taking out all the money from the user’s online bank account. The user is unaware that the transaction took place as the malware deletes the SMS from the mobile phone once it extracts the OTP. Victims typically find out that something is wrong when they next check their bank account.
CA Technologies solution sales director for identity, access and fraud management Shirief Nosseir said the moral of the story is that OTPs via SMS are better than employing only a user ID and password, but are no longer secure enough for a banking transaction.
So what’s the solution? Other banks in countries such as the UK use hard tokens to generate a unique password for each login. But if the user does not have this token to hand, they can’t log in to their online account until they’ve secured one, which can be a hassle and make banking inconvenient for them.
In a competitive environment, banks can’t afford to lose customers if their online and mobile bank user experiences are ‘painful’. So how do they ensure their customers’ data is secure without inconveniencing them any further?
Many banks in Europe have opted to move to soft tokens when users complain. But Nosseir warns: “The Devil is in the detail. Not all soft tokens are created equal.” He adds that recent man-in-the-browser attacks have been designed to compromise simple tokens, whether hard or soft. Unless banks use multi-factor authentication technology that offers advanced security capabilities, banks will struggle to defend against the new generation of attacks. CA Strong Authentication, for example, offers a variety of features, such as exclusive out-of-band authentication, transaction signing (to get the user to confirm the actual transaction details before it’s completed), encrypted communications (including ensuring the uniqueness of every signed response), server domain checking, simplified user experience, CA-patented Cryptographic Camouflage (to prevent brute force attacks), amongst many others.
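The reason transaction signing defeats a ZitMo-style OTP theft is that the confirmation code is bound to the exact payee and amount (and to a single-use challenge), so a code captured for one transfer is useless for another. The following is an added illustration, not CA Strong Authentication's code; it assumes a secret shared between the bank and the user's token (a soft-token seed) and a hypothetical `TransactionSigner` on the bank side.

```python
import hashlib
import hmac
import secrets

# Added illustration of transaction signing (not CA's code): the confirmation code
# is an HMAC over the transaction details plus a single-use nonce, keyed with a
# secret shared between the bank and the user's token (assumed soft-token seed).


def derive_transaction_code(key: bytes, payee: str, amount_pence: int, nonce: str) -> str:
    """8-digit code bound to payee, amount and nonce (HOTP-style dynamic truncation)."""
    msg = f"{payee}|{amount_pence}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class TransactionSigner:
    """Bank side: one challenge per pending transfer, each verifiable at most once."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending: dict[str, tuple[str, int]] = {}

    def issue_challenge(self, payee: str, amount_pence: int) -> str:
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (payee, amount_pence)
        return nonce

    def verify(self, nonce: str, code: str) -> bool:
        details = self._pending.get(nonce)
        if details is None:
            return False  # unknown or already-used challenge: replays fail here
        payee, amount_pence = details
        expected = derive_transaction_code(self._key, payee, amount_pence, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # code was computed over different payee/amount/nonce
        del self._pending[nonce]  # single use
        return True


def user_approves(shared_key: bytes, payee: str, amount_pence: int, nonce: str) -> str:
    """Token side: the user is shown payee and amount, then the token signs them."""
    return derive_transaction_code(shared_key, payee, amount_pence, nonce)
```

A code the user approved for the transfer they were shown does not verify against a transfer whose payee or amount was swapped in the browser, and cannot be replayed once consumed.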
Either way – the ZitMo malware is out there, Nosseir says. “At present, anyone that wants to attack any system secured by OTP via SMS, including online banking, can readily buy the malware kit from the black market and easily get guidance on how to customize it for their target. The risk is there and it’s real.”
Nosseir adds that the more progressive banks are already utilizing a more intelligent approach to securing their online transactions. Depending on the perceived risk of the transaction, the bank, in real time, applies the appropriate security controls.
That’s where analytics come in to help identify the level of risk in a transaction. The well-rounded approach to security is one of four key trends that CA Technologies has identified for 2015. Rather than enforcing security on everyone in a static manner, organizations are increasingly shifting their security strategy to use analytics to determine potential vulnerabilities and out-of-pattern behaviors and take action accordingly. For example, if a user typically logs in during the day from London using Internet Explorer and does transactions below £2,000, CA Risk Authentication will be able to detect any changes in behavior. If the user one day logs in at 2am from Lagos, Nigeria using Google Chrome and tries to transfer £10,000, then this transaction gets a high risk score and the appropriate workflow will be triggered.
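To make the scoring idea concrete, here is an added example (not CA Risk Authentication's engine) that builds a baseline from a user's constructed session history and scores a new session by how far it departs from it; the weights, thresholds and `RiskProfile` class are illustrative assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Added example of behaviour-based risk scoring (not CA's engine).
# Weights and thresholds are illustrative assumptions, not a calibrated model.


@dataclass(frozen=True)
class Event:
    hour: int          # local hour of day, 0-23
    country: str       # ISO country code of the source IP
    browser: str
    amount_gbp: int    # transfer amount requested in this session


# Constructed history for the user in the text: daytime, London, IE, under £2,000.
HISTORY = [
    Event(9, "GB", "Internet Explorer", 250),
    Event(11, "GB", "Internet Explorer", 1800),
    Event(14, "GB", "Internet Explorer", 60),
    Event(16, "GB", "Internet Explorer", 1200),
]


class RiskProfile:
    """Baseline built from past sessions; scores a new session against it."""

    def __init__(self, history: list[Event]):
        self.countries = Counter(e.country for e in history)
        self.browsers = Counter(e.browser for e in history)
        self.hours = Counter(e.hour for e in history)
        self.max_amount = max(e.amount_gbp for e in history)

    def score(self, event: Event) -> tuple[int, list[str]]:
        score, reasons = 0, []
        if event.country not in self.countries:
            score += 40
            reasons.append(f"new country {event.country}")
        if event.browser not in self.browsers:
            score += 15
            reasons.append(f"new browser {event.browser}")
        if not any(abs(event.hour - h) <= 2 for h in self.hours):
            score += 20
            reasons.append(f"unusual hour {event.hour:02d}:00")
        if event.amount_gbp > 2 * self.max_amount:
            score += 25
            reasons.append(f"amount £{event.amount_gbp} far above previous max")
        elif event.amount_gbp > self.max_amount:
            score += 10
            reasons.append(f"amount £{event.amount_gbp} above previous max")
        return score, reasons


def decide(score: int) -> str:
    """Map a score to a workflow: allow, step-up (e.g. out-of-band confirmation), block."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "block"
```

The 2am Lagos/Chrome/£10,000 session accumulates every deviation and is blocked, while a daytime London session on a new browser stays below the step-up threshold.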
Any banks using SMS OTPs today should learn from the breaches mentioned above. With solutions like CA Advanced Authentication, companies can reduce the risk of improper access and fraud without burdening users. To learn more, register to download the eBook here.