Tag Archives: Transaction authentication number

Another Ratchet Up in the Phishing War

I must confess I’m not sure how it works, but it seems like an interesting, but potentially flawed, approach in the battle against phishing. German bank PostBank, IDG reports, has launched a new system to combat phishing, extending the existing German practice of using transaction numbers, or TANs:

Until now, Postbank customers transferring money from their account to another electronically have had to type in their PIN followed by a TAN from a list provided by the bank for each transaction. In Germany, most banks providing online services offer a similar PIN-TAN service.

Under Postbank’s new iTAN service, online customers are told by the computer which TAN to use, and only with this TAN can they complete a transaction at that very moment.

Alongside each five-digit TAN appears an index number, which the computer uses to point customers to the TAN they must use to activate the transaction.

The IDG piece doesn’t explain further how this works. I believe that banks in Europe that use transaction numbers either supply them as a printed list which customers select from when they do a transaction, or else they receive a transaction number via SMS for each transaction as it happens. The former approach has only limited safety, because phishers can and have been trying as part of their attacks to request not just PINs and passwords, but transaction numbers too. So although this is another layer of security, it remains as vulnerable to social engineering attacks as ordinary one-factor transactions.

So how are iTANs different? I’m guessing here, but it sounds as if the bank itself randomises the selection of TANs and then instructs the customer about which one to use (‘the second on the list’, I suppose, or perhaps ‘the one ending in X’). This certainly does make it harder for the phishers unless they already have the full list of TANs held by the customer.

If this is all correct, then expect the next round of phishing attacks in Germany to involve something like ‘we are sorry there has been a data error at our bank and we need to recall all your TANs. Please enter them into the form at this web page in the order they are listed on your sheet. We will then issue you a fresh list of TANs.’ And so the game continues.
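To make the difference concrete, here is a small model of the indexed-TAN flow as the IDG piece describes it. It is an added example, not Postbank’s code, and the sheet values, class and function names are all constructed for the illustration: the bank picks the index per transfer, each TAN is single-use, and an attacker holding only a few phished TANs succeeds only when the bank happens to ask for one of them.

```python
import secrets
import hmac


def make_tan_sheet(count=10):
    """Constructed stand-in for the printed sheet: index -> five-digit TAN."""
    return {i: f"{secrets.randbelow(100000):05d}" for i in range(1, count + 1)}


class ITanBank:
    """Indexed-TAN flow as the IDG piece describes it: for each transfer the
    bank, not the customer, picks which TAN index must be answered."""

    def __init__(self, sheet):
        self._sheet = dict(sheet)
        self._used = set()
        self._pending = {}  # transfer id -> index the customer must enter

    def start_transfer(self, transfer_id):
        unused = [i for i in self._sheet if i not in self._used]
        if not unused:
            raise RuntimeError("TAN sheet exhausted; issue a new sheet")
        idx = secrets.choice(unused)
        self._pending[transfer_id] = idx
        return idx  # displayed to the customer: "please enter TAN number idx"

    def complete_transfer(self, transfer_id, tan):
        idx = self._pending.pop(transfer_id, None)  # one attempt per challenge
        if idx is None:
            return False
        ok = hmac.compare_digest(self._sheet[idx], tan)
        if ok:
            self._used.add(idx)  # every TAN is single-use
        return ok


def attacker_attempt(bank, transfer_id, captured):
    """An attacker holding some phished TANs (index -> TAN) tries a transfer.
    It only succeeds when the bank's random index is one they hold, which is
    why the next lure will ask for the whole sheet."""
    idx = bank.start_transfer(transfer_id)
    return bank.complete_transfer(transfer_id, captured.get(idx, ""))
```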

Anti-Phishing Passwords

An obvious but effective technique against phishing, here: altering each password so it’s tied to the domain name of the site. Then, if you’re trying to sign in to a phishing fake site, the password won’t match and won’t work. Here’s the story from InformationWeek – Stanford Computer Scientists Unveil New Anti-Phishing Software:

A pair of Stanford University computer science professors unveiled today a new password scheme designed to thwart phishing at bank and other sites where a user’s identity and money are at risk. Dubbed PwdHash, the technique involves hashing the user’s password with the domain name of the site in a way that ensures that the target site is the real one, and not a site designed by phishers to capture user information.

Here’s the site itself.
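An added example of the idea in that story, written here and not taken from PwdHash itself (whose exact derivation and encoding differ): the browser keys an HMAC with the master password over the site’s domain and submits only the result, so a look-alike domain receives a different value. The two-label domain rule, host names and function names are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def registrable_domain(url):
    """Reduce a URL to the domain the password is bound to. Simplifying
    assumption for this example: the last two host labels; a real
    implementation needs a public-suffix list for names like co.uk."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master_password, url, length=16):
    """Derive the per-site password that actually gets submitted.
    HMAC keyed with the master password over the domain: a fake site
    receives a value that is useless anywhere else, and cannot recover
    the master password from it."""
    domain = registrable_domain(url)
    digest = hmac.new(master_password.encode(), domain.encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def phished_value_works_at(master_password, phish_url, real_url):
    """What a phisher captures on their page, checked against the real site."""
    return (site_password(master_password, phish_url)
            == site_password(master_password, real_url))
```

The protection holds only for a master password typed into the hashing extension; a password typed into an ordinary field on the fake page is still lost.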

A Honeypot To Catch A Phisher

Netcraft, the British Internet security consultancy, highlight a new Honeynet Report on Traffic to Phishing Sites, showing that despite months of intensive anti-fraud education efforts by the banking industry a lot of people still click on through to fraudulent phishing sites:

The study of phishing scams hosted on cracked web servers from The Honeynet Project documented two recent attacks that attracted hundreds of click-throughs from unknowing users. A UK site mimicking a major US bank received 256 visits in 4 days, while a compromised German server redirected 721 users in just 36 hours to a PayPal phishing site hosted in China.

The data from The Honeynet Project, which monitors activity on hacked computers, suggests that bank customers may exercise somewhat greater caution than PayPal users when presented with fraudulent electronic mails. Phishers’ behavior reinforces this assumption, as eBay and its PayPal subsidiary are far and away the most frequent targets in those attacks reported by the Netcraft Toolbar community. But the steady traffic to scam sites demonstrates that a significant number of bank customers are still being tricked by bogus e-mails.

Perhaps the most worrying part of all this, apart from people’s continued gullibility, is that phishing operations are becoming even more nimble in deploying scam infrastructure across networks of compromised servers, using automated attack tools and prepackaged spoof sites to speed their work. These include pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice … (and) propagated very quickly through established networks of port redirectors or botnets according to the report. The report also suggests that organised groups are behind the setting up of bogus sites and the distribution of phishing email.

As Netcraft concludes: The banking industry and online retailers have emphasized customer education in their response to phishing. But the persistent traffic to scam sites underscores the importance of additional proactive defensive measures to protect customers from their own bad habits and the technical innovations of phishing scams. I would agree: I don’t claim to know much of what banks are doing in this area, but I have a strong suspicion it’s not enough. It’s certainly not enough to assume that educating the user is going to stop the problem, or even a bit of it. Banks have got to invest big time in tracking these scams, stopping them before they start (if the Honeynet project can do it, why can’t the banks?).

Phishing Pushes Banking To Impose Transfer Limits

Internet banking takes another knock with news from AP that Germany’s biggest retail bank Postbank has imposed an online transaction limit.

Germany’s biggest retail bank, Postbank, said Monday it was imposing a €3,000 (US$3,860) limit on online transfers in an effort to protect customers against e-mail “phishing” scams.

The bank, which has 11.5 million depositors and is majority-owned by postal company Deutsche Post, said the move was meant as a precautionary measure and none of its clients had suffered harm from the high-tech form of identity theft.

Postbank said the limit, which will not apply to standing orders, was a response to the “heightened security needs of customers” and should make online fraud less attractive.

I don’t think Postbank is the first to do this, but it’s probably the first to draw a direct line to the fact that customers are now more at risk than they’ve ever been. Most banks, I suspect, introduce these measures without really announcing them to the public.

I don’t, for the record, think this is the best way of tackling the problem. All this means is that accounts can’t be emptied in one go — in most cases this wouldn’t have been possible anyway, because of other limits on bank transfers. But what I think will happen is that phishers will concentrate on accessing accounts surreptitiously and maintain their access to those accounts without the knowledge of the users, setting up standing orders themselves that gradually empty accounts.

Of course, some customers will notice this kind of thing, but we’re likely to see phishing combine with more sophisticated efforts — such as those illustrated by Fabrice Marie in March — to gain access to accounts for more complex purposes than merely emptying them.

What I would like to see is some sort of dual- or triple-layered authorisation process for any kind of transaction or alteration of settings/standing orders/notification within accounts. Before making any such transaction or configuration change, the user would be required to enter data from a separate device, or else confirm via email or SMS or phone before the change/transfer was made. I think we have to stop assuming that entry/logging in is the main security fence. Phishers, scammers and social engineers have shown that is not the real issue. There are other ways to get in, so the security has to be at the transactional level, however much it upsets the user.

Bottom line: Don’t remove services from online banking to deter fraud because all you do is undermine its usefulness, and likely dissuade users from using it. Better to add multiple layers of security that may inconvenience the user but which help them to feel safer. In the end, they’ll still figure it saves them going to the bank, or spending hours diving through voice-driven menu options via phone-banking.

Phishy Behaviour Down Under

I don’t really need to introduce this piece from Sam Varghese of the Sydney Morning Herald. It touches on a theme I’ve harped on before: How banks still don’t understand phishing and how it has changed consumer attitudes, and how it must change the way banks approach the Internet.

Phishy behaviour or harmless spin points to emails sent out by Westpac banks, which contain “four links, none of which goes to a secure link, nor to the main Westpac site.

Asked why the bank still sent emails despite the prevalence of online scams, a Westpac spokesman said the bank thought it was a ‘good idea’.”

Phishing Your Yahoo! Account

More evidence that phishers are widening their net. Munir Kotadia of ZDNet Australia reports that Yahoo’s free instant-messaging (IM) service is being targeted by phishers in an attempt to steal usernames, passwords and other personal information.

Yahoo confirmed on Thursday its service was being targeted by a phishing scam. According to the search giant, attackers are sending members a message containing a link to a fake Web site that looks like an official Yahoo site and asks the user to log in by entering their Yahoo ID and password.

The scam is convincing because the original message seems to arrive from someone on the victim’s friends list. Should the recipient of the phishing message enter their details, the attackers can gain access to any personal information stored in their profile and more importantly, the victim’s contact lists.

The bigger point about this is that any kind of password may be enough for the phisher. With Yahoo! the successful phisher may be able to get quite a lot of personal data for a future social engineering attack, and may even be able to access payment details such as addresses from within the profile. A phisher could also access the user’s PayPal account, redirect shipments, learn about the user’s investments, impersonate the user in auctions, and so on. I’m not sure whether the phisher could access credit card details, but it’s feasible, I guess.

The Phishing War Escalates

The guys at Netcraft, a British security consultancy that has done a good job of tracking, exploring and warning about phishing, say they’ve come across the first case of cross site scripting being used in the wild for phishing purposes. This isn’t as arcane as it sounds, since it allows phishers to make their lure appear to even the wariest eye to be from a legitimate source — your bank.

Usually the weak link in a phishing email is the link itself. However much they disguise it phishers can’t get away from the fact that they are trying to lure the victim to a site that is not the bank or other institution they’re pretending it is. Cross site scripting lets them do so.

This is done by phishers exploiting a vulnerability to ‘inject’ their own code into the legitimate website. It’s this code that the link will appear to go to in the phishing email — and so will begin with a legitimate bank URL — www.citibank.com, or whatever. The URL will then, without the victim’s knowledge, load some JavaScript from somewhere else to redirect the user to another site. This is what some fraudsters have done with a SunTrust bank phish, which Netcraft says was sent in large numbers in recent days. Netcraft says SunTrust has so far failed to reply to their emails:

Careless application errors and inadequate testing are believed to be an industry wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank’s own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.

If true (and I’ve no reason to doubt it; Netcraft know what they’re doing) this is a pretty sad state of affairs. I have two main concerns: Firstly that banks still don’t seem to understand what they’re dealing with, and don’t respect security companies enough to keep up a dialogue with them so these problems are nipped quickly in the bud, and secondly, I suspect these kinds of attacks render most ‘anti-phishing tools’ useless. This is not only annoying, but dangerous.

Something I’ve noticed in recent months is a shift on the part of anti-virus manufacturers to push out software that will protect the user from phishing attacks. This is just bad marketing, and foolish. Nothing can protect the individual from phishing attacks better than their own wariness and savvy. To suggest tools can will just give people a false sense of security. Examples like this SunTrust case prove the point, which I’ve banged on about for nearly a year now, that phishing is a war of escalating technology and that pushing out some feeble toolbar and suggesting it will protect the user from all such attacks is irresponsible, and thoroughly underestimates the scale of the problem and the kind of adversary we face.
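The SunTrust case shows why a check that only looks at the link’s host passes these lures. The following is an added example, not code from Netcraft or from the blog, of a gateway-side triage that also inspects what a link on a trusted host carries in its query string; the trusted host list, the sample links and the function names are constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed values for this example; a real deployment takes the bank's
# own host list.
TRUSTED_HOSTS = {"www.bank.example", "online.bank.example"}
SCRIPT_MARKERS = re.compile(
    r"<script|javascript:|on(load|error)=|(document|window)\.location", re.I)
ABSOLUTE_URL = re.compile(r"https?://([^/?#\s]+)", re.I)


def triage_link(url):
    """Classify one link from a mail. Returns (verdict, detail).

    A host outside the trusted set is the classic phish. A trusted host
    whose query string carries script or another site's URL is the
    pattern above: the link really does point at the bank, but the
    parameters make the bank's page load or jump somewhere else."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return "untrusted-host", host
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; undo double encoding
        if SCRIPT_MARKERS.search(decoded):
            return "reflected-script", key
        m = ABSOLUTE_URL.search(decoded)
        if m and m.group(1).lower() not in TRUSTED_HOSTS:
            return "external-redirect", m.group(1).lower()
    return "clean", host


def triage_all(urls):
    """Run the check over every link extracted from one message and keep
    only the ones that need a human's attention."""
    findings = {u: triage_link(u) for u in urls}
    return {u: v for u, v in findings.items() if v[0] != "clean"}
```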

Phishing And The Future Of Banking

Could phishing kill off online banking?
 
Probably not, but it’s likely to force greater regulation by central banks and others which will, reckon British-based Internet security consultants mi2g, mean “the next generation of electronic banking may have to rely on deeper layers of authentication that couple passwords with biometric security and smart card authentication.”
 
Mi2g estimate there have been 110 unique incidents of phishing — identity theft by faked emails and/or keyboard-logging viruses — in less than a year. Here’s an abbreviated list:
  • USA (7 banks; 82 incidents)
  • UK (6 banks; 8 incidents)
  • Australia & New Zealand (5 banks; 16 incidents)
  • Canada (2 banks; 2 incidents)
  • Spain (1 bank; 1 incident)
  • Hong Kong and Singapore (1 bank; 1 incident)
  • Latvia (1 bank; 1 incident)

I have to say I think that’s an underestimate. And it’s not quite clear from mi2g’s release as to whether these are successful attempts, or just attempts. Given banks’ reluctance to admit to breaches, I’d guess it’s the latter. And mi2g point out that it’s not just banks that have been attacked: everything from the Federal Bureau of Investigation (FBI) to eCommerce/information portals and their associated payment systems has been hit. Mi2g counts 90 unique attacks on eBay.

Mi2g say such attacks are getting more, rather than less, successful: “Phishing scams’ success rate has risen from 0.1% on average to 0.5% in the last six months as the techniques have become more sophisticated,” it says. This would mean thousands of victims and big headaches for banks: “In some instances the genuine web site has to be made inoperable for several hours or even days whilst the targeted bank investigates the extent of the financial fraud and related losses,” says mi2g.
 
Claims by mi2g have not always been taken seriously, particularly their estimates of damage. In this case, mi2g reckon that “worldwide economic damage for 2003 from phishing scams is estimated to have been between US $13.5 billion and $16.4 billion… The damage for 2004 has already crossed $8.9 billion in the first two months of the year.” I know they have some sort of formula for this, but as others have pointed out, these estimates seem to be more designed for grabbing headlines than serious analysis.

That said, phishing is a problem, and I would agree that online banking is going to have to add layers of security to avoid more breaches. But will customers accept that? If online banking gets too fiddly, will folk just give up? Or switch to something else?