In the article "Real-Time Hackers Foil Two-Factor Security", Robert Lemos, a science and technology journalist, sheds light on a serious security issue. The article points out how sophisticated cybercriminals are becoming; a new term, crimeware, has been coined for the tools they use.
Crimeware
Crimeware is a class of automated malware designed to steal money, as explained by Wikipedia:
"Crimeware (as distinct from spyware, adware, and malware) is designed (through social engineering or technical stealth) to perpetrate identity theft in order to access a computer user's on-line accounts at financial companies and on-line retailers for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the thief controlling the crimeware."
Half a million dollars
I would like to step through the events that led to 447,000 dollars being stolen from Ferma, a California construction company. To avoid confusion, I first want to mention that after the crime, forensic analysis determined that a computer used by Ferma was infected with undisclosed crimeware. Apparently, the infection occurred when visiting a certain Web site. Here's what happened after the infection:
- A Ferma employee logs into the bank's on-line financial Web portal.
- The portal requests a second authentication factor in the form of a 6-digit, one-use number.
- Once authentication is confirmed, the employee begins making legitimate payments.
- At the same time, the crimeware program, using the now-authenticated session, initiates 27 fund transfers totaling 447,000 dollars to various bank accounts.
It appears the crimeware in this case was not detected. I do not doubt that, especially if the malcode is sophisticated enough to determine that the account has a draw limit of 447,000 dollars and automatically make transactions up to that amount.
Multi-factor authentication
Some are reporting that this is a failure of multi-factor authentication. I don't see that. Having multi-factor authentication in place forced the cybercriminals to go to extraordinary lengths to gain account access. Therein lies the problem: once again the bad guys have figured out a work-around.
Solutions
Experts are coming up with various solutions to beef up the current system. Here are some examples:
- Set up a dedicated terminal that is only used to access the banking Web portal.
- Confirm each transaction with a one-time password from the same device used to log in to the banking Web portal.
- Make the user enter a reCAPTCHA for every transfer that leaves the bank.
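To make concrete why the 6-digit login code in the Ferma walkthrough did not stop the transfers, and what the second proposal above (a one-time password per transaction) has to bind to in order to help, here is an added simulation. It is not the bank's, Ferma's or the article's code, and everything in it is constructed for illustration: the token seed, the account names, the 12,000-dollar legitimate payment, the 17,000-dollar transfer size, and the toy Bank class. The login code is an HOTP-style counter code; the per-transaction code is an HMAC over the destination and amount, which is what a token that shows you "destination / amount" before producing a code is doing.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed figures: the draw limit comes from the article's scenario,
# the legitimate payment size is an assumption for the simulation.
DRAW_LIMIT = 447_000
LEGIT_PAYMENT = 12_000


def login_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style one-use code: the kind of 6-digit second factor the portal asked for."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def transaction_code(secret: bytes, dest: str, amount: int, digits: int = 6) -> str:
    """Confirmation code bound to the transaction itself (destination and amount).
    Produced on a device the malware cannot reach, after that device shows dest/amount."""
    digest = hmac.new(secret, f"{dest}:{amount}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**digits:0{digits}d}"


class Bank:
    """Toy portal. With bind_transactions=False the one-use code only gates login,
    which is the model the incident walkthrough fits."""

    def __init__(self, secret: bytes, balance: int, bind_transactions: bool):
        self.secret = secret
        self.balance = balance
        self.bind = bind_transactions
        self.counter = 0          # next expected HOTP counter
        self.sessions = set()
        self.ledger = []          # (dest, amount) of completed transfers

    def login(self, otp: str) -> Optional[str]:
        if not hmac.compare_digest(otp, login_otp(self.secret, self.counter)):
            return None
        self.counter += 1         # the code is one-use
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid

    def transfer(self, sid: str, dest: str, amount: int, code: Optional[str] = None) -> bool:
        if sid not in self.sessions or amount <= 0 or amount > self.balance:
            return False
        if self.bind:
            expected = transaction_code(self.secret, dest, amount)
            if code is None or not hmac.compare_digest(code, expected):
                return False      # code was not produced for this dest/amount
        self.balance -= amount
        self.ledger.append((dest, amount))
        return True


def simulate(bind_transactions: bool) -> dict:
    """Replay the incident against a login-gated bank and a transaction-bound one."""
    secret = b"constructed-token-seed"   # assumed shared seed between token and bank
    bank = Bank(secret, DRAW_LIMIT + LEGIT_PAYMENT, bind_transactions)

    # 1. Employee logs in with the token's code; the crimeware on the PC now has the session.
    sid = bank.login(login_otp(secret, 0))
    assert sid is not None

    # 2. Employee's genuine payment. With binding, the token shows "VENDOR-1 / 12000"
    #    and the employee types the code it produces; a keylogger captures that code.
    seen_code = transaction_code(secret, "VENDOR-1", LEGIT_PAYMENT)
    legit_ok = bank.transfer(sid, "VENDOR-1", LEGIT_PAYMENT, seen_code)

    # 3. Crimeware rides the same session: 27 transfers to mule accounts, replaying the
    #    captured code. Without binding, nothing stops it until the draw limit is reached.
    injected = 0
    for i in range(27):
        amount = min(17_000, bank.balance)
        if bank.transfer(sid, f"MULE-{i:02d}", amount, seen_code):
            injected += 1

    stolen = sum(a for d, a in bank.ledger if d.startswith("MULE-"))
    return {"legit_ok": legit_ok, "injected": injected, "stolen": stolen}


if __name__ == "__main__":
    for bind in (False, True):
        print("transaction-bound codes:", bind, simulate(bind))
```

In the login-gated run the 27 injected transfers all succeed and drain exactly the 447,000-dollar limit; in the transaction-bound run the employee's own payment still goes through, but every injected transfer is rejected because the captured code was computed over "VENDOR-1:12000", not over the mule account. The caveat a practitioner should notice is in the second proposal's wording: if the code is displayed and entered on the same infected machine, the malware can show the user one transaction while submitting another, and the code will match whatever the malware chose. The binding only helps when the destination and amount are shown on the out-of-band device that produces the code.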
The above solutions and others that I have seen are missing the point. The computer was exploited, most likely through some known vulnerability. Without that, the crime could not have happened. We are back to the same old problem, trying to stay ahead of the bad guys. Well, maybe more like trying to catch up to them.
My solution
For on-line credit transactions I use a credit card that offers a one-time number for each purchase. Still, not knowing how capable this new crimeware is, my approach could be problematic.
My bank does not use true multi-factor authentication. The bank considers security questions to be a second factor, but they are not. I'm also asked to approve the transactions, but not with a one-time password. So my authentication process is less secure than Ferma's bank.
I plan on using a LiveCD from now on when I am doing any kind of on-line banking or retail transaction. That way, I know the operating system is not compromised. It's going to be a pain, but I do not see any other recourse at this time.
Final thoughts
It comes down to trusting the computer to be free of malware. I'm not willing to take that chance. If you have a better solution, I would love to learn about it.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.