Other issues in this category (7)
Tuesday, June 21, 2016
Today, banks and other organisations that provide services online use two-factor authentication (2FA) to improve security.
Authentication is the process of verifying the identity of a person trying to use an online service.
When using two-factor authentication, users need more than a login and a password (it’s assumed that only you know it, but often that’s not the case). Something else is needed, something that only a legitimate user would have, for example, the mobile phone number associated with their account.
One-time passwords sent with SMS to the phone number associated with a bank account are used in two-factor authentication. It is believed that this ensures transaction security and protects users from cybercriminal activity.
However, this hasn't been the case for a long time! Cybercriminals learnt how to circumvent this security measure.
A possible scenario for bypassing one-time password protection
- A banking Trojan infects a machine. It can inject arbitrary content into loaded web pages.
- When a user goes to a bank's site or opens a remote banking page, the Trojan replaces the page's contents. Now the user is notified that in order to continue using remote banking, they need to install a special banking application onto their smart phone. The site’s look and feel as well as its URL in the address bar will remain the same and won't rouse any suspicions.
- The user installs the downloaded application, which in fact is a banking Trojan for mobile devices.
- The Trojan intercepts short messages containing passwords from a remote banking system and relays them to criminals, while the Trojan on the PC uses the passwords to steal money from the account.
The Anti-virus Times recommends
Indeed, two-factor authentication involving one-time passwords significantly improves remote banking security. However, how safely it is used depends entirely on users and not on the companies that have adopted 2FA. So, if you value your money and information:
- To receive SMS confirmations, use a different phone (not a smartphone) on which no applications of this kind can be installed.
- Do not visit suspicious sites from which a Trojan can stealthily sneak into your system—to avoid them, follow Dr.Web SpIDer Gate's recommendations; do not disable this web anti-virus. You are not a security expert and won't be able to tell for sure whether a site is malicious.
- Do not open URLs found in suspicious short messages or emails, and, of course, do use the Dr.Web anti-spam which filters out such messages.
- If you download a crack patch or an illegal copy of an application (after disabling the anti-virus because it was blocking the file you needed), be aware that at this point you are entering a high-risk zone and you will only have yourself to blame for whatever goes wrong. Dr.Web logs whenever you disable protection, so an expert examination will be able to use the time of infection to prove that the anti-virus is not to blame for the fact that you lost money. If you decide to sue your bank, it will use Dr.Web log information as a defence argument because customers are required to use (and never disable) an anti-virus on any device used in remote banking.