Blog devoted to the study of Information Security - Privacy - Computer Security - IT Auditing.
(A compilation of the main news, events, security policies, good-practice guides, norms, standards, tools, and more)
Monday, March 5, 2012
New "Man in the Browser" Attack Bypasses Banks’ Two-Factor Authentication Systems
The banking industry often employs two-step security measures—similar
to Google Authenticator—as an added layer of protection against
password theft and fraud. Unfortunately, those systems have just been
rendered moot by a highly advanced hack.
The attack, known as the Man in the Browser method, works like this.
Malicious code is first introduced onto the victim's computer, where it
resides in the web browser. It lies dormant until the victim visits a
specific website—in this case, his bank's secure website. Once the user
attempts to log in, the malware activates and runs between the victim
and the actual website. Often the malware will request that the victim
enter his password or other security pass code into an unauthorized field, in
order to "train a new security system." Once that happens, the attacker
has full access to the account.
Luckily, the method is only a single-shot attack. That is, the
attacker is only able to infiltrate the site once with the user-supplied
pass code. But, once in, the attacker can hide records of money
transfers, spoof balances and change payment details. "The man in the
browser attack is a very focused, very specific, advanced threat,
specifically focused against banking," Daniel Brett, of malware testing
lab S21sec, told the BBC.
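The "single-shot" point above is the crux of the defense: a one-time code that proves only "I hold the token" can be captured once by malware sitting in the browser and spent on a transfer the user never saw, whereas a code that is bound to the payee and amount the user confirmed on a trusted display is useless once the malware alters those details. The following is an added Python illustration, not code from the article, the BBC, or S21sec; the bank server, the HOTP-style counter, the transaction-binding message format, the secret and the account names are all constructed for the demo.

```python
"""Constructed demo: a generic one-time code versus a transaction-bound code
when Man-in-the-Browser malware rewrites a transfer in transit."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code using the RFC 4226 HOTP construction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def transaction_code(secret: bytes, counter: int, payee: str,
                     amount_cents: int, digits: int = 6) -> str:
    """Code bound to the transfer details the user confirmed on a trusted
    device (assumed message format: counter || payee || 0x00 || amount)."""
    msg = (struct.pack(">Q", counter) + payee.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class BankServer:
    """Minimal constructed verifier: one shared secret, one moving counter."""

    def __init__(self, secret: bytes, transaction_bound: bool):
        self.secret = secret
        self.counter = 0
        self.transaction_bound = transaction_bound
        self.ledger = []  # accepted (payee, amount_cents) transfers

    def submit_transfer(self, payee: str, amount_cents: int, code: str) -> bool:
        if self.transaction_bound:
            expected = transaction_code(self.secret, self.counter, payee, amount_cents)
        else:
            expected = hotp(self.secret, self.counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.counter += 1  # each code is usable exactly once ("single-shot")
        self.ledger.append((payee, amount_cents))
        return True


def simulate_mitb(transaction_bound: bool) -> dict:
    """The user intends to pay 'utility-co' 50.00; browser-resident malware
    swaps the payee and amount before the request reaches the bank."""
    secret = b"constructed-demo-seed"  # constructed, not a real key
    bank = BankServer(secret, transaction_bound)
    user_payee, user_amount = "utility-co", 5000
    # The user's token computes a code for what the user actually saw.
    if transaction_bound:
        code = transaction_code(secret, bank.counter, user_payee, user_amount)
    else:
        code = hotp(secret, bank.counter)
    # Malware forwards the captured code with altered transfer details.
    altered_accepted = bank.submit_transfer("mule-account", 999900, code)
    # A second use of the same code is refused either way (counter moved or mismatch).
    replay_accepted = bank.submit_transfer("mule-account", 999900, code)
    # Only with transaction binding does the user's real transfer still go through.
    legit_accepted = bank.submit_transfer(user_payee, user_amount, code)
    return {
        "altered_accepted": altered_accepted,
        "replay_accepted": replay_accepted,
        "legit_accepted": legit_accepted,
        "ledger": bank.ledger,
    }


if __name__ == "__main__":
    print("generic OTP:", simulate_mitb(transaction_bound=False))
    print("bound code: ", simulate_mitb(transaction_bound=True))
```

With the generic code the altered transfer is accepted and the user's own transfer is then refused, because the single-shot code was already spent; with the bound code the altered transfer fails verification, the counter never advances, and the transfer the user confirmed is the only one that lands in the ledger. The binding only helps if the payee and amount are shown and confirmed on something the malware cannot rewrite, such as a separate hardware token or a phone message that repeats the details.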
Since this attack has shown that the two-factor system is no longer a
viable defense, the banking industry may have to adopt more advanced
fraud-detection methods similar to those that secure credit cards. When
compared to having your account silently drained, standing in line for
the teller suddenly doesn't seem like that much of a hassle. [BBC News via Technology Review]