Abstract
Cyber-criminals have profited from on-line banking (OB) despite the extensive research on financial cyber-security. To be better prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that automation is starting to take place. To demonstrate the feasibility of our predictions and to prove that many two-factor authentication schemes can be bypassed, we developed three browser rootkits which perform the automated attack on the client's computer. Also, in some banks' attempts to be regarded as user-friendly, security has been downgraded, making them vulnerable to exploitation.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Adham, M., Azodi, A., Desmedt, Y., Karaolis, I. (2013). How to Attack Two-Factor Authentication Internet Banking. In: Sadeghi, A.-R. (ed.) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7859. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39884-1_27
DOI: https://doi.org/10.1007/978-3-642-39884-1_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39883-4
Online ISBN: 978-3-642-39884-1
eBook Packages: Computer Science (R0)