
How to Attack Two-Factor Authentication Internet Banking

Conference paper
Financial Cryptography and Data Security (FC 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7859)

Abstract

Cyber-criminals have benefited from on-line banking (OB), despite the extensive research on financial cyber-security. To be better prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that automation is starting to take place. To demonstrate the feasibility of our predictions and to show that many two-factor authentication schemes can be bypassed, we developed three browser rootkits which perform the automated attack on the client’s computer. Also, in some banks’ attempts to be regarded as user-friendly, security has been downgraded, making them vulnerable to exploitation.



© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Adham, M., Azodi, A., Desmedt, Y., Karaolis, I. (2013). How to Attack Two-Factor Authentication Internet Banking. In: Sadeghi, AR. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7859. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39884-1_27


  • DOI: https://doi.org/10.1007/978-3-642-39884-1_27

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39883-4

  • Online ISBN: 978-3-642-39884-1

  • eBook Packages: Computer Science (R0)