Via ZDNet: Two-factor bank authentication proven vulnerable
Two-factor authentication systems using SMS messages can be exploited by criminals to steal money, according to security experts who demonstrated an attack in Sydney on Thursday.

Australian security firms TrustDefender and Dragonfly Technologies, who specialise in endpoint security and two-factor authentication respectively, broke the security of a Commonwealth Bank account using a specially crafted piece of malware.
The demonstration showed how malware could be used not only to capture the login credentials of an online banking customer but also how, once the user’s system was infected with a trojan, an attacker could exploit weaknesses in the mobile phone-based authentication system to clean out a victim’s account.
I’m not familiar with the specifics of CBA’s system, but are their SMS codes used on a transactional basis? If not, this would make it easier for a trojan to make its own transactions using the victim’s logged-in session, of course. This type of attack has been around since 2004 at least, most famously in the E-Gold / Grams trojan.
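To make the distinction in that question concrete, here is a small added example (my own constructed code, not anything from the ZDNet article, CBA, or the firms named) contrasting a login-bound SMS code with one bound to the transaction details. The per-customer secret, session id, HMAC derivation and the 6-digit truncation are all assumptions for the illustration; the point is that a code the customer approved for one payee and amount should fail to verify if the submitted transaction differs.

```python
import hashlib
import hmac


def derive_code(secret: bytes, context: bytes, digits: int = 6) -> str:
    """Derive a short numeric code from an HMAC over a context string (assumed scheme)."""
    mac = hmac.new(secret, context, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def session_code(secret: bytes, session_id: bytes) -> str:
    # Login-bound: the code proves the phone was present at login, nothing more.
    return derive_code(secret, b"login:" + session_id)


def transaction_code(secret: bytes, session_id: bytes, payee: str, amount_cents: int) -> str:
    # Transaction-bound: payee and amount are part of the derivation context.
    ctx = b"txn:" + session_id + b"|" + payee.encode() + b"|" + str(amount_cents).encode()
    return derive_code(secret, ctx)


def sms_text(payee: str, amount_cents: int, code: str) -> str:
    # What the customer reads; a discrepancy here is their cue not to type the code.
    return f"Confirm payment of ${amount_cents / 100:.2f} to {payee}. Code: {code}"


def verify_session_bound(secret: bytes, session_id: bytes, submitted: str) -> bool:
    # Any transaction in the session is accepted once this code has been seen.
    return hmac.compare_digest(session_code(secret, session_id), submitted)


def verify_transaction_bound(secret: bytes, session_id: bytes, submitted: str,
                             payee: str, amount_cents: int) -> bool:
    # Recomputed server-side from the transaction actually being submitted.
    expected = transaction_code(secret, session_id, payee, amount_cents)
    return hmac.compare_digest(expected, submitted)


def simulate(secret: bytes, session_id: bytes, approved: tuple, submitted: tuple) -> dict:
    """approved/submitted are (payee, amount_cents). The customer types the code
    the bank sent for the transaction they approved; the server verifies it
    against the transaction that actually arrives (which a trojan could alter)."""
    typed_session = session_code(secret, session_id)
    typed_txn = transaction_code(secret, session_id, *approved)
    return {
        "session_bound": verify_session_bound(secret, session_id, typed_session),
        "transaction_bound": verify_transaction_bound(secret, session_id, typed_txn, *submitted),
    }
```

With a constructed secret and session, an unchanged transaction passes both checks, while a transaction whose payee or amount was altered after the customer approved it still passes the login-bound check but fails the transaction-bound one.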