Where Strong Authentication Fails and What You Can Do About It
Fraudsters have been raiding user accounts by beating strong two-factor authentication methods. A layered fraud prevention approach can mitigate these attacks.
Fraudsters are beating strong two-factor authentication and are proving that any authentication method that relies on browser communications can be defeated. A layered fraud prevention approach can thwart these attacks.
Key Findings
• Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication based on one-time password (OTP) tokens. Other strong authentication methods, such as chip cards and biometrics, can be defeated the same way whenever they rely on browser communications.
• Fraudsters have been raiding user bank accounts that seemingly were protected by strong two-factor authentication, but any sensitive Web application is similarly vulnerable.
• In some cases, the malware copies the user's ID, password and OTP, and immediately uses them. Other times, the malware overwrites user transactions with the crook's transactions, unbeknownst to the user or service provider, e.g., the online bank.
• Out-of-band authentication using voice telephony is also being circumvented by fraudsters using call forwarding so that the fraudster, rather than the legitimate user, is called by the service provider performing the authentication.
Recommendations
• Recognize that any authentication method that communicates through a browser can be defeated if the browser can be attacked and compromised, so make sure you deploy additional security measures.
• Use server-based fraud detection to monitor transactions for suspicious behavior.
• Use out-of-band transaction verification to verify user transaction requests, and execute only the specific transaction verified or signed by the requesting user.
• Use out-of-band communication protocols that can prevent calls from being forwarded to numbers that are not registered to a specific user account.
What You Need to Know
Criminals are successfully launching man-in-the-browser attacks that circumvent strong two-factor authentication and any other authentication method that communicates through the user's browser. The fraudsters are also successfully having telecommunication carriers forward the phone calls used to authenticate users and/or transactions to the fraudster's phone instead of the legitimate user's phone. These attacks were successfully and repeatedly executed against many banks and their customers across the globe in 2009. While bank accounts are the main immediate targets, these attack methods will migrate within the next three years to other sectors and applications that hold sensitive and valuable information.
A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats.
Analysis
In the past several months, Gartner has spoken with many banks around the world whose OTP-token-based authentication systems have been compromised by man-in-the-browser attacks on customer PCs. In addition, banks that rely on voice telephony for user transaction verification have seen those systems and processes compromised by thieves who persuade telecom carriers to forward the legitimate user's phone calls to the thief's cell phone. These targeted attacks have resulted in theft of money and/or information where the bank had no other defenses sufficient to prevent unauthorized access to its applications and customer accounts.
Gartner clients who have fended off these attacks have done so with either automated fraud detection or manual review of high-risk transactions. In addition, enterprises that rely on telephone-based user authentication and transaction verification are considering, where possible, stopping a phone call from going to the user if the carrier is forwarding the user's calls and texts to another phone number (see Note 1). These attacks have typically been launched against banks and their customers; however, in the future, they will certainly be used to attack other types of valuable assets and organizations.
How Do These Attacks Work?
• Malware sits inside a user's browser and waits for the user to log into a bank. During login, the malware copies the user's ID, password and OTP, sends them to the attacker and stops the browser from sending the login request to the bank's website, telling the user that the service is "temporarily unavailable." The fraudster immediately uses the user ID, password and OTP to log in and drain the user's accounts.
• Other malware overwrites the transactions a user sends to the online banking website with the criminal's own transactions. The overwrite happens behind the scenes, so the user does not see the revised values. Many online banks then send the transaction details back to the user's browser to be confirmed with an OTP entry, but the malware changes the values displayed to the user back to what the user originally entered. Because the OTP is not bound to the transaction details, it confirms the criminal's transaction just as readily as the user's, and neither the user nor the bank realizes that the data sent to the bank has been altered.
• Out-of-band authentication using voice telephony is circumvented by a simple technique: the fraudster asks the phone carrier to forward the legitimate user's calls to the fraudster's phone. The fraudster tells the carrier that the original phone number is having difficulty and needs its calls forwarded, and the carrier does not sufficiently verify the requestor's identity before executing the request.
Which Proven Measures Can Prevent These Attacks From Succeeding?
More than one of the following measures can and should be used to achieve optimal fraud prevention results.
Fraud Detection That Monitors User Access Behavior
This fraud detection method captures and analyzes all of the user's Web application traffic (assuming the targeted application is Web-based), including login, navigation and transactions, and can spot abnormal access patterns indicating that an automated program, rather than a human being, is accessing the application. This method worked well at one European bank where customers must use two event-based OTPs, one for login and one to execute a money transfer, generated by a dedicated token. Trojans in customer browsers stole two or three OTPs before the user noticed that the browser had been frozen by the Trojan. The criminal then started transacting in the user's account, causing a major difference in the online banking application's normal response time. The bank found that, once inside the account, the Trojans generated transactions much faster than a legitimate human user does. For example, it takes a normal human user 10 to 20 seconds to enter a money transfer amount and press "okay" to confirm it, but the Trojan entered the same type of data and confirmation in under 1 second.
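An added example, not from the original note, of the timing check described above: it groups constructed application events by session and flags sessions that complete the enter-amount-to-confirm step faster than a person plausibly can. The event fields, the 5-second floor for a human to fill in a transfer form and the two-hit minimum are assumptions chosen for illustration.

```python
"""Timing-based detection of scripted (Trojan-driven) online banking sessions.

Added example, not part of the original research note. The event log, the
field layout (session, timestamp, action), the 5-second floor and the
two-hit minimum are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of per-session application events. Session s-0002 mimics
# the Trojan in the text: amount entered and confirmed within a second, three
# times in a row, where a person needs 10-20 seconds per transfer.
SAMPLE_EVENTS = [
    ("s-0001", "2009-11-03T09:15:02", "login"),
    ("s-0001", "2009-11-03T09:15:40", "transfer_form"),
    ("s-0001", "2009-11-03T09:15:55", "transfer_confirm"),
    ("s-0001", "2009-11-03T09:17:10", "transfer_form"),
    ("s-0001", "2009-11-03T09:17:28", "transfer_confirm"),
    ("s-0002", "2009-11-03T21:41:00", "login"),
    ("s-0002", "2009-11-03T21:41:01", "transfer_form"),
    ("s-0002", "2009-11-03T21:41:01", "transfer_confirm"),
    ("s-0002", "2009-11-03T21:41:02", "transfer_form"),
    ("s-0002", "2009-11-03T21:41:02", "transfer_confirm"),
    ("s-0002", "2009-11-03T21:41:03", "transfer_form"),
    ("s-0002", "2009-11-03T21:41:03", "transfer_confirm"),
]

# Step pairs that require human data entry between them, with the minimum
# elapsed seconds a person is assumed to need. Faster transitions are scored.
HUMAN_MIN_SECONDS = {("transfer_form", "transfer_confirm"): 5.0}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def session_timings(events):
    """Group events by session; return elapsed seconds between consecutive steps."""
    by_session = defaultdict(list)
    for session, ts, action in events:
        by_session[session].append((_parse(ts), action))
    timings = {}
    for session, rows in by_session.items():
        # Stable sort on timestamp only, so same-second events keep log order.
        rows.sort(key=lambda r: r[0])
        steps = []
        for (t0, a0), (t1, a1) in zip(rows, rows[1:]):
            steps.append((a0, a1, (t1 - t0).total_seconds()))
        timings[session] = steps
    return timings


def flag_automated_sessions(events, min_seconds=HUMAN_MIN_SECONDS, min_hits=2):
    """Return {session: [(step_from, step_to, seconds), ...]} for sessions that
    complete a human-entry step faster than a person can, at least min_hits
    times. Requiring repeated hits avoids flagging one fast click."""
    flagged = {}
    for session, steps in session_timings(events).items():
        hits = [s for s in steps if s[2] < min_seconds.get((s[0], s[1]), 0.0)]
        if len(hits) >= min_hits:
            flagged[session] = hits
    return flagged


if __name__ == "__main__":
    for session, hits in flag_automated_sessions(SAMPLE_EVENTS).items():
        print(f"{session}: {len(hits)} sub-human step timings, hold for review")
```

In production the flagged session would be held for manual review or challenged out of band rather than blocked outright, since a single threshold on one step pair will produce false positives for users who paste prepared values.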
Fraud Detection That Monitors Suspect Transaction Values
This function looks at a particular transaction and compares it to a profile of what constitutes "normal" behavior for that user and/or group of users. The more structured the data (so that it can be analyzed more easily), and the more history available to put the transaction in context, the better able the fraud prevention system is to highlight suspect transactions.
Structured data is important to the effectiveness of many fraud prevention applications. For example, automated-clearinghouse (ACH) money transfer data is structured, and a fraud prevention application can determine the payment and payment beneficiary data in an ACH money transfer request so that it can spot that the amount or beneficiary is "unusual" and suspect. In contrast, wire transfer instructions are unstructured in part, and transfer instructions can be documented in textual comments. In order for a fraud prevention application to work in this case, it must be able to parse textual comments and isolate the important data.
This method has worked well for banks that have deployed it, for example, for U.K. banks that have had to implement real-time fraud detection for Faster Payments Service, a U.K. initiative that mandates immediate electronic payments be available to all U.K. bank customers.
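An added example, not part of the original note, of profile-based transaction scoring over both structured ACH records and semi-structured wire instructions, as the two paragraphs above describe. The transaction history, the "PAY <amount> TO <beneficiary>" comment layout, the regex that isolates those fields and the scoring weights are all assumptions constructed for illustration; real wire comments are far messier than this regex handles.

```python
"""Transaction-value fraud scoring against a per-user profile.

Added example, not part of the original research note. The record formats,
the free-text wire layout and its regex, the history and the scoring
weights are assumptions constructed for illustration.
"""
import re
from statistics import mean

# Structured ACH records already carry the fields the scorer needs (constructed).
ACH_HISTORY = [
    {"user": "u1", "amount": 120.00, "beneficiary": "ACCT-1111"},
    {"user": "u1", "amount": 135.50, "beneficiary": "ACCT-1111"},
    {"user": "u1", "amount": 800.00, "beneficiary": "ACCT-2222"},
    {"user": "u1", "amount": 90.00, "beneficiary": "ACCT-1111"},
]

# Wire instructions are partly unstructured: the values live in a free-text
# comment. The "PAY <amount> TO <beneficiary>" layout is an assumption.
WIRE_RE = re.compile(
    r"PAY\s+(?P<amount>[\d,]+(?:\.\d{2})?)\s+TO\s+(?P<beneficiary>\S+)", re.I)


def parse_wire(user, comment):
    """Extract amount and beneficiary from a wire comment; None if unparseable
    (an unparseable instruction should itself be routed to review)."""
    m = WIRE_RE.search(comment)
    if not m:
        return None
    return {"user": user,
            "amount": float(m["amount"].replace(",", "")),
            "beneficiary": m["beneficiary"].upper()}


def build_profiles(history):
    """Per-user profile: beneficiaries paid before and the amount distribution."""
    profiles = {}
    for rec in history:
        p = profiles.setdefault(rec["user"], {"beneficiaries": set(), "amounts": []})
        p["beneficiaries"].add(rec["beneficiary"])
        p["amounts"].append(rec["amount"])
    return profiles


SAMPLE_PROFILES = build_profiles(ACH_HISTORY)


def score_transaction(txn, profiles):
    """Return (score, reasons); higher is more suspect. An unknown user, a new
    beneficiary and an amount far outside the user's history each add weight."""
    score, reasons = 0, []
    p = profiles.get(txn["user"])
    if p is None:
        return 3, ["no history for user"]
    if txn["beneficiary"] not in p["beneficiaries"]:
        score += 2
        reasons.append("new beneficiary")
    if txn["amount"] > max(p["amounts"]):
        score += 1
        reasons.append("exceeds historical maximum")
    if txn["amount"] > 3 * mean(p["amounts"]):
        score += 1
        reasons.append("more than 3x typical amount")
    return score, reasons


def review_queue(transactions, profiles, threshold=3):
    """Transactions at or above threshold are held for review instead of executed."""
    held = []
    for txn in transactions:
        score, reasons = score_transaction(txn, profiles)
        if score >= threshold:
            held.append((txn, score, reasons))
    return held


if __name__ == "__main__":
    incoming = [
        {"user": "u1", "amount": 110.00, "beneficiary": "ACCT-1111"},
        parse_wire("u1", "Pay 4,900.00 to ACCT-9999 ref invoice 3321"),
    ]
    for txn, score, reasons in review_queue(incoming, SAMPLE_PROFILES):
        print(f"hold {txn['beneficiary']} {txn['amount']:.2f}: score {score}, {reasons}")
```

The new-beneficiary signal carries the most weight because it is what the man-in-the-browser overwrite changes; a Trojan that only alters the amount of a transfer to an existing payee would need the amount rules to catch it, which is why history depth matters.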
Out-of-Band User Transaction Verification
This type of verification uses a channel other than the primary one (for example, a phone call or text message rather than the user's PC browser) to confirm a transaction request. It is a valuable fraud prevention tool, as long as only the specific transaction verified or signed by the requesting user is executed (as opposed to a transaction that a criminal has overwritten with his or her own values). Further, enterprises should not deluge users with transaction verification requests; requests should be kept simple and confined to high-risk transactions, so that users are sure to pay detailed attention to them. Criminals have been known to use social-engineering techniques successfully to trick users into verifying the "wrong," illegitimate transactions.
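An added example, not from the original note, of out-of-band verification that binds the confirmation code to the transaction values the bank actually received, so that only the verified transaction can be executed and a code cannot be reused for different values. The HMAC construction, the six-digit code format, the simulated phone channel and the sample transactions are assumptions constructed for illustration.

```python
"""Out-of-band transaction verification bound to the transaction's own values.

Added example, not part of the original research note. The HMAC-derived code,
its six-digit format, the in-memory "phone" channel and the sample transfers
are assumptions constructed to show why only the verified transaction may run.
"""
import hashlib
import hmac
import json
import re
import secrets

CODE_DIGITS = 6


def canonical(txn):
    """Deterministic encoding of the fields the user must check on the phone."""
    return json.dumps({"amount": f"{txn['amount']:.2f}",
                       "beneficiary": txn["beneficiary"],
                       "currency": txn["currency"]},
                      sort_keys=True, separators=(",", ":")).encode()


def verification_code(server_key, nonce, txn):
    """Code sent out of band: HMAC over a per-request nonce and the transaction
    details, truncated to digits. A different amount or beneficiary yields a
    different code, so a code never authorises a different transaction."""
    mac = hmac.new(server_key, nonce + canonical(txn), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class OutOfBandVerifier:
    """Server-side store of transfers awaiting confirmation. The server keeps
    what it actually received (post-malware values), tells the user those
    values plus the code on the phone, and executes only the stored transfer."""

    def __init__(self, server_key):
        self._key = server_key
        self._pending = {}
        self.phone = []  # simulated out-of-band channel (stands in for SMS/voice)

    def request(self, txn):
        """A transfer request arrived from the browser: park it and message the user."""
        request_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        code = verification_code(self._key, nonce, txn)
        self._pending[request_id] = (nonce, dict(txn))
        self.phone.append({"request_id": request_id, "text": (
            f"Confirm transfer of {txn['amount']:.2f} {txn['currency']} to "
            f"{txn['beneficiary']}. Code: {code}. If these details are wrong, "
            f"do not enter the code.")})
        return request_id

    def confirm(self, request_id, submitted_code):
        """Return the stored transaction to execute, or None. The entry is
        consumed on the first attempt, right or wrong, so a code cannot be
        replayed or guessed by repeated submissions."""
        entry = self._pending.pop(request_id, None)
        if entry is None:
            return None
        nonce, txn = entry
        expected = verification_code(self._key, nonce, txn)
        if not hmac.compare_digest(expected, submitted_code):
            return None
        return txn


def code_from_message(text):
    """What the user reads off the phone (used here to drive the walk-through)."""
    return re.search(r"Code: (\d{6})", text).group(1)


def demo():
    """Constructed walk-through: the user typed a 50 EUR transfer to a landlord;
    browser malware rewrote it to a mule account before it reached the bank."""
    bank = OutOfBandVerifier(secrets.token_bytes(32))
    received = {"amount": 4900.00, "currency": "EUR", "beneficiary": "LV00-MULE-ACCOUNT"}
    rid = bank.request(received)
    text = bank.phone[-1]["text"]
    tampering_visible = "LV00-MULE-ACCOUNT" in text  # phone shows what the bank got
    code = code_from_message(text)
    wrong = str((int(code[0]) + 1) % 10) + code[1:]  # any altered digit
    rejected = bank.confirm(rid, wrong)              # None, request discarded
    replay = bank.confirm(rid, code)                 # None, single use
    legit = {"amount": 50.00, "currency": "EUR", "beneficiary": "DE00-LANDLORD"}
    rid2 = bank.request(legit)
    executed = bank.confirm(rid2, code_from_message(bank.phone[-1]["text"]))
    return tampering_visible, rejected, replay, executed


if __name__ == "__main__":
    print(demo())
```

The essential property is that the phone message is built from the server's copy of the transaction, never from anything the browser displays, and that execution uses that same stored copy. A design that instead asks the user to re-enter the amount in the browser, or that accepts any valid token OTP regardless of transaction content, is exactly the one the overwrite attack defeats.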
Enterprises also need to use out-of-band communication providers that can prevent the enterprise's calls from being forwarded to phone numbers that the enterprise has not registered and vetted for a legitimate user account. Alternatively, the enterprise can simply terminate any calls that are being forwarded to another number (as a cautionary measure), and ask the user to call the bank instead. This means that the enterprise's telephony system or provider must be able to inspect the Signaling System 7 (SS7) telephony signaling protocols, which are used in most of the globe's public switched telephone network calls. SS7 is used to set up and disconnect phone calls, transmit Short Message Service (SMS) messages, manage call forwarding, and conduct many other services.
Summary
Fraudsters have definitely proved that strong two-factor authentication methods that communicate through user browsers can be defeated, and that the criminals can also figure out how to defeat out-of-band, telephony-based authentication and transaction verification using social-engineering techniques.
While future attack types are unpredictable, one thing is very clear. Enterprises need to protect their users and accounts using a three-pronged fraud prevention approach that employs authentication, fraud detection, and out-of-band transaction verification and signing for high-risk transactions.
Tuesday, January 12, 2010