vandeneynde.net
24Jun/071

Strong Authentication, Online Banking and Phishing

When my bank started offering online banking a few years ago, the authentication they used was a client certificate protected by a password. From time to time one had to renew the certificate and change the password. Of course, this type of authentication is vulnerable to various phishing attacks.

Last year, they rolled out a digipass system to authenticate their users in a more secure way. This particular digipass works with a challenge-response code. A challenge is displayed on the website; the response code, which authenticates the user, is generated by the digipass. The digipass can generate the correct response only when your smart bank card is inserted in the device and your PIN code is entered on the digipass. This makes the authentication strong and two-factor: it consists of something you have (your bank card and digipass) and something you know (your PIN code). Furthermore, the challenge/response changes every time, so it cannot be reused.

However, this system is still vulnerable to phishing proxy attacks. In these attacks, the phisher lures the victim to his website. The attacker's website merely acts as a man-in-the-middle reverse proxy to the real banking website. This way, the strong authentication gets passed on to the bank, but the attacker has a way to modify the transactions.

Of course you might think that SSL would prevent these types of phishing, and in a way it does. However, we are now seeing a growing number of so-called bank trojans. These trojans manipulate the data before it enters the SSL-secured channel. They wait until the authentication is complete and, when a transaction is made, they can add their own malicious transactions, masquerading as the user's.

The major vulnerability which both of these attacks exploit is the lack of integrity protection for the transaction. You have SSL securing the channel and strong authentication securing the login, but no integrity of the data transferred in the transaction.

Last month, my bank upgraded the security of the online banking application to mitigate this vulnerability. As you can see in the screenshot below, the response to authorize a transaction is now the result of a cryptographic function which includes the total amount of money in the transactions.

[Screenshot: OnlineBankingIntegrity]

This is explained to the user by highlighting the total value of the transactions in red, so the user can make the connection and check whether it is valid or not.

For the bank trojans, this is bad news, as the user will now notice when a hidden transaction is smuggled into the application, because the red value would differ from the one the user expects.
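As an added illustration (not code from the original post, and not the bank's or the DigiPass vendor's actual algorithm), here is a simplified model of a transaction-bound response: the card MACs the challenge together with the total the user types in, and the bank recomputes over the transactions it actually received, so a transfer smuggled in by a proxy or trojan breaks the check. The card key, PIN, account labels and amounts are all constructed, and the HMAC-SHA256 construction is an assumption standing in for the real device's function.

```python
import hashlib
import hmac
import secrets

# Constructed demo card: in practice the key lives inside the smart card and the
# MAC algorithm is device-specific; this only models the binding to the total.
CARD = {"key": b"constructed-demo-card-key-0001", "pin": "4711"}


def new_challenge() -> str:
    """Bank side: a fresh random challenge, so an old response cannot be replayed."""
    return f"{secrets.randbelow(10**8):08d}"


def response_code(key: bytes, challenge: str, total_cents: int) -> str:
    """8-digit code over the challenge AND the transaction total (assumed MAC construction)."""
    msg = f"{challenge}|{total_cents}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def digipass_response(card: dict, pin: str, challenge: str, total_cents: int) -> str:
    """Card reader side: the PIN (something you know) unlocks the card
    (something you have); the user types in the challenge and the red total."""
    if pin != card["pin"]:
        raise ValueError("wrong PIN")
    return response_code(card["key"], challenge, total_cents)


def bank_verify(card: dict, challenge: str, transactions: list, response: str) -> bool:
    """Bank side: recompute over the total of the transactions it actually received.
    A transaction added by a proxy or trojan changes that total, so the code the
    user produced for the total they saw no longer matches."""
    total = sum(tx["amount_cents"] for tx in transactions)
    return hmac.compare_digest(response_code(card["key"], challenge, total), response)


def demo() -> tuple:
    """Honest session verifies; a session with a hidden transfer added is rejected."""
    user_txs = [{"to": "ACCOUNT-A (constructed)", "amount_cents": 12000},
                {"to": "ACCOUNT-B (constructed)", "amount_cents": 8050}]
    user_total = sum(tx["amount_cents"] for tx in user_txs)  # 200.50, the red value
    challenge = new_challenge()
    code = digipass_response(CARD, "4711", challenge, user_total)
    honest = bank_verify(CARD, challenge, user_txs, code)
    # Bank trojan alters the data before it enters the SSL channel: one extra transfer.
    tampered = user_txs + [{"to": "ATTACKER (constructed)", "amount_cents": 50000}]
    hijacked = bank_verify(CARD, challenge, tampered, code)
    return honest, hijacked
```

The bank-side check catches the altered total even if the trojan also rewrites the red value on screen to what the user expects; what it cannot do is help a user who types in whatever number the screen shows without comparing it to the transfers they intended.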

I can only applaud my bank for following up on the latest threats in phishing and online bank fraud.
The greatest threat to the current system that I see is end-user awareness. If the user does not understand or see the importance of the 'red' numbers, the banking trojans still win.

Filed under: Security

Comments (1)

  1. You lost me on the first sentence boy :)