Every time the fob was used, for a login, it generated a different number, rather than having the number valid for any number of logins until expiry.

Duh!

Although this man-in-the-middle attack succeeded in obtaining some funds, it wasn't all that successful. Only a very small number of customers were stupid enough to click on the e-mail attachment (which claimed to be an "SSL 3 Update"), and most customers were unaffected.

This is not the first time that Dutch banking customers have been affected: The Postbank uses TAN lists, generated password lists, and thieves have been known to break into letterboxes in blocks of flats to steal these lists and use them to access the accounts.

The fact is that two-factor authentication is much safer than just the passwords used by most UK and US banks. Simple password authentication allows any old keylogger to record your details and give an attacker access to your bank, and keyloggers can be installed from anywhere. Two-factor authentication requires much more sophisticated attacks, and is much harder work for attackers to implement. It's not impossible, but it increases the skill levels needed. It can also only be done while the customer is accessing their bank account, unlike password attacks, which allow unfettered access once passwords have been revealed. In addition, this man-in-the-middle attack required active user intervention to install the trojan, relying on the stupidity^H^H^H^H^H^H^H^H^H naivety of users to install the software on their computers.

Two-factor authentication is not perfect, it's just several thousand times better than what UK bank customers are being provided.

Why don't the banks' systems limit the fob-generated number to come from only one IP address, or are the hackers faking that as well?

My bank here in Sweden (SEB) also uses a token to deliver a time/date/tokenID hash generated from an 8 digit challenge.

The big difference here is that not only do I have to generate a hash to log in, any transactions that I subsequently enter that transfer money out of my accounts must also be authorised by another hash. It is much harder (although not impossible) for the hackers to synchronise their fake site to log in, enter the fraudulent transactions and then get another valid hash without arousing suspicion.

The article plays fast and loose with the details of ABN AMRO's token scheme. Authentication is required for each subsequent transaction, which makes me think that the man in the middle attack in fact changes financial information on the fly.

I challenge the security critics to provide a water-tight authentication scheme that works even when the home computer is compromised. Intuitively it seems impossible. How can you trust the information you see when the display device has been compromised?

Overall the article does a disservice to token authentication, it is a lot more secure than just using passwords. The main problem naturally is in its delivery - compromised computers cannot be trusted! The easiest solution is to not use Windows.

My 2 cents

Surely the easy answer is for banks to quit sending emails to clients and use SMS or voice messaging instead to advise clients of updates/changes and to visit the website.

I mean who would visit a website called www.hotsexysnatch.com/halifaxbank that was written clearly in text or spoken on the phone, as opposed to hidden in dodgy links in emails, and enter their bank details? If anyone did then damn it they deserve to be robbed!

Not as convenient as email but would save them and their clients a shitload of money.

Or is that too easy?

Limiting the token to only a single IP is ridiculous, to say the least. What's the point of e-banking if you can only use it from one IP address? Anyone on DHCP, anyone travelling, and anyone using public wifi will not be able to use ebanking? Silly.

I prefer the system used by Encentuate. They use a cryptographic module in a USB token, combined with a single password and digital certificates (PKI infrastructure) to use 2FA.

The numbers generated by the fobs are valid for a short time (about a minute) to give 10-thumbed people a chance to type the number into their PC. The trick with this scam was to intercept the number and quickly copy it across to the real bank system.

You can't restrict the token to one IP address because most people don't have a fixed IP address; they get a new one each time they connect to the ISP; this is even true for Broadband.

If only one IP address was allowed, then this seriously reduces the benefits of internet banking.

There may also be technical problems, like how do you log in to change the IP address that you want to log in from.

What happens if your ISP assigns you a new IP every time you dial up (dynamic IP).

Also, (a quick google search later) apparently IP spoofing is a pretty basic camoflage technique and certainly not beyond these people.

Ed

If the session-code generator also had buttons for say, "Login", "New Transfer", "Change Details" etc, and encoded this in the hash, then the miscrents would be able to login to the phisee's account, but wouldn't be able to create a new transfer to spirit away the victim's money.

Hopefully nobody would be daft enough to generate a "New Transfer" code when they weren't trying to create a transfer. However, the depths of human stupidy never ceases to amaze me.

Reading of this I can't help but think - what are banks in UK waiting for? Why is it that major global banks like HSBC still have medieval online security?

At least the Dutch are trying! In fact even most of Eastern Europe is ahead of UK in this area - two years ago I was issued with a keyfob by Latvian bank. It generates a unique number every time it's turned on, this number expires in less than a minute. In addition to that the number must be generated and used for each transaction. This makes is possible to use Wi-Fi or any internet cafe, because the codes themselves are useless without the fob (unless you've been duped into using a fake website).

Even if it still might be susceptible to a "man in the middle" attack, it's years ahead of current security employed by HSBC. Two static numbers - one of them a DoB (a big no-no) and a numeric code? Hello, hello, anybody home? Think, McFly, think!

Has anyone else seen GrIDsure? They have a means of generating a one-time pass-code, without hardware, that can also be used as a means of reverse authentication.

Single IP - as in from the customer's initial login, using the fob-generated number. Any further bank transactions are used against this IP, if the IP changes then it could be due to the session being hi-jacked. Once the session expires, or customer logs out - they can then re-access from any other computer/IP address. Think.

For security experts everywhere -please note CASQUE does not suffer from replay attacks. CASQUE is a two factor authentication product using challenge-response with active tokens. It has a version certified by CESG under their CAPS scheme

"if the IP changes then it could be due to the session being hi-jacked" - the problem here is that in a man-in-the-middle attack, the session is hi-jacked from the beginning. The software installed on the user's machine redirects them to the hackers' website, so they never connect directly to the bank's. This means that the only IP the bank ever sees belongs to the hackers, and is consistent throughout the session. i.e. from the bank's point of view, the IP doesn't change, so this technique is useless against this form of attack. "Think".

If a phising site was pepetrating a man-in-the-middle attack, then there'd be a lot of disparate users all making transfers from a single IP address (the phising site). Shouldn't that make the bank suspicious? It doesn't need to kill the connection, just throttle it. And that would raise the bar, a little bit more; forcing the fraudsters to have a zombie net at their disposal.

Just send out emails in PLAIN TEXT. No html, no MIME, no clickable links. That way the idiots (users) need to actively put the URL into the browser. Maybe they will see that it isn't legit! Wishful thinking, but not a bad idea!

I don't get it.

I have online banking.

I have to call my bank to set up payments to accounts other than those in my own name. It takes less than 2 minutes to do this because they have a vested interest in security, and so they keep the phone lines well manned for this very reason.

In order to do this I have to verify with a human being and answer questions that only I would know the answer to...and even then if someone had gone to the trouble of tapping my phone line and waiting for me to make a call like that...I don't think someone from China or whatever is going to be able to do a very convicing Limerick accent :)

So even if someone gets my details or is able to intercept the information going from my pc to the bank's sever, the worst they can do is pay off my credit card.

None of this two factor stuff. All of these authentication methods have flaws or ways around them. I'm reading a lot of "its totally secure unless..." in the above posts...you can be sure that the thieves are very very well aware of the "unless" clauses, whereas your average user is not. Even the fobs that generate unique IDs...they can be stolen, and a minute is plenty of time to hijack and redirect with a man in the middle scenario.

eh, anyway, I have nothing worth stealing...:(

Bookmark the https address of the real site and only use the bookmark and you won't get phished.

<quote>

Single IP - as in from the customer's initial login, using the fob-generated number. Any further bank transactions are used against this IP, if the IP changes then it could be due to the session being hi-jacked. Once the session expires, or customer logs out - they can then re-access from any other computer/IP address. Think.

</quote>

Now now put down the handbag, a quick google search will tell you that IP spoofing isn't the most difficult thing to do, so single IP wouldn't be much help. Read. ;)