Finding Holes in Banking 2FA: Operation Emmental
Like Swiss Emmental cheese, your online banking protections might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. They have invented all sorts of methods to protect the user’s ability to do online banking safely. This research paper describes an ongoing attack that targets a number of countries worldwide. The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users via Short Message Service (SMS) on their mobile devices. Users are expected to enter a session token to activate a banking session, which authenticates their identity. Since this token is sent through a separate channel, this method is generally considered secure.
Some of the banks we looked into do not exclusively use this system. They usually complement it with other ways to ensure the security of their customers’ banking sessions, such as using PhotoTAN or issuing a physical card reader. However, the fact remains that banks let most of their customers use session tokens sent via SMS and leave more secure methods for premium clients or as an alternative option, possibly because of the higher operating costs of those methods and the ease of use of SMS. The attackers in this case set up a system that could defeat session token protection. This particular attack actively targeted users in Austria, Switzerland, Sweden, and Japan.