Finding Holes in Banking 2FA: Operation Emmental

Like Swiss Emmental cheese, your online banking protections might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. They have invented all sorts of methods to protect the user’s ability to do online banking safely. This research paper describes an ongoing attack that targets a number of countries worldwide. The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users via Short Message Service (SMS) on their mobile devices. Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure.

Some of the banks we looked into do not exclusively use this system. They usually complement it with other ways to ensure the security of their customers’ banking sessions such as PhotoTAN or issuing a physical card reader. However, the fact remains that banks let most of their customers use session tokens with the aid of SMS and leave more secure methods for premium clients or as an alternative option, possibly due to increased operating costs and ease of use. The attackers in this case set up a system that could defeat session token protection. This particular attack actively targeted users in Austria, Switzerland, Sweden, and Japan.

David Sancho

Senior antivirus researcher at Trend Micro