One of the biggest banks in Sweden, Nordea, has recently become the victim of a large-scale phishing attack. The attackers managed to get away with around $1M USD, and this has been labeled the biggest internet-based bank heist to date.
So, why was Nordea targeted? Could it perhaps be because of their one-time-pad numbers, which only Nordea uses? They work by having the bank send you a sheet full of numbers; each time you log into the bank, you scratch off a new one-time number to enter, much like a lottery ticket.
Other banks in Sweden use hardware tokens such as the ActivIdentity, which has a keypad and a PIN and works by letting the bank send you a challenge. You first unlock the hardware token by entering the PIN, then enter the challenge numbers. The response is sent back to the bank, and you are given access if the response is correct.
The problem with using the “lottery tickets” for authentication is that they are not session-based. A user could enter a number of these one-time numbers on a phishing website, and the attackers can then simply use them without ever having to answer a challenge from the server.
I am not saying that solutions such as ActivCard are perfect protection against identity theft, just that they are more secure than simply using one-time passwords.
The phishing attack was carried out using a trojan horse on the victims' computers. The main problem here is that Nordea not only uses these scratch cards, but also does not authenticate the transaction once the user has logged in and wants to perform it. Products such as ActivIdentity make it possible to authenticate the transaction itself, and not just the login sequence.
Another Swedish bank does exactly this. You log in with your Swedish social security number equivalent and enter the response to the challenge presented by the server. You then go about your business in the bank, and when it is time to execute a transaction, you are shown the pending transactions together with a challenge. You must then respond to that challenge using the ActivIdentity, thus authenticating the transaction itself.
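As an added illustration (not from the original post, and not any vendor's protocol), a small Python simulation of the two schemes contrasted above: a scratch-card code phished from the user can simply be replayed by the attacker, while a token response to a challenge derived from the pending transaction authorises only that transaction, and only once. The HMAC-based token, the bank classes, the key and the sample codes are all constructed stand-ins.

```python
import hashlib, hmac, secrets

def scratch_card_login(unused_codes, code):
    """Scratch card: any unused code logs in, tied to no session or transaction."""
    if code not in unused_codes:
        return False
    unused_codes.remove(code)
    return True

def token_response(key, challenge):
    """Keypad token (assumed HMAC design): user types the displayed challenge, reads back a response."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]

class ChallengeResponseBank:
    """Bank that derives each challenge from a fresh nonce plus the pending transaction."""
    def __init__(self, key):
        self.key = key
        self.pending = {}  # challenge -> the one transaction it may authorise

    def start_transaction(self, tx):
        nonce = secrets.token_hex(4)
        challenge = hashlib.sha256(f"{nonce}:{tx}".encode()).hexdigest()[:8]
        self.pending[challenge] = tx  # shown to the user next to the transaction details
        return challenge

    def confirm(self, challenge, tx, response):
        if self.pending.get(challenge) != tx:  # unknown, already used, or a different transaction
            return False
        if not hmac.compare_digest(token_response(self.key, challenge), response):
            return False
        del self.pending[challenge]  # one challenge authorises exactly one transaction
        return True

def replay_scratch_code(phished_code="4711"):
    """A code phished from the victim logs the attacker in later: it is not session-bound."""
    sheet = {"4711", "0815", "1337"}  # constructed sample sheet
    return scratch_card_login(sheet, phished_code)

def replay_transaction_response():
    """A phished response authorises only the transaction it was issued for, and only once."""
    key = b"constructed-token-secret"
    bank = ChallengeResponseBank(key)
    victim_tx, attacker_tx = "pay 100 SEK to landlord", "pay 100000 SEK to mule"
    challenge = bank.start_transaction(victim_tx)
    response = token_response(key, challenge)  # the value a phishing page could capture
    attacker_ok = bank.confirm(challenge, attacker_tx, response)  # False: bound to victim_tx
    victim_ok = bank.confirm(challenge, victim_tx, response)      # True: the displayed transaction
    replay_ok = bank.confirm(challenge, victim_tx, response)      # False: challenge consumed
    return attacker_ok, victim_ok, replay_ok
```

The remaining gap, a live man-in-the-middle that relays the bank's real challenge for the attacker's own transaction, is exactly why the challenge must be displayed next to the transaction details it covers.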
Users might of course still fall victim to these kinds of attacks if they are not trained properly. An online man-in-the-middle attack is quite possible to execute, even with security measures such as hardware tokens, but it requires the user to proceed even when the web browser presents a warning about a false certificate. There is also the possibility that a user has clicked on a link to a fraudulent website mimicking the original.
This is why education is the most important thing to have when designing a secure system. Users need to know that they should not click on links on various websites or in emails, but instead type the address themselves. They should also never trust any kind of communication that seems to originate from the bank; all notices should instead be readable from within the banking application after logging in. The bank could of course still send out a notice telling the customer that a message is waiting.
Should mandatory education perhaps be a necessary part of the enrollment for online banking?