German Police: Two-Factor Authentication Failing

A two-factor authentication system widely used in Germany is failing to stop cybercriminals from draining bank accounts, a top German law enforcement official said Tuesday.

By Jeremy Kirk
Tue, March 24, 2009

IDG News Service — A two-factor authentication system widely used in Germany is failing to stop cybercriminals from draining bank accounts, a top German law enforcement official said Tuesday.

As of last year, about 95 percent of German online banking patrons were using "iTan" codes, random secret numbers that are requested of a bank customer during an online transaction, said Mirko Manske, detective chief superintendent for Germany's Federal Criminal Police Office.

The iTan code is used as an additional measure of authentication besides the customer's login information. The iTan code can only be used once and is intended to thwart online banking attacks where an attacker has all the other customer information.

But "it does not work," said Manske during a presentation at the E-crime Congress in London. "We are still losing money."

The problem is that hackers have figured out ways to execute transactions in real time, utilizing the iTan code and making the security control essentially useless.

The style of attack is called man in the middle, where an attacker is able to modify data exchanged between the hacked PC and a bank server. Another version is called man in the browser, where a Trojan horse program modifies the transaction.

Manske, whose presentation was partially censored since it contained sensitive information, showed two scenarios under which iTan codes are used during money transfers.

In one of the scenarios, the victim gets a confirmation that they are sending €500 (US$677). In fact, a hacker has modified the information and transferred €5,000 to another account, Manske said.

Another incident showed just how technically advanced malware programmers have become. One major German bank spent a significant amount of money implementing a system where a photo of jumbled letters, called a CAPTCHA (Completely Automated Public Turing test to Tell Computers and Humans Apart), would be displayed with transaction details, Manske said.

CAPTCHAs are often used to try and stop automated bots from registering, for example, too many e-mail accounts, since computers are not as good at humans at descrambling jumbles of characters. In the bank's case, the CAPTCHA was used to provide another level of transaction verification.

In another surprising example of cybercrime innovation, Manske said, the attackers developed a special component that could render a perfect copy of the CAPTCHA to be used for a man-in-the-middle attack. That copy would be displayed along with seemingly correct transaction details during an attack.

"There are some very talented programmers out there," Manske said.

Our Commenting Policies