Two Factor Authentication
with One Time Passwords Defeated
Operation Emmental 7/24/2014
As of mid 2014 this attack is targeting users in Austria, Switzerland, Sweden, and Japan defeating their Two Factor Authentication with One Time Passwords.
TrendMicro maintains a research group called The Forward-Looking Threat Research Team who published A Trend Micro Research Paper | Finding Holes | Operation Emmental (20 page PDF)
Two Factor Authentication (TFA) is proposed as an improved security measure. There are several ways to implement TFA but the core concept is that the access attempt has to pass security via two different avenues.
For example: a consumer uses a web browser and surfs to their banking web site and “logs in”. At that point they are sent a One Time Password (OTP) via some avenue other than the internet, perhaps text message. The user then uses that OTP to pass the second log in screen and access their account. This is generally improved security, but more complex, more time consuming and not always working. (see breaking the traditional inverse relationship between increased security and ease of use)
Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens – all of these were created to help prevent banking fraud. We recently come across a criminal operation that aims to defeat one of these tools: session tokens. Here’s how they pull it off.
This criminal gang intents to target banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that utilizes users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number. Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.
Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and from a threat perspective, a bit boring.
But here’s where it gets interesting. The users’ computers don’t really get infected—not with the usual banking malware, anyway. The malware only changes the configuration of their computers then removes itself. How’s that for an undetectable infection? The changes are small…. but have big repercussions. [ highlighting ours -ed ]
More information and some clear explanatory graphics at the source
We detected a variety of rogue DNS servers involved in the attack. We were able to investigate one of them for a few days before it stopped working. Further investigation revealed that every time users of infected machines would try to access six bank domains in Austria, seven in Sweden, 16 in Switzerland, and five in Japan, they would be directed to a malicious server instead. In essence, accessing any of the 34 banking sites using an infected computer leads users to communicate with a phishing server instead of their bank’s server. [ highlighting ours -ed ]
from the research paper (20 page PDF)
A less technical explanation in English and different one in German
