Could my bank's two-factor authentication be hacked?
You are right in that one of the ways an attacker could intercept the code is to hack your phone. An attacker could also:
- Clone your phone's SIM and request a banking code to be sent to your phone's number. They could also possibly clone a non-SIM phone as well.
- Steal your phone. Once they have your phone they could perform transactions.
- Perform a man-in-the-middle attack when you use your banking site. This has been done already: an attacker uses malware installed on your computer (a man-in-the-browser attack) to direct your banking traffic to a site set up to mimic your bank's page. Or an attacker may subvert a system to act as a proxy. Either way, when you type in the code the attacker gets it, then uses the code to perform a transaction.
- Social engineer your bank into changing your mobile phone details to a phone they control. If an attacker knows enough about you, and your bank's procedures aren't tight enough, then the attacker could call your bank pretending to be you and get them to change the mobile number.
So what can you do?
- Keep control of your mobile phone.
- Make sure your computer is kept up to date with patches and anti-malware software.
- Do all your banking on a virtual machine, and never save its state. If your virtual machine gets hacked and you save the state, the malware will remain in the virtual machine; if you never save its state, the malware won't be able to remain on the virtual machine.
- Many banks use some sort of authentication code to verify the identity of people calling. Write these down but do not put them onto your computer or phone, that way there's still something an attacker does not know, even if they have full access to your computer and your online identity.
It's not all doom and gloom: most of the time banks can reverse transactions if caught quickly. If you suspect that a fraudulent transaction has taken place, get onto your bank ASAP and get their investigators on it. How well this may go depends on what the local laws are and how good your bank is.
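The man-in-the-browser point above (the attacker captures the code and spends it on a different transaction) comes down to whether the second-factor code is bound to the transaction the customer actually approved. The following is an added example, not code from the original answer, that simulates a plain one-time code beside a transaction-signing code; the secret, counter and account values are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo secret shared by the bank and the customer's token/app.
# A real deployment provisions a per-customer secret; this value is made up.
SECRET = b"constructed-demo-secret"


def _six_digits(mac: bytes) -> str:
    """Truncate an HMAC to a six-digit code, HOTP-style."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def plain_otp(counter: int) -> str:
    """Code that depends only on the secret and a counter.
    Whoever captures it can attach it to any transaction."""
    mac = hmac.new(SECRET, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _six_digits(mac)


def transaction_code(counter: int, amount: int, dest: str) -> str:
    """Code bound to the amount and payee the customer saw and approved."""
    msg = f"{counter}|{amount}|{dest}".encode()
    return _six_digits(hmac.new(SECRET, msg, hashlib.sha256).digest())


def bank_accepts(counter: int, amount: int, dest: str, code: str, bound: bool) -> bool:
    """Bank-side check: recompute the expected code for the submitted transaction."""
    expected = transaction_code(counter, amount, dest) if bound else plain_otp(counter)
    return hmac.compare_digest(code, expected)


def simulate(bound: bool) -> bool:
    """Customer approves a 100-unit transfer to PAYEE-ACCT; malware in the browser
    rewrites the request before it reaches the bank. Returns True if the bank
    accepted the tampered transfer."""
    counter = 7
    seen_amount, seen_dest = 100, "PAYEE-ACCT"      # what the customer's screen shows
    code = transaction_code(counter, seen_amount, seen_dest) if bound else plain_otp(counter)
    sent_amount, sent_dest = 97_000, "MULE-ACCT"   # constructed substitution by the malware
    return bank_accepts(counter, sent_amount, sent_dest, code, bound)


if __name__ == "__main__":
    print("plain OTP, tampered transfer accepted:", simulate(False))   # True
    print("bound code, tampered transfer accepted:", simulate(True))   # False
```

The bound code only helps if the token or app displays the payee and amount to the customer out of band, so the customer can see what they are really signing.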
The whole idea about a second factor/step for authentication is to provide two independent layers of security. Vulnerabilities in one layer should not affect the security of the other.
Second-factor authentication was designed and used properly in the past, but lately it has been weakened by companies who care more about profit than security. SMS messages cannot recreate the security level of carefully designed RSA tokens and smart cards.
Attacks on SMS as a second factor are no longer theoretical but multi-million dollar crimes. Compromising the phone is the most straightforward approach and was used at least in this 47 million dollar heist.
Cloning the SIM card can be much easier when social engineering enters the picture. Cloning is still hard and cannot scale like SMS interception can. And you don't need to build your own cracking system; you can buy it in big or small packs.
And just when you think the second factor is secure and you can rely on it, consider the man-in-the-browser type of attack.
An old method is called SIM card partitioning and is a side-channel attack method that pulls key data from SIM cards by monitoring side channels such as power consumption and electromagnetic emanations. The technique requires some physical proximity and can extract secret cryptographic keys in minutes. Previously an attacker would need access to a SIM card for at least eight hours to carry out a successful attack.
In the past, attackers used information from phone company insiders to clone SIMs and then commit banking fraud. Currently, there is a wave of SIM swap fraud in South Africa where attackers trick the phone company into giving them a new SIM card.
Protect against these by first educating yourself about threats and good security practices. A checklist of things to do can protect against common pitfalls, but having a security mindset will get you further.
It's been done when using two-factor codes entered into computers (and directly at ATMs; see the link at the very bottom for the ATM 2-factor SMS problems).
KrebsOnSecurity.com blog lists many banking eheists, including this one:
https://krebsonsecurity.com/category/smallbizvictims/page/4/
"The year before the cyber theft, Comerica had switched from using digital certificates to requiring commercial customers to enter a one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied. Within the span of a few hours, the attackers made 97 wire transfers from EMI’s account to bank accounts in China, Estonia, Finland, Russia and Scotland."
Krebs keeps up on this and has a special category for banking eheists:
https://krebsonsecurity.com/category/smallbizvictims/
Brutal!!
The most important points I've gleaned from his blog:
- Banks do NOT reimburse for cyber fraud against business accounts (unlike consumer accounts).
- Two-factor or any number of computer-only verification steps are risky if the accounting department's PCs have been taken over by hackers. (One Krebs story described another eheist from a company that required an employee and a manager to separately confirm in their browsers transfers over X; but the hackers had "owned" both PCs and stole both sets of credentials.)
- Some "out of band" verification is best, e.g., a phone call to one or two employees/managers for transfers would have thwarted nearly all or all of the eheists Krebs reported.
- Windows PCs are a gargantuan risk for commercial online banking.
- For commercial online banking on a Windows PC, temporarily boot from a free Ubuntu Linux LiveCD DVD, which loads Firefox and allows clean online banking because viruses can't write to the DVD and any viruses on the Windows PC will be dormant until the PC reboots into Windows.
(Several of my business clients boot from LiveCD on their Windows PCs when they need to use commercial online banking.)
For the full horror, read through a few years' worth of Krebs small business banking heist stories. They sent shivers through my IT small business clients.
=========
Regarding thieves beating 2-factor at ATM machines, it's been done in Europe. Viruses infected PCs AND phones and victims suffered account withdrawals that the banks didn't believe were fraudulent until they mounted:
http://dkmatai.tumblr.com/post/37277877990/sophisticated-smartphone-hacking-36-million-euros