Thursday, September 24, 2009

Banking Trojan Defeats 2-Factor Authentication

A report in MIT's Technology Review details how a bank account was compromised even though it required two-factor authentication. The story is instructive.

The conventional malware threat to banking is to steal the username and password. This information is then used by the malicious third party (or whomever they sold it to) to steal the money out of the account. But various security systems can thwart this approach: they take note of unusual transactions from unusual locations, and they can require a second factor of authentication, like a one-time password device.

Bank-heist trojans are an attractive proposition for thieves: This report claims that a gang in Ukraine bilked $6 million using the Zeus trojan, which may have been the specific malware used in the MIT article.

In the case in the MIT article, the user was using two-factor authentication, but it didn't matter. The trojan was running on the same system the user was on, so when the user authenticated, so did the trojan. It was able to perform transactions on that same system without having to know any credentials.
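To make that mechanism concrete, here is an added Python example (not from the article, Technology Review or any bank's software) contrasting a second factor checked only at login, which a trojan sharing the session rides straight through, with a code bound to each transaction's details. The shared key, account names, amounts and the simplified HOTP-style code are all constructed for illustration.

```python
import hmac, hashlib, secrets

KEY = b"constructed-demo-shared-secret"   # constructed sample secret shared with the OTP device

def otp_for(counter):
    """Login one-time code: HMAC over a counter (simplified HOTP-style)."""
    return hmac.new(KEY, str(counter).encode(), hashlib.sha256).hexdigest()[:6]

def txn_code(counter, to, amount):
    """Transaction-bound code: HMAC over the details the device displays to the user."""
    msg = f"{counter}|{to}|{amount}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:6]

class LoginOnly2FA:
    """Second factor checked once at login; every later request in the session is trusted."""
    def __init__(self):
        self.sessions = set()

    def login(self, otp, counter):
        if not hmac.compare_digest(otp, otp_for(counter)):
            return None
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid

    def transfer(self, sid, to, amount):
        # Any request carrying a live session id is honoured, whoever sent it.
        return sid in self.sessions

class TransactionBound2FA(LoginOnly2FA):
    """Each transfer needs a fresh code computed over its own beneficiary and amount."""
    def transfer(self, sid, to, amount, code, counter):
        return sid in self.sessions and hmac.compare_digest(code, txn_code(counter, to, amount))

def simulate():
    """Constructed scenario: user logs in with a valid OTP; a trojan on the same machine acts inside that session."""
    results, user_otp = {}, otp_for(1)
    bank = LoginOnly2FA()
    sid = bank.login(user_otp, 1)
    # The trojan needs no credential at all: it rides the user's live session.
    results["login_only_trojan_transfer"] = bank.transfer(sid, "attacker-acct", 5000)
    bank2 = TransactionBound2FA()
    sid2 = bank2.login(user_otp, 1)
    # The user confirms their own transfer; the device code matches its details.
    results["bound_user_transfer"] = bank2.transfer(
        sid2, "landlord-acct", 900, txn_code(2, "landlord-acct", 900), 2)
    # The trojan can only replay the login code, which does not match its own transfer.
    results["bound_trojan_transfer"] = bank2.transfer(sid2, "attacker-acct", 5000, user_otp, 2)
    return results
```

The first model is the one the article describes failing; the second only helps when the device actually shows the beneficiary and amount to the user before producing the code.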

ZDNet's Dancho Danchev digs further into this phenomenon, citing studies on the growth of Zeus and its resistance to anti-virus. Security guru Bruce Schneier took the opportunity to restate his argument that "...two-factor authentication doesn't solve anything." This is an overstatement—it surely doesn't solve everything, but it does solve a number of problems.
