back to article Hackers may be able to 'outwit' online banking security devices

Hackers may already able to use malware to outwit the latest generation of online banking security devices, security watchers warn. An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such …


This topic is closed for new posts.
  1. Usually Right or Wrong

    Nothing new

    If your computer is compromised with malware, someone else is calling the shots, so it doesn't matter what other security measures are in place if there are transactions that rely on the compromised computer for processing and transmission.

    Using two factor authentication with a one time code defeats the vast majority of attacks, most of which use stolen credentials. Even if the token is stolen, (assuming some numpty has not scribed the pin on the back) there is still one piece of information missing and the device locks out after a number of incorrect pins.

    One down side is that if the computer was compromised at token registrable time, the pin is also disclosed, but the attacker still has to target and get the token, which if missed, would, I presume be cancelled the same as a missing bank card.

    Compared to secret words, numbers and pick lists, using something you physically have, something you know and generating a one time code is a big step forward in security for on-line banking authentication.

    1. Slartybardfast


      Steve Gibson on the Security Now podcast spoke bout this type of attack quite some time ago. It's particularly bad if someone manages to combine it with DNS spoofing. If that happens it looks like you are really connected to your bank rather than a dodgy third party site.

      It is true however that the "something you have" authentication method is far superior to having just a password.

    2. MazzaMan

      Re: Nothing new

      There are ways to counter malware on your computer, even when it compomised already. You need to use an OS lockdown / secure session product like SafeCentral.

      Once you activate the agent the OS is locked down so that only a secure browser or comms channel will function, all malware is nullified and ceases to operate. You can go and do your banking or whatever, the malware cannot get at anything anymore.

      1. Anonymous Coward
        Anonymous Coward


        "all malware is nullified and ceases to operate" Really?

        You have swallowed the snake-oil my son.

        Do you know how a root-kit works? It can monitor everything going in/out of the OS (keyboard, mouse, video, network) and hide itself from detection pretty well by virtue of running first and emulating the PC (like a VM basically).

        Once infected, the only safe assumption is noting is safe. You therefore need a 2nd channel to detect the 1st being fiddled with, or a bootable CD, etc, that can be run before the OS (assuming the BIOS is not infected, of course...) and with steps to identify/protect against DNS poisoning should your router be compromised to DHCP bad DNS.

        Now try to explain that to Joe Public in terms they can understand.

  2. Paul Crawford Silver badge

    Fundamentally flawed

    Having both factors in the 2-factor system going through the SAME possibly compromised channel seems to be a basic flaw here.

    While not perfect, having a 2nd channel such as a mobile phone seems a better approach. Unfortunately the piss-poor security practice that a large proportion of the public has (mostly due to ignorance, and a misplaced faith in AV snake-oil salesmen) will no doubt extend to their smart phones' apps and to disclosing their phone details as well to the bad guys.

    1. Tom Wood


      uses telephone authenication. Basically they call you on one of your pre-selected phone numbers (home, mobile or work) and enter a PIN displayed on screen.

      Initially I thought this seemed like a poorer, cheaper solution than the card reader/pin sentry type devices, but having a second channel is probably a good idea really. Unless the fraudster can somehow nick my mobile or break into my home or office or somehow divert my calls at the same time as getting my online banking username/password, they're going to be pretty screwed.

      1. Paul Crawford Silver badge


        That is good.

        One problem is a lot of web sites allow the change of phone number, so there needs to be a bit of delay/double checking so you get informed of the change on the old phone first, and then again on the new phone, so if its a fake change you can report it.

        Another risk with "smart" phones is someone installing malware that can pre-screen the test messages, so compromising the 2nd channel as well.

        Still, there is no PERFECT solution, just ones that reduces the fraud to a level that is less costly than the various protection systems cost.

    2. Slartybardfast


      Some US banks send you a text when you try to log in. The texted number is valid for 15 mins and is then used as your second factor. This of course only works when you have a mobile and have coverage.

    3. Evil Auditor

      2nd channel

      That's what my bank also uses. During logon I get a code sent to my mobile which I need to enter on the login screen. When I enter an unusual transaction I receive again a text message containing the transaction details and a code to validate the transaction. So far, so secure.

      Good luck to those who use their smart phones for both online banking and receiving validation codes...

    4. AVee

      Not fundamentally flawed.

      Adding the cellular network as a second channel does raise the bar, but cellular networks should also be considered possibly compromised. The list of effective attacks against GSM is getting longer. On top of that you have to trust the users smartphone and there is lots of logging/monitoring going on in the mobile networks which might be compromised as well.

      I'm not sure how stuff works in the UK, but my Dutch bank uses a challenge/response system where users need to type numbers (along with their PIN) into there the card reader. For large transactions the challenge includes the grand total of the transactions being send and for even larger transactions it also includes the account number the money is being send to. This effectively beats MITM attacks (provided users are paying attention) because an intercepted response is only useful for the transaction the user actually requested and modifications to the challenge will be noticed.

      In the end a system which is immune to MITM attacks will always be better than using multiple channels.

  3. Forget It

    As a Firefox user on Win7 with a dozen addin - each which warn caution during installation - I am worried if they might constitute the Man In the Browser.

  4. BristolBachelor Gold badge

    Barclays PinSentry

    I am quite impressed with the Barclays PinSentry. It is not connected to the computer, and cannot have it's firmware "updated" to include a virus/trojan.

    If you want to make a payment to someone new, you need to authorise it using the pinsentry. To authorise it, you must type into the pinsentry: your PIN, the account number of the recipiant and the amount of the transfer. The pinsentry will then give you the code to type into the website.

    So for this to work, the man-in-the-browser has to convince someone to press "Authorise" and then enter their PIN, an account number and an amount of money, and then type that number back into the website. Compared to an alternative scheme with a bank I know who give you a card with a list of 200 numbers that you may be asked to type in for any number of reasons, it should be reasonably clear that you are authorising a payment. I think that this is unlikely except for vulnerable people.

    I suppose that it may be possible to convince a mark to make a small payment to a company which they authorise with pinsentry, and then for a trojan to try to make a much larger transfer later. In this case I don't know what the bank does; if someone authorises a payment for £5 and then tries to make a payment for £5000, do you ask them to authorise again?

    1. GettinSadda

      Wrong idea

      No, they don't try and capture the details with a payment and then duplicate - they wait for you to log into your bank account and redirect your browser to a "copy" of the bank's website and at the same time they internally visit your website. When you type your Pin Sentry code into the fake website they use this to log into the real website; now it is them logged in not you. They may present you with a "this page is down for maintenance for the next 30 minutes" message or something else, but meanwhile they are using their validated log-in to empty your account.

      1. Ian Yates


        Actually, this is where the Barclay's system works and the HSBC system doesn't

        With the HSBC system, the device gives you a completely random number that you type in to yet another box during login - at EVERY login.

        But the Barclay's system means that the device generates a number based on a sequence you also repeat on the website (account number, etc.). So, unlike the HSBC method, the MitB attack would need to somehow trick you in to entering an account number and amount that you otherwise wouldn't. Plus, this is only for new recipients, so users should notice if this happens at an unusual moment.

        The weakest link in this approach is obviously still the user understanding what the device they have is for, but the HSBC system is definitely far from secure (and bloody annoying).

        Lloyds/HBOS provide a unique code (again, only on new recipients or large transfer amounts) on screen that you must then enter in to your phone when the automated system calls you. I can see how a MitB attack could trick someone to do that, but the user would have to ignore the voice reading out the account number and transfer amount.

        1. Andy Moreton

          The HSBC system works in a similar way. When adding a new payment recipient into HSBC IB you have to enter your PIN and part of the recipients account number into the security device. It then generates a 6 digit security code which you enter on to the website. I had to do this a couple of days ago. It may do a similar thing for large payments, I wouldn't know since I haven't made any recently.

      2. Jediben

        If they do that, they only have a PINSentry authorisation to make a payment to an account the target has set up, not to their own target. Without the same PINSentry device, they cannot generate a working one time code that would be produced to transfer money to the account THEY want.

        Sure they can be in your account, but they can't move money to any account that the target hasn't keyed in.

        PinSentry is thus - login to account with PINSentry + card. Transfer of money requires ADDITIONAL number generated by the PINSentry from account number + PIN + Card + £value.

        Even if they redirect you to a hoax site, how do they make you to input THEIR account number into the PINSentry you have in your hand, unless they have even more fake websites tempting you with whatever it is you are paying for.... And then it's not the PINSentry at fault!


      3. Andydude


        Except for Barclays (at least) to make a payment/transfer into a new account you have to re-authenticate and put both your pin, the account number, and transfer amount into your pin sentry *after* you've logged in. So all a man in the middle hacker will see is how much money I spend on disreputable websites.

        1. NomNomNom

          surely they look up your address info and call up the bank saying that for some weird reason they've been locked out. By the way while we are on the subject they'd like an address change and a new pin device posted.

          1. Daf L


            The pin device isn't important.

            In fact you can use the pin pad from any other bank, they're an open standard. You could even use your Dutch friend's Pin Device from their Dutch Bank with your Barclays card/account (or Nationwide, or any other)

      4. MojoJojo

        Missed the key point

        On Barclay's, they may be able to log in to your account, but they won't be able to withdraw any money, unless they somehow trick the user into entering account number/amount and PIN into the PIN sentry device.

        You need to authorise a log in, AND authorise a payment to someone you haven't paid before.

        They'll still be able to see your account activity/statements, which they could probably use in combination with the other information they have to do something bad.

        They could also make a nuisance of themselves transferring money to people you've made transfers to in the past.

    2. Joefish

      But Barclays isn't two-factor.

      The payment authorisation is admirable, but for the basic login it's not a two-factor system. There is no personal password, only the validation code generated by PINSentry from your card and PIN. That means that anyone in posession of those and any old PINSentry device can do anything with your account without any other form of identification being requested.

      I also find it rather shallow that the in-branch 'advisors' hand you a PINSentry in order to access your account. Seems more of an attempt at dumping responsibility onto the customer than anything else.

      1. Vitani


        "There is no personal password" - There is, it's your PIN.

        "in-branch 'advisors' hand you a PINSentry in order to access your account" - this is rather than taking your signature, which is written on your card, and easy to copy with a little practice.

        OK, you could say that if someone knows your PIN then they can do anything, but that's nothing new, anyone with your card & PIN could walk up to a cash machine and take money out without any problem!

        1. This post has been deleted by its author

      2. Jediben

        There is a unique online banking ID number that you also need before PINSentry is even involved in the login process. This, in conjunction with surname, is another barrier. The reason they only pass you the sentry device in branch is that they already have you online number (as they supplied it).

        Any external purchase would require THAT to be supplied by the user as well.

        1. This post has been deleted by its author

          1. Jediben

            If they've physically got the card AND the email address you have attached to said online account, AND the password for the email address, AND they have intercepted the POSTAL MAIL that they supply your online membership number via (no email for that, not secure enough) then yes, it's not much of a barrier... but then neither would your front door be after that.

            1. Anonymous Coward
              Anonymous Coward

              @jediben - none of that applies to the Barclays PINSentry system.

      3. Daf L

        @Joefish - two-factor

        Two-factor, in this case is something you have and something you know>

        You have your bank card, you know your PIN. Therefore two-factor.

        "That means that anyone in posession of those" - they must steal both your bank card and 'torture' you for your PIN - not your everyday purse snatcher or phisher? By then they have tied you up and been around the cash points for a few days nicking your money and buying high value goods.

        1. Joefish

          OK, I appreciate that Card+PIN counts as 'two factors',

          but they're pretty poor factors, and basically go hand-in-hand with each other. I can come up with a more secure password than four numeric digits that I have to enter in full view of whoever is behind me in pretty much every queue I find myself in nowadays, and who also gets to see which pocket my wallet goes into. As for my 'unique ID', anyone can get that emailed to them so it's hardly a security feature either. Anyone who's seen me enter my PIN and can then pick-pocket me for my card gets access now not just to a cashpoint (with is protected by daily withdrawal limits) but has full access to take out a loan in my name and transfer the money to a complete stranger. I would like to see a second secure factor involved that actually means something in security terms.

      4. John 48

        Barclays *is* two factor...

        The Barclays implementation requires something that you know: i.e. your PIN and your personal customer number (not the same as your account number), plus something that you have - i.e. your debit card.

    3. Craig 12

      I was more impressed when I had online banking for nigh on a decade without ever having a problem, or needing to carry a physical device with me everywhere just to log in to banking (HSBC). I rarely can be bothered to log in anymore, it's more of a hassle.

      While i'm ranting, HSBC also cocked up numerous things while I was abroad recently. If Natwest or Santander had a "we'll match every mortgage/loan/savings product of HSBC", I'd move today.

  5. Willington

    About 2 years ago, Blizzard made a statement to the effect that under certain circumstances a WoW authenticator could be compromised. The attack that they outlined was identical to this one, not surprising as the hardware is effectively the same. Last year my bank sent me an authenticator (about 2 years after I got the one from Blizzard) and must have been aware of the security issues but failed to mention them (I hope that's the case, the other alternative is that they were unaware which is worse by several factors). Why is it that Blizzard seem to care more about my security than my bank does?

  6. Tit for hat...

    The answer is obvious...

    The problem is the software and protocols used for the transactions.

    Highly secure software should be used to communicate with the banks, using secure communications protocols (perhaps even NEW protocols devised specifically for banking) NOT - repeat NOT - a browser.... banks have taken the cheap approach to allowing access to their systems and the resultant issues are predictable.

    1. Anonymous Coward
      Anonymous Coward

      re. The answer is obvious...

      "Highly secure software"

      > Written for which platforms? Windows, Mac, Linux, iOS, Android? And now I need admin rights on a computer to use if for banking; this just makes it easier to get malware on the machine.

      "using secure communications protocols"

      > We've already got loads of those (HTTPS etc.)

      "NOT - repeat NOT - a browser"

      > If you read the article, then it should be obvious that the "man in the browser" attack can also be the "man in the banking software" attack. All they need to do is replicate the user experience of the software and the user will treat it as if it is the the genuine article and hand over all the necessary credentials when it asks for them.

      1. Ian McNee

        re. re. The answer is obvious...

        Quite right - and going on from that the most secure protocols are those that are open and used billions of times every day as then the inevitable flaws will be found and fixed.

        The alternative is a bit of closed source code knocked-up by your bank who have a vested interest in claiming that it is secure and will use expensive lawyers against anyone who claims (or even demonstrates) otherwise. See Bagged and tagged's post above and the link to the truly excellent Light Blue Touchpaper security blog.

        Give me a secure open source OS and a secure open source browser every time.

        1. Anonymous Coward
          Anonymous Coward

          Open... and shut

          "Give me a secure open source OS and a secure open source browser every time."

          Yes, the keyword of course being SECURE. You would have to exclusively use security conscious distros and software, and preferably even review the code yourself. There's really no way to make absolutely sure that no malicious code is checked in with code contributions.

          Of course OS code gets reviewed. But with the amount of code being contributed to large active projects, if someone with malicious intent would gain enough trust, it would take a long time before anyone would notice something amiss.

  7. Anonymous Coward



    That's probably because the bank is interested in their security rather than your security

    Have a read of the story of Eve Russell at Ross Andersons website

    The security devices and PIN allow banks to claim wrongdoing or carelessness by the customer and deny failings in the bank system and/or fraud by bank employees.

    1. Anonymous Coward
      Anonymous Coward

      No they don't...

      It's written into law that the burden of proof is on the bank, PIN auth'd or not, they have to prove that that customer was there and involved in a fraud.

      Ross Anderson et al continually wheel this out with nothing other than "we've got some letters from some people" as proof.

  8. Anonymous Coward
    Anonymous Coward

    IronKey have an interesting approach

    Build a secure VM - there's a demo here including the attack listed above where 2-factor is useless (as you log in and THEN have your secure channel compromised)

    1. Anonymous Coward
      Anonymous Coward

      But is it bootable on the PC before you run the potentially compromised OS?

      If not, they still have access to the keyboard/mouse/video via a rootkit, and if the VM lacks steps to detect poisoned DNS, can still be directed to a fake site.

      OK, the sort of person who runs a VM for security is also likely the sort to check SSL certificates are valid, but given the recent spate of massive failures in the certificate chain model, that is not impossible to fake as well.

      1. Anonymous Coward
        Anonymous Coward

        In case you ask, I didn't view the demo as they asked for my contact details first...

  9. Anonymous Coward
    Anonymous Coward

    Some people are missing the point

    2-factor helps ensure that the person logging on or authorising a transaction is who they are. Separate channels for delivery, etc, all good points made above.

    However in this attack the malware is activated while the victim is logged in to their bank. It intercepts the visuals and modifies them. So for example if a user wants to transfer 50 quid to another account, the malware will intercept the info going to the bank and make that 10 grand to the criminal's account. The malware will rejig the pages so the victim sees the expected figures, but the bank sees the criminal's figures.

    It is a very specific, targeted attack obviously tailored to specific sites with a lot of attention to detail.

    The user then authorises the transfer and the criminal is sorted. Meanwhile the malware presents the updated figures to reflect what the victim thought they were doing. 2-factor means nothing here - it's like having a bad guy sat in your chair in your bank account, calling you over when he needs something authorising, but in this case totally hidden from view.

    1. Ocular Sinister

      On Nationwide's 2-factory system, you have to enter the sum into the calculator thing. If the criminal changed the sum, the generated code would not be valid. They could change the target account - but they may be encapsulated in the code that you have to supply to the calculator.

    2. Anonymous Coward
      Anonymous Coward

      Wont work with HSBC

      If I want to transfer £10k (or even £10) to another account I have to add that account to my list of payees. To do this I enter the the last 4 digits from the account code into the secure key and it then generates a 6 digit code to use. Without this I can not transfer money to another account. The six digit code is time dependant.

      If somebody gains access to my account via any means the only thing they can do is transfer money to one of the payees I have already set up. They can not transfer money to their own account without me setting the account up in the first place.

      1. Anonymous Coward
        Anonymous Coward

        The malware would hold the transaction and modify the page to say "We are sorry, your authentication failed, please enter these digits to validate your token and confirm the code here" and display the last 4 digits of the dodgy account. The victim enters them and confirms the code, and it then says "Thankyou, your token has been re-validated".

        Meanwhile they've actually authorised the fraudulent transaction on the real, invisible site behind what they are seeing. With the malware talking to the bank and the user being manipulated via a normal looking, https, Tusteer-enabled site, for example, they would have no reason to suspect there was anything wrong going on.

        Only a cynical, suspicious user might question the chain of events and abort, but the point is that the user's behaviour might save them but the technology per se hasn't.

        1. NomNomNom

          if someone had that much control over people's machine they would be better off just bringing up a popup saying "DANGEROUS VIRUSESES DETECTED ON YOUR MACHINE. YOU NEED TO BUY WINDOW ANTI VIRUS11!!! CLICK TO SEND THE MONIES!!11"

    3. Anomalous Cowherd Silver badge

      Point about two channels still stands

      All the bank needs to do is send you a text saying "You've asked to send £10k to Russian Brides Inc, a/c number 1234-12312312. To confirm enter the code 23123 in browser".

      The point about using two distinct channels is that they can't (yes, yes, insert caveat here) both be compromised, so you use one to verify the other. Two channels is distinct from two factor in this case, and I think it's an important distinction.

  10. Anonymous Coward
    Anonymous Coward

    I have an HSBC Account

    I am not sure what would happen if I was getting the code number from the 2nd Factor gadget, and something interrupted the process. There seems to be no way to synchronise the bank's number generator with mine, if the two get out of sync. What happens if, the 20th time I log in, I am supplying the 21st number from the gadget?

    1. Kevin Johnston

      Out of sync?

      It doesn't seem to be an issue as I suspect it 'catches up' in background. I had a few instances where I was slow/distracted and the number vanished of the dongle before I could enter it so I pushed the button again and got a new one which worked fine. I would hope that they have figured that possibility in and as long as the number you enter comes after the last one you used ( and is not too far out of sequence) it will let you pass.

    2. Anonymous Coward
      Anonymous Coward

      It doesn't have a list of numbers it works its way through.

      It has an internal clock and a unique key. It uses the time and the key to generate the pin number you type in on the website. In the bank they know the unique key of the device you use so they can calculate what the pin should be.

      1. mike cupcake

        Barclays doesn't use the current time in that way, you can make yourself a long list of login codes and then as long as you use them in order they'll work for months into the future.

  11. Jinxter

    Defence in Depth

    No security is infallible and there always has to be a focus on defence in depth.

    While a dual-authentication system is very robust (which still remains the case) the man in the middle attack may be implemented if a user does not take the appropriate precautions to ensure their system (i.e. desktop) is appropriately protected with updated malware\virus protection. The main reason this is not a 'popular' attack is that it has a very small attack time window and requires regular monitoring; the result being that it has very low value to an attacker in comparison to other attacks.

    It should be noted that certain banks do offer free browser addins that will provide additional protection that are particularly designed to protect against these attacks.

    While it is interesting that the BBC has done a report on this; as indicated by the comments above this is not a new attack and should not be considered your primary point of concern if you decide to use online banking or a chip-and-pin card in general.

  12. h3

    Like hell you would put the pin for the secure key into a website.

    This is a total non issue.

  13. Anonymous Coward

    Repost: In The Land Of The Cold Steel, Efficient Teutons

    ..I get an SMS onto my mobile phone which will display the amount of the transaction, the destination bank account number and a transaction ID. I then have to enter the transaction ID into the bank web page to complete the money transfer.

    The mobile phone number can only be changed by displaying my ID card at the bank and filling out some paperwork.

    Before that scheme, we had TAN (transaction authentication number) lists to confirm transactions. Each money transfer would consume one TAN.

  14. NomNomNom

    The real con men just create a bank

    1. BristolBachelor Gold badge

      Please; a little warning before you say things like that!

      <- My keyboard

  15. -tim
    Black Helicopters

    Too much security too often?

    Most of my online banking consists of checking the balance and sending money to exactly the same set of people. I expect 99% of online banking is about the same. In those cases, a hacker can't do anything other than over pay a bill. I don't want or need two factor for most operations even if it would be annoying to have someone else go through my records. What I need two factor for is when I'm adding a new account. Part of the reason PINs are needed for some low value transactions is that every time a PIN is entered, there is a risk its observed. What we need is different passwords and PINs for high value transactions but I don't think the general public will put up with that.

    1. Mark Morgan

      Re: Too much security too often?

      "Most of my online banking consists of checking the balance and sending money to exactly the same set of people."

      That certainly used to be the case but with cheques being phased out everybody you used to pay by cheque - builders, plumbers, electricians, etc - now need you to use the Fast Payment System (FPS - BACS on steroids) to transfer money to their account. But the banks now have you jumping through hoops just to add a payee making your life difficult.

      I initially though my Natwest card reader device was a neat idea but they then stopped me using it for both my business account and personal accounts and before long I've ended up with five of the beeldin' readers in the drawer, a special transaction card just to use for my business and no idea which is the right reader for what. I'd have to say that the Halifax Intelligent Finance way of doing it by giving you half a code online then texting you the other half is a lot easier.

  16. Nun of Thee Above


    "Hackers MAY be able..." "Isolated incidents of this type of fraud ['man-in-the-browser' attack] have cropped up..."

    I am constantly amazed that so few techies understand how 'man-in-the-browser' attacks work. Chris 68 gets it. He mentions that "in this attack the malware is activated while the victim is logged in to their bank. It intercepts the visuals and modifies them." Condiment doesn't, if he thinks that "the only thing they can do is transfer money to one of the payees I have already set up." I hope that he reads Chris 68's subsequent reply noting that "The malware would hold the transaction and modify the page..."

    As for "isolated"... Not! Read for a while, and scan some of the 80 or so articles he's written detailing count after count of this type of crime. Dunno about GB, but in the US commercial account holders are not reimbursed for losses due to fraud. Instead of fixing the problem, banks throw money at lawyers to make it more difficult for customers to sue their banker. For several years malware has circumvented all known types of 2-factor auth, including redirecting cell phone numbers to the bot-master's phones.

    Krebs convinced me with his first article in 2009 that booting Linux from a Live CD or Live USB is arguably the best possible protection from all of this. But, of course, it's inconvenient so no one will bother. After using this for a bit, I love the convenience... It's the ultimate portable app, with all of your account and app settings, along with encrypted data, available from the same USB stick booted using any PC or Mac with 1.5 Gig of RAM and a USB port.


    1. Anonymous Coward
      Anonymous Coward

      Wow 2

      Not sure you get it actually.

      If you know what the PIN security device does for decent accounts then it doesn't matter if you are logged in you could let the criminal sit down at you PC while you go to the toilet. To transfer money to a new account you have to type the amount in to your device and the account number to get a code to authorise the transfer.

      At this point you're going to think, why is my bank asking me to authorise a transaction to an unknown account for 100k?

      If you have no clue at all then the site could tell you "pick up your authenticator and type these numbers in to it as we're just checking xyz" but you're also then the person who would fall for a 419 as well.

      As for Bot Masters are hacking into the mobile phone networks to redirect phone calls and texts? Really? You'll need to provide some evidence of that one.

      1. DragonLord


        What they're actually doing is another MITM attack to change your contact number from the one you supplied to one of theirs. They then phone you from their phone with the altered details

  17. Anonymous Coward
    Anonymous Coward

    Safe online Banking

    > A spokeswoman for Financial Fraud Action told El Reg that the attack scenario illustrated the importance of keeping computer security up to date, as well as taking advantage of any additional security measures their bank might provide.

    Boot from a CD and then do your online banking ..

  18. Dick Emery

    Burden of prof should not be needed

    Most banking systems follow your spending habits rather closely and if anything odd occurs should get flagged. I once had suspicious activity on my CC and had a letter sent asking if I had made them to which the answer was no. If you get scammed it should be rather straightforward to prove you did not make the transaction if it does not fall within your spending habits. Not foolproof of course but it is another thing you can use to dispute any discrepencies.

  19. OSlater


    NatWest customers are vulnerable to this paticular for of attack, as the site employs a challenge-response method, in which you generate a response code based on a 8 digit code onscreen. For a hacker to initially compromise the main login, then serve the 8 digit code on ther screen would be the implimentation of such an attack.

    I'm intriqued to read the methods other banks have implemented such as code generation based upon transaction details and phone verification, which sadly NatWest do not use, perhaps it's something in the works.

    In addition, the NatWest pin-thingy doesn't allow account number entry etc, so I'm assuming cannot be used for other banks.

    1. Anonymous Coward
      Anonymous Coward

      Nat west pin thingy

      I can use my partner's Smile (Co-op) PIN thing for my RBS (same as NatWest) account. Also I can use her Nationwide (or some other building society, I can't quite remember) pin thing for my Coop account.

      The key is the chip on the card, the PIN thing is a dumb box with a keyboard.

  20. MikeLordi

    A constant battle

    It really is amazing how quickly hackers are able to find exploits in the newest security technology. It’s a constant battle to consistently stay ahead in order to further protect customer data. We see it all the time in distributed denial of service attacks - and unfortunately, even the smallest attack could have terrible results.

    Case in point is the latest report by Radware’s Emergency Response Team. (You can read more from the report here:

    They found that most DDoS attacks actually use less bandwidth than originally thought. While the belief is using less bandwidth means it’s a less harmful attack, the truth is that it all depends on where the hacker has decided to infiltrate the network. If they’re using the application layer, then it could potentially be a much more harmful break-in. This just goes to show the need to protect the network from attacks of all sizes.

    Mike Lordi, Radware

  21. Zog The Undeniable

    The readers I've used

    don't have a time-dependent code either. The device uses the chip and PIN of your card to create a hash of the amount and destination account number for any outgoing payments, which the server is able to check. The code could be re-used, but only to send the same amount to the same destination.

  22. monstercookie

    Quite a few posters on this thread - good to see such lively discussion. I'm always curious to know how many people/ customers have actually lost money due to online banking fraud e.g. phishing, mitb etc

    I gather in many cases that if there is any doubt about culpability, the banks themselves are taking the hit, and not passing on to customers. There have been some cases that I'm aware of, published in the press, where the customer has done something silly and the bank holds them liable but this is quite rare, or is it?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022