back to article Online bank punters tricked into approving theft of their OWN CASH

Security researchers have discovered a malware-based attack against the chipTAN system used by bank customers in Germany to authorise transactions online. The chipTAN system involves the use of a card reader into which a chip-n-PIN bank card is inserted, which generates a transaction authentication number (TAN) used to green- …

COMMENTS

This topic is closed for new posts.
  1. Silverburn
    Holmes

    C'mon, name and shame...which bank???

  2. Gabor Laszlo
    Facepalm

    Stupidity is a luxury

    and luxury must be paid for.

    My bank (HVB) sends TANS by SMS with the transaction details, which then have to be entered into the webform. I'd like to see someone circumvent that :D

    1. Silverburn

      Re: Stupidity is a luxury

      No probs: what's your logon details?

      Lets hope I can't edit your destination SMS number without an mTAN...

      1. Remy Redert

        Re: Stupidity is a luxury

        If it's anything like the TAN SMS system used by my bank, changing the phone number requires either going to the bank in person, with the bank card and ID or going through a lengthy process involving snail mail and verification from the old phone.

    2. Scott Wheeler
      Headmaster

      Re: Stupidity is a luxury

      SMS is a reasonably secure transport, but it relies on the handset being trustworthy. In the past two important phones (Nokia 6210i and Ericsson T610, I think) had Bluetooth bugs such that it was possible to pair with them without authentication, then read and delete an SMS without the user's knowledge. These days there may be other vulnerabilities introduced by Smartphones with malware installed, which could allow receiving and manipulating SMS from a distance.

      I don't want to give the impression that SMS authentication is a bad method: it isn't, particularly if it is part of two-factor authentication. However as with most methods, it cannot be seen as a silver bullet.

      1. Gabor Laszlo

        Re: Stupidity is a luxury

        I make sure to use a very dumb phone for this, and for a BT attack one would need if not access at least proximity.

    3. SImon Hobson Silver badge
      FAIL

      Re: Stupidity is a luxury

      >> My bank sends TANS by SMS .... I'd like to see someone circumvent that :D

      Already been demonstrated, so you can wipe that smug expression off your face.

      http://www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/

  3. Anonymous Coward
    Anonymous Coward

    Injecting Code

    Banks should randomise HTML div names etc when generating the web pages.

    This would make is a lot more difficult for malware to inject code in the right places..

  4. Anonymous Coward
    Linux

    Malware attack against the chipTAN

    Any idea as to what Operating System this malware runs on?

    1. Ken Hagan Gold badge

      Re: Malware attack against the chipTAN

      Well it's a German bank, so I imagine it is Linux.

      1. Lars Silver badge
        Happy

        Re: Malware attack against the chipTAN

        Sad to say it, but it's hardly Linux. You do find Linux on POS systems like Wincor Nixdorf. Or are you perhaps sarcastic Ken. Nixdorf used to deliver banking terminals but that was a long time ago.

        Perhaps somebody has more up to date information.

        1. Anonymous Coward
          Thumb Down

          Re: Malware attack against the chipTAN

          It is the users machines that are affected, not the banks. Quote "...by fooling users of malware-infected machines..." unquote.

This topic is closed for new posts.