One-time passwords are vulnerable to new hacking techniques.
In mid-July, an account manager at Ferma, a construction firm in Mountain View, CA, logged in to the company’s bank account to pay bills, using a one-time password to make the transactions more secure.
Yet the manager’s computer had a hitchhiker. A forensic analysis performed later would reveal that an earlier visit to another website had allowed a malicious program to invade his computer. While the manager issued legitimate payments, the program initiated 27 transactions to various bank accounts, siphoning off $447,000 in a matter of minutes. “They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,” says Roy Ferrari, Ferma’s president.
The theft happened despite Ferma’s use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs–real-time Trojan horses–that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. “I think it’s a broken model,” Ferrari says.
Security experts say that banks and consumers alike need to adapt–that banks should offer their account holders more security and consumers should take more steps to stay secure, especially protecting the computers they use for financial transactions.
“We have to fundamentally rethink how customers interact with their banks online,” says Joe Stewart, director of malware research for security firm SecureWorks, in Atlanta, GA. “Putting all the issues with the technology aside, if [attackers] can run their code on your system, they can do anything you can do on your computer. They can become you.”
Bedford, MA-based security company RSA, which manufactures a one-time password device known as SecurID, argues that neither companies nor consumers should rely on any single factor to secure their transactions. Sam Curry, vice president of product marketing for the firm, which is now a division of EMC, says that one-time password technology and other additional security measures can raise the bar against attackers but will not keep them out forever. “Companies should be very leery of both prophecies of doom, like the death of a technology, [and] rosy visions of security,” Curry says. “Everything is breakable.”
Security measures may not eliminate a threat, but they can make it more costly for criminals to use a particular type of attack, Curry adds. The issue is to find the best combination of cost, usability, and security for the consumer.