Marian Kogler is Managing Director of syret GmbH, an IT security company based in Halle an der Saale. Together with his team, he advises companies in various sectors, including banks, and public institutions in German-speaking countries on all IT security issues, conducts penetration tests (simulated attacks on systems carried out with the owner’s consent to find vulnerabilities) and investigates IT security incidents.
Mr. Kogler, what are the risks associated with online banking?
The greatest risk is always the unauthorized transfer, i.e. that an attacker succeeds in transferring money from your account to an account controlled by him. There is a veritable criminal industry around this concept, with one party providing phishing campaigns to obtain account numbers and PINs, the next providing bank drops, i.e. accounts opened in false names to which the attacker can initiate the transfer, and the third providing malware to read TANs.
The money is then sent through the banking system via many different accounts in different countries by flash transfer until it can no longer be traced or even reversed.
But other attack scenarios are also conceivable. For example, an attacker could buy large quantities of an almost worthless share and then try to access the securities accounts of other bank customers. He then sells all the securities in the cracked portfolio and buys the previously selected share, which causes the price to shoot up, and he can sell his own shares at a profit, which of course causes the price to fall again. The victims are then left with almost worthless shares.
What measures are being taken by the banks to counter this?
The most common measure, which is now mandatory for payments in most cases, is two-factor authentication, meaning that you not only have to enter a password or PIN, but also prove that you own a device or authenticate yourself with a fingerprint, for example.
Does two-factor authentication mean absolute security?
No, there is no such thing as absolute security anyway, but two-factor authentication is often implemented incorrectly. For example, it is becoming increasingly common for the smartphone to be used as a device for both initiating and confirming payments (mobile banking). However, it is now possible that the smartphone has been compromised and the attacker can manipulate both factors.
Smartphones being compromised is also not a theoretical possibility, but a reality. As became known a few months ago, the Chinese secret service managed to find a bug in iOS. It was then enough to visit a certain website with an iPhone or iPad and the device’s system software was infected – all app protection measures could be bypassed in this way. In the meantime, the code used is also public, so anyone can now build such a website.
So the two factors should be distributed across different devices?
Exactly, although it also depends on what the two factors are. This means that the mTAN or smsTAN procedure can be tricked quite easily. One option is to order a new SIM card in the victim’s name and then receive the SMS.
I tried this once with a mobile operator and a test cell phone. I only had to give my name and address and confirm my date of birth; I could even specify a different address to which the new SIM card should be sent. The SIM card was in my mailbox within three days, as a normal letter, not a registered letter.
The other option is a little more complicated and requires access to the SS7 network, the network that connects all mobile network operators in the world. The attacker then claims to be a network operator somewhere in the world and that the victim is currently roaming, and nobody checks whether this is actually the case. The real network operator then forwards all text messages to the attacker.
Both options have already been used against bank customers in practice. Biometric security features such as fingerprints can also be easily defeated with the sensors commonly used in smartphones with a bit of tinkering or a 3D printer.
Allow us to finish with a personal question. Do you use online banking and if so, how?
Yes, I use online banking, because offline banking also has its risks – think of forged signatures. I use a separate smart card reader for two-factor authentication. Apart from the optical sensor for the flicker code, the interface to the smart card and the buttons, this has no external interfaces that an attacker could use to compromise the system. I also always make sure that the IBAN displayed on the chip card reader and the amount are correct before I authorize a transfer.
Mr. Kogler, thank you for the interview.
syret GmbH on the Internet: https://syret.de