First published: 30th April 2007
Four ABN Amro customers have been compensated by the bank for fraudulent withdrawals from their accounts. Criminals sent the victims forged emails, supposedly from the bank, with a trojan attached. The trojan redirected the victims to a fake bank website that requested their login details, including the temporary password from their security token. Because that password is only valid briefly, the criminals relayed it immediately: they used the captured details to log in to the real bank website at the same time and make a withdrawal for their own benefit.
However, the incident can be viewed differently:
- Like every phishing scam, this isn't a failure of two-factor authentication; it is a failure of the bank to authenticate itself to the customer. The token proves who the customer is, but it says nothing about which transaction the customer meant to authorise, so a code relayed in real time is accepted for whatever order the attacker submits.
- PKI can deal with the man-in-the-middle. Essentially, the attacker is changing the message in transit, so if the customer digitally signs the transaction itself, any modification becomes obvious when the bank's signature check fails. The caveat is that the signature must be produced on a device the attacker cannot control, over the transaction the customer actually saw.
- A general-purpose computer is unsuitable for secure transactions. We should build secure devices (PDA size) that are *only* used for signing. Download the document to be signed to the device (via USB, Bluetooth, etc.), read the document on the integral screen, plug your token/smartcard holding your private key into the device, sign, and upload. Any attempt to modify the device (hardware or software) must break it.
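The three points above describe a protocol change rather than a product. The following Go program, added here as an illustration and not part of the original post, contrasts the two schemes: a one-time code from a token authenticates the customer but is not bound to any transaction, so a code relayed from a fake site authorises whatever order the attacker submits, whereas a signature made over the transaction text on a dedicated device fails the moment a man-in-the-middle alters the payee, amount or nonce. Ed25519 as the signature algorithm, the HMAC-based model of the token, the field names, the bank-issued nonce and the sample account numbers are all this example's assumptions; the post names none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transaction is the payment order the customer intends to authorise.
// Field names and the nonce are this example's assumptions, not the bank's format.
type Transaction struct {
	Payee  string // beneficiary account
	Amount int64  // in cents
	Nonce  string // bank-issued, single-use, so a valid signature cannot be replayed
}

// canonical is the exact byte string the signing device displays and signs, and
// the bank reconstructs from the order it received. Any field change alters it.
func canonical(tx Transaction) []byte {
	return []byte(fmt.Sprintf("payee=%s;amount=%d;nonce=%s", tx.Payee, tx.Amount, tx.Nonce))
}

// otpCode models the security token: an HMAC over a moving counter, truncated to six
// digits. Nothing about the transaction is an input to the code.
func otpCode(secret []byte, counter uint64) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac := hmac.New(sha256.New, secret)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// bankAcceptsOTP is the bank's check in the scheme the article describes. The code
// proves the customer's token produced it; the transaction is not bound, so whatever
// order arrives alongside a valid code is executed. A phishing site that relays the
// code in real time therefore gets its own order accepted.
func bankAcceptsOTP(secret []byte, counter uint64, code string, tx Transaction) bool {
	return hmac.Equal([]byte(code), []byte(otpCode(secret, counter)))
}

// SigningDevice models the dedicated device: the private key never leaves it and the
// customer reads the transaction on the device's own screen before pressing "sign".
type SigningDevice struct {
	Pub  ed25519.PublicKey // registered with the bank at enrolment
	priv ed25519.PrivateKey
}

func NewSigningDevice() (*SigningDevice, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningDevice{Pub: pub, priv: priv}, nil
}

// Sign is only called for a transaction the customer has seen on the device itself.
func (d *SigningDevice) Sign(tx Transaction) []byte {
	return ed25519.Sign(d.priv, canonical(tx))
}

// bankAcceptsSigned verifies the signature against the order the bank actually
// received. A man-in-the-middle who altered payee, amount or nonce fails here.
func bankAcceptsSigned(pub ed25519.PublicKey, tx Transaction, sig []byte) bool {
	return ed25519.Verify(pub, canonical(tx), sig)
}

func main() {
	// Constructed sample data: the customer's intended payment and the attacker's version.
	intended := Transaction{Payee: "NL00RENT0000000001", Amount: 95000, Nonce: "000123"}
	tampered := intended
	tampered.Payee = "NL00MULE0000000002"

	// Scheme 1: one-time code relayed by the phishing site.
	secret := []byte("constructed-token-seed")
	code := otpCode(secret, 42) // what the victim typed into the fake site
	fmt.Println("OTP, intended order accepted:", bankAcceptsOTP(secret, 42, code, intended))
	fmt.Println("OTP, attacker's order accepted:", bankAcceptsOTP(secret, 42, code, tampered))

	// Scheme 2: transaction signed on the dedicated device.
	dev, err := NewSigningDevice()
	if err != nil {
		panic(err)
	}
	sig := dev.Sign(intended) // the attacker can relay this, but only for this exact order
	fmt.Println("Signed, intended order accepted:", bankAcceptsSigned(dev.Pub, intended, sig))
	fmt.Println("Signed, attacker's order accepted:", bankAcceptsSigned(dev.Pub, tampered, sig))
}
```

The signature scheme only helps if `canonical` is what the customer actually read on the device's own screen; if the bytes to be signed were assembled on the infected PC and merely passed through, the attacker can substitute the order before signing and the check proves nothing.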
But the bottom line is that criminals are highly motivated when stealing, and banks have a tendency to evaluate security solutions more on short-term cost and "user friendliness" than on actual security.