FBI / FS-ISAC / IC3 Warn of New Wave of Attacks Against FIs.
Out-of-band authentication is recommended as a defense, but not all out-of-band form factors are equal.
On Monday, September 17, the IC3 web site (www.ic3.org) and the FBI issued a warning about a new wave of attacks against U.S. financial institutions. Of particular concern, the attacks are preceded by phishing and malware campaigns targeted at bank employees. Armed with an employee's logon credentials, the criminals are able to target high-value accounts and initiate funds transfers. Compounding the attack, the criminals also launch DDoS (Distributed Denial of Service) attacks against the institution to distract the IT and security staff, buying time both to cover their tracks and for the illicit transactions to clear. You can view the text of the alert here.
Among the recommendations in the alert: "Strongly consider implementing an out of band authorization prior to allowing wire transfers to execute". While the Authentify team is happy to see out-of-band authentication recognized for its effectiveness, it is important to also recognize that not all form factors of out-of-band authentication offer the same security strength. An SMS OTP string delivered to the phone but then typed into the computer is handed straight back to the compromised channel: a man-in-the-middle (MITM) relay, a man-in-the-browser (MITB) Trojan or a keystroke logger can capture it and use it in real time. A voice call, like those recommended by Authentify, that requires an interactive exchange FROM the screen INTO the phone reverses that direction: the code is displayed on screen and must be keyed into the phone. This is an effective way to beat these attacks because the most broad-based attacks capture information from the browser/internet stream; they typically do not have access to the end user's phone. Since the back-end server will only accept the authorization over the phone channel, a transfer for which nothing arrives on that channel fails.
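The difference between the two form factors is easiest to see in a simulation. The following is an added example written for this post, not Authentify's code or any vendor's API; the class names (AuthServer, Handset, AccountHolder, Attacker), the six-digit codes and the 120-second validity window are all assumptions. It models an attacker who has the phished credentials and full control of the browser channel (a phishing page or MITB overlay that can read and write whatever the employee sees and types) but holds no reference to the registered handset. In the SMS mode the code crosses the browser channel on its way back to the server, so a real-time relay captures it; in the screen-to-phone mode the code must come back over the handset, which the attacker cannot reach. Note what the model does not cover: an account holder who is talked into keying a code for a transfer they did not start, or malware that rewrites payee and amount before the server issues the code. Against those the call itself has to read back the transfer details so the holder can check them before keying anything.

```python
"""Constructed simulation of SMS-OTP versus screen-to-phone out-of-band
authorization. All names and policies are assumptions for this example."""
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 120      # seconds a code stays valid (assumed policy)


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount: int


class Handset:
    """The account holder's registered phone. Only the server (via the carrier)
    and the person holding it can touch this object; the attacker never gets a
    reference to it, which is the property being demonstrated."""
    def __init__(self):
        self.sms_inbox = []      # codes pushed to the phone by SMS
        self.ringing_for = None  # txn_id the voice call is asking about
        self.keypad = ""         # digits keyed into that call


class AuthServer:
    def __init__(self, handset):
        self.handset = handset
        self.pending = {}        # txn_id -> (Transfer, code, issued_at)

    def _issue(self, transfer, now):
        txn_id, code = secrets.token_hex(4), f"{secrets.randbelow(10**6):06d}"
        self.pending[txn_id] = (transfer, code, now)
        return txn_id, code

    def _check(self, txn_id, presented, now):
        transfer, code, issued = self.pending.pop(txn_id)
        ok = now - issued <= CODE_TTL and hmac.compare_digest(code, presented)
        return ("executed" if ok else "rejected", transfer)

    # Mode A: SMS OTP. The code goes OUT on the phone channel and comes BACK
    # on the browser channel, where malware or a phishing page can read it.
    def sms_start(self, transfer, now):
        txn_id, code = self._issue(transfer, now)
        self.handset.sms_inbox.append(code)
        return txn_id

    def sms_finish(self, txn_id, code_from_browser, now):
        return self._check(txn_id, code_from_browser, now)

    # Mode B: screen-to-phone. The code goes OUT on the browser channel (anyone
    # watching the screen sees it) and must come BACK on the phone channel.
    def call_start(self, transfer, now):
        txn_id, code = self._issue(transfer, now)
        self.handset.ringing_for = txn_id     # server dials the registered number
        return txn_id, code                   # code is displayed on screen

    def call_finish(self, txn_id, now):
        keyed = self.handset.keypad if self.handset.ringing_for == txn_id else ""
        self.handset.ringing_for, self.handset.keypad = None, ""
        return self._check(txn_id, keyed, now)


class AccountHolder:
    """The phished employee, acting in good faith."""
    def __init__(self, handset):
        self.handset = handset

    def relay_sms_code(self, page):
        # A phishing page or MITB overlay asks for "the code we just texted you".
        page["typed_code"] = self.handset.sms_inbox.pop()

    def answer_call(self, code_on_own_screen):
        # Keys a code into the call only if one is on their own screen for a
        # transfer they started; if they started nothing, nothing gets keyed.
        if code_on_own_screen is not None:
            self.handset.keypad = code_on_own_screen


class Attacker:
    """Has the stolen credentials and the whole browser channel, but no Handset."""
    FRAUD = Transfer("mule account 4471", 250_000)   # constructed sample transfer

    def __init__(self, server):
        self.server, self.page = server, {}

    def via_sms_otp(self, victim, now=0):
        txn_id = self.server.sms_start(self.FRAUD, now)
        victim.relay_sms_code(self.page)      # real-time phishing relay of the OTP
        return self.server.sms_finish(txn_id, self.page["typed_code"], now + 5)

    def via_screen_to_phone(self, victim, now=0):
        txn_id, code = self.server.call_start(self.FRAUD, now)
        self.page["seen_code"] = code         # attacker sees it but cannot key it in
        victim.answer_call(None)              # the victim started no transfer
        return self.server.call_finish(txn_id, now + 5)


def run_scenarios():
    """Outcome of each flow, legitimate and attacked, as a dict of results."""
    results, handset = {}, Handset()
    server, employee = AuthServer(handset), AccountHolder(handset)
    legit = Transfer("approved supplier", 12_000)     # constructed sample transfer

    t = server.sms_start(legit, now=0)
    results["legit_sms"] = server.sms_finish(t, handset.sms_inbox.pop(), now=5)[0]
    results["attack_sms"] = Attacker(server).via_sms_otp(employee)[0]

    t, code = server.call_start(legit, now=0)
    employee.answer_call(code)                        # code is on their own screen
    results["legit_call"] = server.call_finish(t, now=5)[0]
    results["attack_call"] = Attacker(server).via_screen_to_phone(employee)[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12s} {outcome}")
```

Running it shows both legitimate flows executing, the SMS-OTP flow also executing for the attacker's transfer because the relayed code is indistinguishable from the employee's own, and the screen-to-phone flow rejecting the attacker's transfer because the only accepted input is the keypad of the registered handset.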
These attacks also point to another link in the security chain that is becoming critical: a customer's address and telephone information. The Gramm-Leach-Bliley Act (Financial Services Modernization Act) included prohibitions against making unauthenticated changes to an account holder's personal information. As the proliferation of mobile devices continues and the mobile device becomes more central to the customer's "digital identity", the registered telephone number deserves the same care and protection as user IDs and account numbers: an attacker who can change the number on file can redirect the out-of-band channel to a phone he controls. Something to think about.