
Flaws have been found in the security devices used to
authenticate online bank users.
Researchers at Cambridge University found weaknesses when they
reverse engineered card readers from Barclays and NatWest.
Bank customers use the card readers in conjunction with a bank
card to produce a one-time password. Banks introduced the readers
to reduce losses from phishing scams and keylogger attacks.
Researchers Saar Drimer, Steven J Murdoch and Ross Anderson
presented their paper, "Optimised to Fail: Card readers for online
banking", at the Financial Cryptography 2009 conference yesterday.
"We found numerous weaknesses that are due to design errors such
as reusing authentication tokens, overloading data semantics, and
failing to ensure freshness of responses. The overall strategic
error was excessive optimisation," said the researchers.
They said that one-time passwords were vulnerable to real-time
man-in-the-middle attacks.
"Here, the malware or phishing website initiates a fraudulent
transaction with the customer's bank at the same time as it prompts
the customer for their password or one-time code," said the
researchers. The attack can be timed to fire when the customer
attempts a genuine transaction, rather than prompting them to start
one, so the customer is asked for a code at exactly the moment they
expect to be.
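The relay described above, as an added illustration that is not part of the original article and not the researchers' code. It uses a toy HMAC-based one-time code and a toy bank, not the CAP/EMV computation the real readers perform; the account name, amounts and payee names are constructed. The point it shows is why the code's binding matters: a code that depends only on the bank's challenge is accepted for whatever transaction the attacker opened, while a code that also covers the amount and payee the victim keyed into the reader fails for the attacker's transaction. It also shows the single-use challenge that stops a captured code being replayed.

```python
import hashlib
import hmac
import secrets


def otp(key: bytes, *fields: str) -> str:
    """Toy one-time code: an 8-digit truncation of HMAC-SHA256 over the fields.
    A stand-in for the card's real cryptogram, not the CAP/EMV computation."""
    digest = hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Reader:
    """Card plus reader: holds the card key and computes codes from what the
    user keys in. identify() binds the code only to the bank's challenge;
    respond() also binds it to the amount and payee the user types."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def identify(self, nonce: str) -> str:
        return otp(self.key, nonce)

    def respond(self, nonce: str, amount: int, payee: str) -> str:
        return otp(self.key, nonce, str(amount), payee)


class Bank:
    def __init__(self, bind_to_transaction: bool) -> None:
        self.bind = bind_to_transaction
        self.keys: dict[str, bytes] = {}        # account -> card key (constructed)
        self.pending: dict[str, tuple] = {}     # nonce -> (account, amount, payee)

    def enrol(self, account: str, key: bytes) -> None:
        self.keys[account] = key

    def start_payment(self, account: str, amount: int, payee: str) -> str:
        nonce = secrets.token_hex(4)            # fresh challenge per attempt
        self.pending[nonce] = (account, amount, payee)
        return nonce

    def finish_payment(self, nonce: str, code: str) -> bool:
        if nonce not in self.pending:           # unknown or already-used challenge
            return False
        account, amount, payee = self.pending.pop(nonce)  # single use: no replay
        key = self.keys[account]
        if self.bind:
            expected = otp(key, nonce, str(amount), payee)
        else:
            expected = otp(key, nonce)
        return hmac.compare_digest(expected, code)


def _setup(bind_to_transaction: bool):
    bank = Bank(bind_to_transaction)
    key = secrets.token_bytes(16)
    bank.enrol("victim", key)                   # hypothetical account name
    return bank, Reader(key)


def legitimate_payment(bind_to_transaction: bool) -> bool:
    """Honest flow: the victim pays 50 to Alice and the bank accepts."""
    bank, reader = _setup(bind_to_transaction)
    nonce = bank.start_payment("victim", 50, "Alice")
    code = reader.respond(nonce, 50, "Alice") if bind_to_transaction else reader.identify(nonce)
    return bank.finish_payment(nonce, code)


def mitm_attack(bind_to_transaction: bool) -> bool:
    """Real-time man-in-the-middle. The victim intends to pay 50 to Alice;
    malware on the PC instead opens a payment of 5000 to a mule account,
    relays the bank's challenge to the victim, and forwards the resulting
    code. Returns True if the fraudulent payment is accepted."""
    bank, reader = _setup(bind_to_transaction)
    nonce = bank.start_payment("victim", 5000, "Mule")    # attacker's transaction
    if bind_to_transaction:
        code = reader.respond(nonce, 50, "Alice")         # victim keys in *their* details
    else:
        code = reader.identify(nonce)                     # code depends on the challenge only
    return bank.finish_payment(nonce, code)


def replay_rejected() -> bool:
    """A captured code cannot be used a second time: the challenge is consumed."""
    bank, reader = _setup(False)
    nonce = bank.start_payment("victim", 50, "Alice")
    code = reader.identify(nonce)
    first = bank.finish_payment(nonce, code)
    second = bank.finish_payment(nonce, code)
    return first and not second


if __name__ == "__main__":
    print("identify-only code, fraudulent payment accepted:", mitm_attack(False))   # True
    print("transaction-bound code, fraudulent payment accepted:", mitm_attack(True))  # False
```

The transaction-bound variant only helps if the amount and payee are keyed into the reader's own keypad and checked on its own display; if the malware's prompt simply tells the victim which figures to type, the reader will happily sign the attacker's transaction, which is why the binding has to be visible to the user and not just present in the cryptography.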
The Association of Payments and Clearing Services (Apacs) said
banks must consider factors such as usability when designing
security systems.
"What the research does not take into consideration is the
banking industry has to balance usability with fraud prevention,"
said an Apacs spokesman. "The banks that are most actively involved
in these programmes have reported falls in the amount of
fraud."
According to Apacs, 21 million people in the UK used online banking
in the first six months of 2008, a period in which the organisation
reported £21.4m in online banking fraud losses. This compared with
£7.5m in 2007 but was lower than the £22.4m lost in 2006.
The Apacs spokesman said that the specific weaknesses that have
been identified by the researchers have never been used to commit
fraud.
Barclays said in July that no online customer using its
two-factor authentication security device had been hit by
fraud.