Operation High Roller, as it is now known, is a sophisticated attack on the customer accounts of 60+ banks, via internet banking, that has netted the bad guys between £46 million and £1.6 billion, depending on which article you read.
As you might have read yesterday, Operation High Roller relies on malware on a victim's PC that alters the way a bank's internet banking site looks and reacts. The malware obtains legitimate logon and validation details from a user by tricking the user into thinking that they are responding to the bank's website.
Once in possession of the details, the attacker is then able to use those details to transfer money out of the victim's bank account all while displaying an error, or 'please wait' screen to the user. Furthermore, to cover the bad guys' tracks, the malware will also remove evidence of the fraudulent transfers from the internet banking transaction list and block access to downloadable statements so it can't be traced or recovered.
Many banks utilise a two-factor authentication (2FA) system that combines something you know with something you have. Solutions banks use range from clumsy card reader devices to SMS/text messaging, each with their own merits and pitfalls. These systems aim to prove that you are who you say you are, and not to prove that you are doing what you mean to do.
With the High Roller attack, the bad guy gets around 2FA systems by getting the user to enter the valid 2FA information/one-time password (OTP) into their browser. The malware is then able to give this information to the fraudster to use in an attack either directly from the user's machine, or from a remote server – all while showing the user a fake page. Once the fraudster has a valid and unused OTP they can then use it to process their own fraudulent transaction as if they were the legitimate user.
While cleaning out the malware is certainly a good start, it's only a matter of time until there is another variant. One needs to look beyond all the fiendishly clever technology and methodology of what makes the High Roller attack successful and focus on the fundamental weakness the attack exploits.
The main weakness is that the actual transaction is not being validated. Instead, the user is being validated at the point of the transaction – two very different things. What is needed is a validation system that can validate the user and the transaction at the same time in a single step.
By doing so there is no room for the bad guy to get valid OTP information before the transaction or to change the transaction information after the user has entered a valid OTP code. Furthermore, the user and transaction elements must be inseparable to the web browser so there is no foothold for malware in the process.
We launched PINgrid, which uses Matrix Pattern Authentication technology and only requires a user to remember a pattern: a sequence of squares in a grid. The trick to the user validation process is that the pattern itself is never transmitted during login. PINgrid creates an OTP by placing seemingly random numbers in a matrix, and the user identifies their memorised squares by entering the numbers contained in them.
The security in this process lies in the fact that the bank's server can make use of the known 2FA hardware ID and the account number when validating the transaction code at the same time. As such, if malware were to modify the transaction information en route to the bank, the transaction code would fail and the bank would not send the money.
In addition, any OTP derived without the account number, e.g. during initial logon, would not be able to validate the transaction and again the bank would not send the money.
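To make the difference between "validating the user" and "validating the transaction" concrete, here is an added illustrative example. It is not PINgrid's algorithm or Winfrasoft's code; it is a generic transaction-bound grid code built for this page. Assumptions (none of which come from the original): a 6x6 grid, HMAC-SHA256 as the keyed function that fills the grid, a per-device secret shared with the bank, a 60-second time window, and constructed device IDs, account numbers and amounts. The grid is derived from the device ID plus the transaction the user is authorising, so a code read off a grid for one payment is useless for a different payment, and a code read off a logon grid is useless for any payment. A context-free OTP is included alongside it to show why the Man-in-the-Browser swap succeeds against it.

```python
"""Transaction-bound pattern OTP versus a user-only OTP.

Added illustrative construction, NOT PINgrid's algorithm. Assumed: a 6x6 grid,
HMAC-SHA256 as the keyed PRF, a device secret shared with the bank, a 60 s
time window. All IDs, accounts and amounts below are constructed demo data.
"""
import hashlib
import hmac
import time

GRID_CELLS = 36                                   # assumed 6x6 grid
DEVICE_ID = "HW-0001"                             # constructed hardware ID
DEVICE_SECRET = b"demo-shared-secret-not-real"    # constructed; provisioned to device and bank
PATTERN = [0, 7, 14, 21, 28, 35]                  # user's memorised cells (a diagonal), held by the bank, never sent
LOGON_CONTEXT = "LOGON"


def current_window(step_seconds=60):
    """Time window so a grid (and its code) is only valid briefly (assumed 60 s step)."""
    return int(time.time() // step_seconds)


def payment_context(dest_account, amount_pence):
    """Bind the code to WHAT is being authorised, not only WHO is authorising it."""
    return f"PAY|{dest_account}|{amount_pence}"


def make_grid(device_id, context, window):
    """Fill the grid with digits from HMAC(secret, device_id|context|window|counter).

    Looks random to the user (and to malware), but the bank can reproduce it
    because it knows the secret, the device ID and the claimed transaction.
    (b % 10 is slightly biased; acceptable for illustration, not for production.)
    """
    digits = []
    counter = 0
    while len(digits) < GRID_CELLS:
        msg = f"{device_id}|{context}|{window}|{counter}".encode()
        block = hmac.new(DEVICE_SECRET, msg, hashlib.sha256).digest()
        digits.extend(b % 10 for b in block)
        counter += 1
    return digits[:GRID_CELLS]


def read_code(grid, pattern):
    """What the user types: the digits sitting in their memorised cells."""
    return "".join(str(grid[i]) for i in pattern)


def bank_verify(device_id, context, window, code):
    """Bank regenerates the grid for the transaction it was ASKED to make and compares."""
    expected = read_code(make_grid(device_id, context, window), PATTERN)
    return hmac.compare_digest(expected, code)


def honest_payment(window=1000):
    """User authorises 250.00 to MERCHANT-001; the same details reach the bank."""
    ctx = payment_context("MERCHANT-001", 25000)
    code = read_code(make_grid(DEVICE_ID, ctx, window), PATTERN)
    return bank_verify(DEVICE_ID, ctx, window, code)


def malware_swaps_destination(window=1000):
    """High Roller style: user approves MERCHANT-001, malware forwards the code
    with the destination changed to a mule account. The grid the user read
    was derived from MERCHANT-001, so the code does not match the mule payment."""
    ctx_user_saw = payment_context("MERCHANT-001", 25000)
    code = read_code(make_grid(DEVICE_ID, ctx_user_saw, window), PATTERN)
    ctx_malware_sends = payment_context("MULE-999", 25000)
    return bank_verify(DEVICE_ID, ctx_malware_sends, window, code)


def malware_replays_logon_code(window=1000):
    """A code harvested at logon carries no transaction and cannot authorise one."""
    logon_code = read_code(make_grid(DEVICE_ID, LOGON_CONTEXT, window), PATTERN)
    return bank_verify(DEVICE_ID, payment_context("MULE-999", 25000), window, logon_code)


def weak_otp(device_id, window):
    """Contrast: a conventional OTP that proves the user only (no transaction input)."""
    return hmac.new(DEVICE_SECRET, f"{device_id}|{window}".encode(), hashlib.sha256).hexdigest()[:6]


def weak_bank_verify(device_id, context, window, code):
    """`context` is accepted but never enters the computation: the weakness the post describes."""
    del context
    return hmac.compare_digest(weak_otp(device_id, window), code)


def weak_scheme_swap_succeeds(window=1000):
    """Same swap as above against the user-only OTP: the bank happily pays the mule."""
    code = weak_otp(DEVICE_ID, window)          # user entered this for MERCHANT-001
    return weak_bank_verify(DEVICE_ID, payment_context("MULE-999", 25000), window, code)


if __name__ == "__main__":
    w = current_window()
    print("honest payment accepted:      ", honest_payment(w))
    print("swapped destination accepted: ", malware_swaps_destination(w))
    print("logon code replay accepted:   ", malware_replays_logon_code(w))
    print("weak scheme, swap accepted:   ", weak_scheme_swap_succeeds(w))
```

The point of the design is in `bank_verify`: the bank never trusts the transaction the browser claims the user saw; it recomputes the expected code from the transaction it is actually being asked to execute. Any change to the destination or amount between the user's screen and the bank changes the expected grid, and the code the user typed no longer matches. Note that a production scheme would also need replay protection within a window and a rate limit on failed codes, neither of which is shown here.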
Steven Hope is technical director at Winfrasoft