ASB netcode vs The Man in the Middle

Hello,

This blog came to life because of my frustration: I pay for a service that does not give me any value…

ASB Netcode has been unavailable for some time now for Telecom customers in New Zealand. What this means is that if you are a Telecom customer you cannot receive Netcode messages on your mobile phone when ASB sends them to you…

If you do not know what Netcode is then you can have a look on www.asb.co.nz or you can just believe me when I tell you that it is ASB's two-factor authentication solution. To give you an example, an ASB customer who tries to make a payment over $800 (NZD) is sent an SMS with a code that is required to complete the transaction.

But why did ASB introduce Netcode for their Fastnet Internet Banking service? Did they try to prevent man-in-the-middle attacks? Netcode does not solve this problem… (read on and you will understand why not) Did they want to prevent phishing? A one-time code sent by TXT cannot stop a phishing site that simply relays the code to the real bank while the customer is still typing… I know you find it hard to believe but bear with me for a moment here.

I think it is great that ASB are using a TXT based solution rather than a hardware token. I would hate to have to carry another thingy with me simply because I want to make an internet payment. At the end of the day the hardware token is not much more useful anyway… It is all perception, unless you can prove me wrong.

So here is my argument:
I will show you how the bad guy (Bill) is going to be the man-in-the-middle and transfer money to his account from a victim's account.

Let's begin:
Marry – naive girl who clicks on any link that has her bank's name in it…
Bill – the bad guy: he has set up a phishing site that looks just like the site that belongs to Marry's bank
ASB – the bank that Marry uses and that has a two-factor solution in place (PIN-based or not, Bill doesn't care)

So Bill sends an email to Marry that has a link to a fake ASB site….
Marry clicks the link and then she sees the login page… she enters her credentials and submits the page…
Bill gets the credentials and goes to the real ASB Fastnet internet banking site and uses them to actually log in… this is a typical case of phishing…
Bill wants to transfer money from Marry's account to his own but wait, he can't because he is going to be asked for a Netcode… so he waits until…
Marry clicks on a function in the fake ASB internet banking site to, say, do a funds transfer….
Bill's site now displays a field for a Netcode, and Bill goes to the real site and requests a transfer to his own account, which makes the bank issue the Netcode
ASB sends the Netcode to Marry's phone and…
Marry types the Netcode into Bill's site
Bill now takes the Netcode, puts it in the real site and bam! the transfer is complete!!!
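
Here is the same exchange as a small Python simulation. This is an added example written for this page, not ASB's code and not anything ASB has published: the bank backend, the phone, the phishing site, the way the $800 threshold is handled and every name in it (Bank, PhishingSite, run_scenario, the accounts, the password) are assumptions made up for illustration. What it shows is why the relay works: the bank only checks that the code typed in matches the one it issued to the session that asked for it, and that session is Bill's.

```python
"""Relay attack against an SMS one-time code (constructed example, not ASB code).

Every component here is a hypothetical stand-in for the scenario in the post.
"""
import secrets
import uuid


class Phone:
    """Marry's handset: stores the SMS messages the bank sends to her number."""

    def __init__(self):
        self.inbox = []

    def receive_sms(self, text):
        self.inbox.append(text)

    def last_code(self):
        # The customer reads the digits off the screen and types them in.
        return self.inbox[-1].split()[-1]


class Bank:
    """Hypothetical backend (assumed design, not ASB's): transfers above a
    threshold need an SMS code, and the code is checked only against the
    session that asked for it. That is exactly what the relay relies on:
    whoever holds the real session that requested the code can spend it,
    no matter who typed it into which web page."""

    SMS_THRESHOLD = 800  # NZD, per the post

    def __init__(self):
        self.users = {"marry": {"password": "hunter2", "phone": Phone(), "balance": 5000}}
        self.sessions = {}  # session token -> {"user": ..., "pending": ...}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user["password"] != password:
            raise PermissionError("bad credentials")
        token = uuid.uuid4().hex
        self.sessions[token] = {"user": username, "pending": None}
        return token

    def request_transfer(self, token, to_account, amount):
        sess = self.sessions[token]
        sess["pending"] = {"to": to_account, "amount": amount, "code": None}
        if amount <= self.SMS_THRESHOLD:
            return self._settle(sess)
        code = f"{secrets.randbelow(10**6):06d}"
        sess["pending"]["code"] = code
        # Assumption of this model: the SMS carries the code and nothing else,
        # no payee and no amount, so there is nothing for Marry to compare.
        self.users[sess["user"]]["phone"].receive_sms(f"Your Netcode is {code}")
        return "netcode_required"

    def confirm_transfer(self, token, code):
        sess = self.sessions[token]
        pending = sess["pending"]
        if pending is None or pending["code"] is None:
            raise PermissionError("no transfer awaiting a code")
        if not secrets.compare_digest(code, pending["code"]):
            raise PermissionError("wrong code")
        return self._settle(sess)

    def _settle(self, sess):
        pending, sess["pending"] = sess["pending"], None
        self.users[sess["user"]]["balance"] -= pending["amount"]
        return pending["to"], pending["amount"]


class PhishingSite:
    """Bill's fake ASB page. Every field Marry fills in is replayed, live,
    into a real session that Bill holds with the genuine bank."""

    def __init__(self, real_bank, bill_account):
        self.bank = real_bank
        self.bill_account = bill_account
        self.token = None  # Bill's session on the real site

    def login_page(self, username, password):
        # Marry submits her credentials; Bill logs in to the real site with them.
        self.token = self.bank.login(username, password)
        return "fake welcome page"

    def transfer_page(self, to_account, amount):
        # Marry asks for a transfer to someone she knows. Bill ignores what she
        # typed and requests his own transfer on the real site; the bank then
        # texts Marry a code, and Bill's page asks her for it.
        self.bank.request_transfer(self.token, self.bill_account, 4500)
        return "fake page: please enter the Netcode we have just sent you"

    def netcode_page(self, code):
        # Marry types the code into Bill's page; Bill submits it to the real site.
        return self.bank.confirm_transfer(self.token, code)


def run_scenario():
    """Walk through the steps in the post and return what actually happened."""
    bank = Bank()
    bill = PhishingSite(bank, bill_account="BILL-001")

    bill.login_page("marry", "hunter2")                      # phished credentials
    bill.transfer_page(to_account="LANDLORD", amount=1200)   # what Marry thinks she is doing
    code = bank.users["marry"]["phone"].last_code()          # Marry reads the SMS ...
    payee, amount = bill.netcode_page(code)                  # ... and types it into Bill's page
    return {"payee": payee, "amount": amount, "marry_balance": bank.users["marry"]["balance"]}


if __name__ == "__main__":
    print(run_scenario())
```

Run it and Marry's balance drops by the amount Bill chose, paid to Bill's account, not the transfer she typed: in this model the code is a bearer token tied to Bill's session and to nothing Marry can see. Whether the real Netcode SMS includes the payee or amount is not something the post establishes; the simulation assumes it does not.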

Oops, does this sound difficult? Well it is not easy to do but it can be done. I do hope that I am wrong and that this scenario does not actually put me at risk, but what does the bank security expert have to say?

This is not a tutorial on how to hack a bank but a call to make the banks come up with better two factor authentication solutions, I know a few ways to do that and I might just put them in writing in another blog… Oh they are cheaper and faster too…

Should any of you dear readers work for a bank please tell me if this article does more harm than good. I just want people to think about this problem. At the moment I am afraid that this kind of two-factor authentication solution just creates a perception of security and does not add much real value to us as customers… not to mention that we have to pay for a service that does not really protect us…

Cheers…

By Nick | 27. Jan 2007 | Rant | No Comments »