Two-factor authentication. New challenges

    Instead of a prologue: this article is about the theft of money from user accounts in payment systems, online banking clients and similar services.



    It is no secret that payment and other financial services have high security requirements. Accordingly, comprehensive measures are taken to protect both the system itself and user accounts. To prevent the system from being compromised or taken down, various means are used, such as:

    • firewalls of all kinds; the WAF (Web Application Firewall) is very popular now,
    • duplication of key system components,
    • data replication and tokenization at various stages of processing,
    • hardware encryption using HSMs (Hardware Security Modules).

    From the point of view of protecting the user's account and its operations, in addition to ordinary password protection, other means are used:

    • access restriction by IP address,
    • code cards, payment passwords, PINs,
    • biometrics,
    • checks of the user's environment.

    And, of course, two-factor authentication tools, electronic digital signatures (EDS) and contactless tokens, i.e. OTP (One-Time Password) generators.

    I always thought that two-factor authentication was a panacea for almost every possible vulnerability in the user authentication process. Following what we then took to be the latest security trends, we recommended that users of our payment system authenticate with hardware TOTP tokens (time-based tokens) from the world's leading vendors, or with the Google Authenticator software. The same tokens were used to confirm payment operations (transactions), and for those who did not have one we required a one-time password sent by SMS. Such protection seemed absolutely reliable to us, but if that were true, this article would not exist...

    I won't beat around the bush; let me get down to business. One day a request came to support from an angry user saying that his account had been "zeroed out", in other words, all funds had been withdrawn. From the initial investigation we saw in the operation history that all the funds had been withdrawn in the normal way, in several transactions, to different accounts, by the user himself. Before that there had been no connection (no operation) between the user and these accounts. After a more detailed review and analysis of all the data, it turned out that this user was the victim of an "avtozaliv" (automated transfer inject) and a "replacer" (substitution module).

    A bit of theory gathered from the Internet:

    Automated transfer (avtozaliv): a web inject with an administrative panel that performs automated and coordinated actions in the victim's account depending on the situation in that account. The malicious code collects account data, looks at which accounts and balances the victim has, and sends the data to the admin panel. The panel contains a table of drops (mule accounts) and their status, notes, the account details to which funds should be transferred, and the amounts to use so as to circumvent limits without raising suspicion. Based on automatic rules or manual approval, the panel selects a drop and hands it to the inject. From there, several alternative options:

    Option 1) The inject shows the user a window with text like "Please wait while your data is being verified", and meanwhile secretly performs the actions that move the money to the drops, "clicking" the necessary links inside the account and filling out the forms the system requests. If a TAN/OTP/PIN code or similar is requested to complete the transfer, the auto-transfer module shows the holder a fake page requesting that very code, but under its own pretext (a ruse). The holder enters the code into the fake page, and the auto-transfer module uses it to continue or complete the transfer.

    Option 2) The inject waits until the user wants to perform a legitimate transaction for which a TAN/OTP/PIN code will be requested, but the code the user enters is used to confirm the illegitimate transaction: the transfer of money to the drop.

    After that the holder is let into the account, where the substitution module is already running.

    Substitution (replacer) is code intended to hide the details of the transfer made by the auto-transfer module: substituting the balance, concealing the transfer in the transfer history, and other manipulations aimed at preventing the holder from noticing it. In our case, the holder saw a fake balance and a fake legitimate transaction.

    Our system has various multi-level checks, for example reconciliation of the balance against the sum of the user's transactions, reconciliation of balances between our system and external ones, and some others. None of this helped in this case, because the transaction did not appear "out of thin air" and looked entirely ordinary.
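    The reconciliations above compare sums that a transfer confirmed from the holder's own session will always satisfy. What distinguishes the case described is the shape of the activity: several transfers within minutes to accounts the holder has never paid before, each sized just under a limit, that together empty the account. Below is an added example, written for this article and not the payment system's own code, of a risk rule in Python that looks for exactly that pattern. The transfer history, the per-transaction limit `PER_TX_LIMIT`, the opening balance and the thresholds are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    recipient: str
    amount: int          # minor units (e.g. cents)


# Constructed sample history: weeks of routine payments, then a burst of
# transfers to four never-seen accounts, each just under the limit.
T0 = datetime(2014, 3, 1, 10, 0)
ROUTINE = [
    Transfer(T0, "ACC-LANDLORD", 80000),
    Transfer(T0 + timedelta(days=3), "ACC-SHOP-1", 4500),
    Transfer(T0 + timedelta(days=10), "ACC-SHOP-2", 12000),
    Transfer(T0 + timedelta(days=31), "ACC-LANDLORD", 80000),
    Transfer(T0 + timedelta(days=40), "ACC-SHOP-1", 3900),
]
DRAIN = [
    Transfer(T0 + timedelta(days=45, minutes=0), "ACC-DROP-A", 99000),
    Transfer(T0 + timedelta(days=45, minutes=4), "ACC-DROP-B", 98000),
    Transfer(T0 + timedelta(days=45, minutes=9), "ACC-DROP-C", 99500),
    Transfer(T0 + timedelta(days=45, minutes=15), "ACC-DROP-D", 99000),
]
PER_TX_LIMIT = 100000      # assumed per-transaction limit (1000.00)
OPENING_BALANCE = 400000   # assumed balance before the burst (4000.00)


def flag_drain(history, opening_balance, limit, window=timedelta(hours=1),
               share=0.8, near=0.9):
    """Return the first burst of two or more transfers inside `window`, all to
    recipients this account never paid before, each between near*limit and
    limit, that together move at least `share` of the opening balance.
    Returns None when no such burst exists."""
    history = sorted(history, key=lambda t: t.ts)
    for i, first in enumerate(history):
        known = {t.recipient for t in history[:i]}   # recipients paid before this moment
        burst = [t for t in history[i:]
                 if t.ts - first.ts <= window
                 and t.recipient not in known
                 and near * limit <= t.amount <= limit]
        total = sum(t.amount for t in burst)
        if len(burst) >= 2 and total >= share * opening_balance:
            return {"start": first.ts, "count": len(burst), "total": total,
                    "recipients": sorted({t.recipient for t in burst})}
    return None


if __name__ == "__main__":
    print(flag_drain(ROUTINE + DRAIN, OPENING_BALANCE, PER_TX_LIMIT))
```

    A rule like this is a trigger for review or a hold, not a block by itself, and the thresholds have to be tuned per product. It also only catches the drain after the fact; with an inject running in the holder's session, any step-up challenge delivered through that same session can be phished the way Option 1 describes.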

    Of course, we had heard about various kinds of attacks, and in practice we often encounter all sorts of fraud, but here we were surprised, to say the least. Although the funds were "poured out" of the user's account, to avoid reputational consequences the company's management compensated part of the victim's losses. This was also because he was a bona fide customer with good turnover and, most importantly, he used every protective measure available in our arsenal at the time.

    After some searching we found that this kind of two-factor authentication bypass is already well known, and many advanced vendors offer similar solutions against it. They go by different names (data signing, CWYS (Confirm What You See)), but have a similar implementation. The main point is that the one-time password is generated not only from the secret key and the time or counter, but also from all the key data of the transaction, such as amount, currency and recipient. Even if an attacker intercepts the password, he cannot use it for his own purposes, because it will not verify against a transaction with different data. Everything is described in detail here. To implement this feature we contacted several vendors and made our choice.
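    To make the difference concrete, the block below is an added example (written for this article; it is not any vendor's product nor the payment system's own code) that plays out Option 2 from the theory section against both kinds of token. The standardized form of this idea is OCRA (RFC 6287); what follows is a simplified illustration in Python, not an OCRA implementation. The seed `SECRET`, the transaction fields and the account identifiers are constructed; the truncation is the RFC 4226 dynamic truncation that TOTP uses.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed-0123456789"  # constructed; a real seed is vendor-provisioned
STEP = 30      # time step in seconds
DIGITS = 6
WINDOW = 1     # accept codes from one step before/after the server clock


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation to a zero-padded decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def _counter(t: int, drift: int = 0) -> bytes:
    return struct.pack(">Q", t // STEP + drift)


def _code(secret: bytes, counter: bytes, data: bytes = b"") -> str:
    return _truncate(hmac.new(secret, counter + data, hashlib.sha1).digest())


def totp(secret: bytes, t: int) -> str:
    """Plain time-based OTP: the HMAC input is only the time counter."""
    return _code(secret, _counter(t))


def canonical(tx: dict) -> bytes:
    """Canonical encoding of the fields the holder sees and the token signs.
    Amount stays a string so that 100.00 and 100 can never collide by accident."""
    return f"{tx['amount']}|{tx['currency']}|{tx['recipient']}".encode()


def signed_otp(secret: bytes, t: int, tx: dict) -> str:
    """Transaction-bound OTP (CWYS): HMAC over time counter + transaction data."""
    return _code(secret, _counter(t), canonical(tx))


def verify_totp(secret: bytes, t: int, code: str) -> bool:
    return any(hmac.compare_digest(_code(secret, _counter(t, d)), code)
               for d in range(-WINDOW, WINDOW + 1))


def verify_signed(secret: bytes, t: int, tx: dict, code: str) -> bool:
    """The server recomputes over the transaction it actually received."""
    return any(hmac.compare_digest(_code(secret, _counter(t, d), canonical(tx)), code)
               for d in range(-WINDOW, WINDOW + 1))


def simulate_inject(t: int) -> dict:
    """Option 2: the holder confirms a legitimate transfer, the inject submits a
    different one together with the code the holder typed."""
    intended = {"amount": "100.00", "currency": "EUR", "recipient": "ACC-LANDLORD"}  # constructed
    substituted = dict(intended, amount="950.00", recipient="ACC-DROP-1")           # constructed
    plain_code = totp(SECRET, t)                 # token knows nothing about the transfer
    cwys_code = signed_otp(SECRET, t, intended)  # token displays amount/recipient and signs them
    return {
        "plain_otp_accepts_substituted": verify_totp(SECRET, t, plain_code),
        "cwys_accepts_substituted": verify_signed(SECRET, t, substituted, cwys_code),
        "cwys_accepts_intended": verify_signed(SECRET, t, intended, cwys_code),
    }


if __name__ == "__main__":
    print(simulate_inject(1_700_000_000))
```

    With the plain token the server has no way to tell which transfer the code was meant for, so the substituted one goes through; with the transaction-bound code the recomputation over the substituted amount and recipient does not match. The defence only holds if the data fed into the token is what the server will execute and the holder actually compares it with what is on the token's display; a fake page in the Option 1 style that asks the holder to enter the drop's details into the token is still a risk that the display, not the cryptography, has to counter.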

    So, for now we have breathed a sigh of relief... and are waiting for new challenges.
