Fraudsters Find a Flaw in Elite Authentication

Banks in the United Kingdom are battling fraudsters who have found a way to compromise out-of-band authentication — widely considered one of the strongest security formats.

Security experts say the technique, known as phone-jacking, is a growing threat. And though they say telecommunications infrastructure and banking processes in the United Kingdom make it easier to pull off the attacks, they suspect it has been used against a major U.S. financial company.

The basic technique involves hijacking the authentication calls or text messages that banks send to some customers' phones to authenticate transactions. These calls are known as out-of-band authentication because they involve a communication channel different from the one being used to initiate a transaction. By routing these calls to an attacker's phone, hackers can approve fraudulent transactions, experts say.

Typically, a fraudster uses social engineering techniques to convince a phone carrier's customer service representative to forward a victim's phone calls to a number controlled by the attacker.

The criminal can then use other stolen data to log in to the victim's bank account, confirm the out-of-band authentication requests or even affirm a suspect transaction if called directly by the bank.

Mark Bowerman, a spokesman for the Association for Payment Clearing Services, the U.K. payments association, confirmed that several major U.K. banks had been attacked with the phone-jacking technique. His association is working with British Telecom and wireless carriers to "tackle this issue," he said.

"Banks regularly review and update their front-end fraud controls and continue to monitor activity and engage with the telecoms industry to mitigate losses through this type of fraud," Bowerman said, though he was not aware of any specific rule change in the works by telecoms.

John Zurawski, a vice president of sales at the Chicago authentication technology vendor Authentify Inc., said the problem is more prevalent in the United Kingdom than in the United States, for several reasons. First, certain provisions of the Gramm-Leach-Bliley Act require that carriers get confirmation before changing key data, such as a contact phone number, on a consumer's account. This could make it harder for hackers to forward the out-of-band calls.

Also, U.S. authentication vendors can use a telecommunications format, the SS7 protocol, to identify when calls are being forwarded, and banks can choose to add this as a factor in risk scoring or simply disapprove transactions authenticated via forwarded calls.

Finally, the European payment system is closer to delivering real-time transaction updates than systems in the United States, so hackers abroad can move money out of accounts faster; by the time a U.K. bank's fraud system identifies a possible problem, the consumer's money is often already gone.

Out-of-band authentication vendors contend this attack technique is based on social engineering, that is, it depends on criminals' ability to manipulate people into turning over sensitive information.

As a result, technology is not entirely to blame for the new wave of attacks. "There's no technical defense you can put up that a social engineer isn't going to find a way around once or twice," said Steve Dispensa, the chief technology officer and co-founder of PhoneFactor Inc., an Overland Park, Kan., security vendor. "The good news about social engineering is, it's hard to do in bulk."

Authentify's Zurawski said the "approach was both unique and somewhat brazen. The way we've seen it in the past are situations that banks would refer to as 'friends and family' fraud." Authentify sells out-of-band applications to HSBC Holdings PLC, among other financial companies.

Out-of-band authentication using a mobile phone had been touted as one of the most reliable and convenient second forms of authentication for online banking. But this latest wave of attacks shows that everything is vulnerable, said Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a market research company in Stamford, Conn.

Some banks are adapting to the attacks by changing back-end fraud scoring engines to give less weight to out-of-band authentication, particularly when other risk factors are high, said Amir Orad, the chief marketing officer at Actimize Inc., a New York security vendor.

"At the end, by definition, it is all compromised — the phone, the computer, the password, the token," said Orad. "What you cannot really compromise is someone's history and their behavior."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER