They not only elegantly exploit current Internet browsers’ weaknesses, they also trick the user – which is exactly why it should be just as easy to protect oneself against them.
Basically, the fact that the SMS authentication procedure is unsafe is not news. The latest attacks that are mentioned in the media and documented by MELANI (Melde- und Analysestelle Informationssicherung des Bundes), the Swiss Confederation’s reporting and analysis centre for information assurance, show the specific weaknesses of the SMS log-in method, not to mention the costs that the bank incurs.
The attack is rather simple and nothing new: the customer receives a malware-infected e-mail, which infects the device in use merely by opening the e-mail, or when the user complies with the request to click on a link. After logging on to online banking, the customer is then asked, supposedly in the name of the customer’s bank, for details about the smartphone and its number. The customer receives an SMS which installs not the certificate it claims, but the malware.
Once a virus has lodged in the standard browser during such an attack, many of the usual security procedures no longer function, because the user can simply be tricked. Would it therefore not be better to have a security solution that protects the user (and thus his online banking) against such attacks? Crealogix at least believes so and builds proprietary security solutions which take this approach – the user should have secure access to online banking at all times and also be able to execute payments in the secure environment of OCEAN’s security solutions.
The attacks on the browser and the SMS login procedure as described not only undermine safe login to online banking, but also SMS payment confirmation, which can now be hacked. It would be simple to replace the procedure.
Sentinel and SentinelDisplay – both audited solutions in use with several banks – provide complete protection against these and other attacks and do not require any special behaviour on the part of the user.
Another example is CLX.FotoTAN, which ensures authentication and also payment confirmation, and in the process saves the expense of sending the SMS: the e-banking server generates a code which is displayed as an encrypted, two-dimensional (QR) code on the computer screen. When photographed with a smartphone running FotoTAN from OCEAN, this code is deciphered and the result is in turn entered on the computer. The security concept behind this and other Crealogix security solutions is scalable and thus represents a balance between a bank’s business objectives, optimum security and a good user experience; in the process the solutions make the hacker’s life harder and defend against large-scale attacks.
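The FotoTAN round trip described above, as an added example that is not Crealogix’s code: the server encrypts the transaction details under a per-device key for the QR code, the smartphone verifies and decrypts them so the user can check what is actually being confirmed on a separate device, and the TAN the user types back is bound to those details, so a browser that swaps the recipient gets neither a matching TAN nor an unnoticed transaction. The device key, the HMAC-based stand-in cipher and the transaction values are constructed assumptions, not details of the real product.

```python
import base64, hashlib, hmac, json, secrets

# Constructed per-device secret shared at enrolment (the page does not describe key management).
DEVICE_KEY = hashlib.sha256(b"constructed-demo-enrolment-secret").digest()

def _keystream(key, nonce, length):
    """HMAC-SHA256 counter-mode keystream: an illustrative stand-in for a real AEAD cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _canon(txn):
    """Canonical byte form of the transaction so both sides MAC exactly the same data."""
    return json.dumps(txn, sort_keys=True).encode()

def server_make_qr_payload(key, txn):
    """Bank server: encrypt the transaction under the device key, encrypt-then-MAC, base64 for the QR."""
    nonce = secrets.token_bytes(12)
    pt = _canon(txn)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag).decode()

def app_decode_qr(key, payload):
    """Smartphone app: check the tag, decrypt, return (nonce, transaction) to show to the user."""
    raw = base64.b64decode(payload)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("QR payload tampered with or issued for another device")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return nonce, json.loads(pt)

def derive_tan(key, nonce, txn, digits=6):
    """TAN bound to this nonce AND these transaction details (HOTP-style truncation)."""
    mac = hmac.new(key, nonce + _canon(txn), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    return str((int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits).zfill(digits)

def server_verify(key, nonce, txn_submitted, tan_entered):
    """Server recomputes the TAN over the transaction it is about to execute."""
    return hmac.compare_digest(derive_tan(key, nonce, txn_submitted), tan_entered)

def confirm_payment(intended, submitted):
    """Full round trip; returns (phone shows what the user intended, server accepts the TAN)."""
    payload = server_make_qr_payload(DEVICE_KEY, submitted)  # server only sees what the browser sent
    nonce, shown = app_decode_qr(DEVICE_KEY, payload)        # phone shows the real details
    tan = derive_tan(DEVICE_KEY, nonce, shown)               # user types this TAN into the browser
    return shown == intended, server_verify(DEVICE_KEY, nonce, submitted, tan)
```

A manipulated browser that alters the recipient is exposed twice: the phone displays the altered recipient for the user to reject, and a TAN captured for one transaction never verifies for another.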