Monday, January 20, 2014

Portuguese Supreme Court condemns Bank in phishing case

We all know online security is of extreme importance these days, and more so when it comes to money-related issues such as online banking. Today the Portuguese Supreme Court condemned BPI (a Portuguese bank) in a phishing case that ended up with one of their customers losing €13,000 and ultimately being forced out of business due to being blacklisted.

The customer, a small company, used the online banking system regularly and was the victim of "pharming" - a kind of phishing attack that infects the computer (or router) and redirects users to fake sites. So, when you enter your bank's URL and think you're logging in to the real site, you're in fact doing it on a fake site that is collecting your data and acting as a middleman (the so-called "man in the middle" attack) between you and your bank.

That means that when you log off and think you're done for the day, the attackers will still be logged in and able to perform all kinds of transactions as if they were you. Currently, most money transfer operations require you to enter a security code from a card or an SMS sent to the registered phone number; but I don't know if that was the case back then - when the attackers were able to transfer €13,000 from that account.
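As an added, defender-side example (not code from the original post): a small Python check that parses a hosts file and flags any entry that pins a banking domain to a fixed address, which is one of the ways a pharming infection on the computer redirects the browser to a fake site without ever asking DNS. The monitored domains, the addresses and the sample hosts content are constructed placeholders, not BPI's real hostnames.

```python
"""Flag hosts-file entries that hijack monitored banking domains.

A legitimate hosts file should never mention a bank's domain, so any
entry that does is a strong indicator of pharming-style tampering.
"""
import ipaddress

# Assumed placeholder domains a defender wants to watch (not real bank hosts).
MONITORED_DOMAINS = {"bank.example", "ebanking.example"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text; skips comments and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])  # validates both IPv4 and IPv6
        except ValueError:
            continue                              # first field is not an address
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def is_monitored(hostname):
    """True if hostname is a monitored domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in MONITORED_DOMAINS)


def find_hijacks(text):
    """Return [(ip, hostname)] for every hosts entry that overrides a monitored domain."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_monitored(name)]


# Constructed sample: normal loopback entries plus two pharming-style overrides.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# the two lines below are what a pharming infection would add
203.0.113.7 www.bank.example bank.example   # attacker address (TEST-NET-3, constructed)
2001:db8::9 login.ebanking.example
0.0.0.0     ads.example.net
"""

if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"ALERT: {name} pinned to {ip} in hosts file")
```

The same check belongs in endpoint monitoring: a hosts file that suddenly gains entries for a bank is worth an alert even before any fraudulent transfer happens.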

For the bank, this kind of attack is indistinguishable from a real user doing those operations - but the court stated that if they offer online banking services, it is up to them to ensure those services are secure enough not to put their customers at risk. The only way I can imagine that being possible is if any and all operations were validated via SMS confirmation codes - but even then, there have been attacks where accomplices inside the telecommunications operators clone SIM cards, allowing attackers to receive the security codes intended for the real customer, so even that wouldn't be enough to be 100% sure someone is who they say they are.
