New "Man in the Browser" Attack Bypasses Banks' Two-Factor Authentication SystemsS

The banking industry often employs two-step security measures—similar to Google Authenticator—as an added layer of protection against password theft and fraud. Unfortunately, those systems have just been rendered moot by a highly-advanced hack.

The attack, know as the Man in the Browser method, works like this. Malicious code is first introduced onto the victim's computer where it resides in the web browser. It will lay dormant until the victim visits a specific website—in this case, his bank's secure website. Once the user attempts to log in, the malware activates and runs between the victim and the actual website. Often the malware will request that the victim enter his password or other security pass into an unauthorized field, in order to "train a new security system." Once that happens, the attacker has full access to the account.

Luckily, the method is only a single-shot attack. That is, the attacker is only able to infiltrate the site once with the user-supplied pass code. But, once in, the attacker can hide records of money transfers, spoof balances and change payment details. "The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking," Daniel Brett, of malware testing lab S21sec, told the BBC.

Since this attack has shown that the two-factor system is no longer a viable defense, the banking industry may have to adopt more advanced fraud-detection methods similar to what secure credit cards. When compared to having your account silently drained, standing in line for the teller suddenly doesn't seem like that much of a hassle. [BBC News via Technology Review]

Image: jamdesign / Shutterstock