
I have read this question and answer but am still uncertain how it actually works and how a user could then be hacked. I'm asking because my brother supposedly was hacked and his bank uses exactly this kind of security.

So my question is: how could this be done without a huge effort/expense from the hacker? The only way I see is a MITM attack. Spoof DNS, pretend to be the banking site and then use the sent login data. But then the attack can still only happen at exactly the same time when you are logged in. In this case he certainly wasn't (family event, I was there, so was he...). What are other possible scenarios to achieve this?

beginner_
  • Skimming, some banks use a one-factor authorization by only using the PIN code and the chip on the banking card, generating a random access code; you won't see this a lot in Europe though, because of laws, but I have no idea for other western-world countries – Lighty Oct 17 '14 at 07:24
  • oh, and if there are any "fraud" or "malicious" actions when he was hacked, contact the bank ASAP. – Lighty Oct 17 '14 at 07:25
  • Yeah, the bank is contacted and the account locked. But for potential legal action this might become important. (Sum was high enough to consider legal action if the bank will not resolve it). EDIT: I also have a suspicion that it could be an IT issue (e.g. a programming bug) simply because they recently updated the whole platform/web page. – beginner_ Oct 17 '14 at 11:00

1 Answer


MITM is going to be unlikely - the bank should have an SSL connection with a signed cert from a CA, which would alert you with a big red screen and scare you away. It is also possible that you were redirected to a non-secured version of the site (and a fake/look-alike site exists), and proceeded to enter your info there, but this should quickly raise red flags with the bank (and while it may not bring up the red screen, there should still be some signs, like the missing padlock, to alert you).

What is more likely is some sort of virus on your end that can either install its own bogus CA and then proceed as above, or hijack the session by stealing the authentication cookies or similar.

It's also possible that the bank itself had another vulnerability elsewhere - this would probably affect multiple accounts, but you may be oblivious to the fact that others had similar issues (but hopefully the bank becomes aware).

You also assume that a MITM attack could only happen when he was logged on - but this may be a false assumption - would a MITM attacker pass on the "logoff" request? I don't see why they would - what if they extended the banking session each time (going to a new page/etc.) instead of allowing it to time out? - unless the bank at some point asks for the password/code again (unlikely from a UI perspective), then chances are you could be unaware that you are still "logged in" (although the bank should have logs as far as when you logged in/out and can check for this kind of stuff).

user2813274
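As an added illustration of the session-extension point in the answer above (this is example code written for this page, not code from the answer or from any bank), a minimal server-side session policy showing why an idle timeout alone lets a forged keep-alive request hold a session open indefinitely, while an absolute lifetime plus a fresh-credential window for sensitive actions bounds the exposure even if the user's logoff request never reaches the server. The timeout values are assumed policy numbers.

```python
from dataclasses import dataclass

# Assumed policy values (seconds); a real bank would choose its own.
IDLE_TIMEOUT = 600        # inactivity after which a session dies
ABSOLUTE_TIMEOUT = 3600   # hard cap on session lifetime, activity or not
REAUTH_WINDOW = 120       # max age of the last credential check for sensitive actions


@dataclass
class Session:
    created: float    # time the session was issued
    last_seen: float  # time of the most recent request
    last_auth: float  # time the user last proved possession of the credential
    ended: bool = False


def new_session(now: float) -> Session:
    return Session(created=now, last_seen=now, last_auth=now)


def touch(s: Session, now: float, absolute: bool = True) -> bool:
    """Called on every request; returns False once the session is invalid.
    With absolute=False only the idle timer matters, so any periodic request
    (an attacker re-loading a page on the user's behalf) keeps it alive forever."""
    if s.ended or now - s.last_seen > IDLE_TIMEOUT:
        s.ended = True
        return False
    if absolute and now - s.created > ABSOLUTE_TIMEOUT:
        s.ended = True
        return False
    s.last_seen = now
    return True


def sensitive_action_allowed(s: Session, now: float) -> bool:
    """Transfers and similar require a recent credential check, not just a live session."""
    return touch(s, now) and now - s.last_auth <= REAUTH_WINDOW


def logoff(s: Session) -> None:
    s.ended = True  # only helps if the request actually reaches the server


def simulate_keepalive(absolute: bool, interval: float = 300, duration: float = 7200) -> float:
    """Constructed scenario: the user stops at t=0, an attacker replays a request every
    `interval` seconds for `duration` seconds. Returns the last time the session was live."""
    s = new_session(0.0)
    alive_until = 0.0
    t = interval
    while t <= duration:
        if not touch(s, t, absolute=absolute):
            break
        alive_until = t
        t += interval
    return alive_until
```

With only the idle timer the simulated session is still live at the end of the two-hour replay; with the absolute cap it dies at one hour regardless of the replayed traffic, and a transfer would additionally have been refused once the credential check was older than the re-auth window.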