into their on-line
systems. After all, change control, correctness and quality are
an important part of a bank’s IT ethos.
The criminals have no such constraints – and they do not
especially care if it is their first, tenth or one hundredth trojan
of any new sort which succeeds. The cost of 99 programmatic
failures is inconsequential to them; the bank, on the other
hand, must succeed at the first attempt.
Q. The malware you describe above relies on capturing
information which can be re-used later. Doesn’t the hand-held
authenticator, or token, make that impossible?
A. No. Or, more accurately, not entirely. What tokens are
intended to do is to introduce an unpredictable variable value
into the authentication process, instead of a conventional
password. This means that any password captured by a trojan
cannot be re-used, because each password is designed to be
used once, and only once.
This does, indeed, render a lot of current malware impotent.
Under some circumstances, however, a trojan can still benefit
from capturing a one-time password, for example if it can
capture the password before it is used. This may be possible
using what is called a man-in-the-middle attack. A handy
pictorial summary of a range of such attacks can be found
in [14].
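To make the distinction concrete, the following is an added example, not code from the article or from the survey cited as [14]. It models the token as an RFC 4226 HOTP generator (an assumption; the article does not name the token's algorithm), a bank that accepts each counter value once, and a trojan on the customer's machine. The shared secret, user name and transactions are constructed for the demonstration. A keylogger that replays a captured one-time password is rejected; a man-in-the-middle that holds the user's request and spends the fresh password on its own transaction first is accepted, and it is the user's legitimate request that the bank then refuses.

```python
import hmac
import hashlib
import struct

# Constructed shared secret for the demo; a real token and bank hold one per customer.
SECRET = b"constructed-demo-secret"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Token:
    """The customer's hand-held authenticator: every press yields a fresh password."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_password(self) -> str:
        pw = hotp(self.secret, self.counter)
        self.counter += 1
        return pw


class Bank:
    """Verifier that never accepts the same counter value twice (a small look-ahead
    window tolerates presses that were never submitted)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.next_counter = 0          # lowest counter value still acceptable
        self.window = window
        self.accepted = []             # (user, action) for every transaction that went through

    def login(self, user: str, otp: str, action: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.next_counter = c + 1      # this and all earlier values are now spent
                self.accepted.append((user, action))
                return True
        return False


def replay_attack():
    """Keylogger trojan: copies the OTP as it is typed, re-sends it after the user's login.
    Returns (user accepted, attacker accepted)."""
    token, bank = Token(SECRET), Bank(SECRET)
    otp = token.next_password()
    captured = otp                                              # the trojan's copy
    user_ok = bank.login("alice", otp, "pay electricity bill")
    attacker_ok = bank.login("alice", captured, "pay mule account")   # same OTP, now spent
    return user_ok, attacker_ok


def relay_attack():
    """Man-in-the-middle trojan: sits between browser and bank, holds the user's request
    and submits its own transaction with the fresh OTP first.
    Returns (attacker accepted, user accepted)."""
    token, bank = Token(SECRET), Bank(SECRET)
    otp = token.next_password()
    # The browser submits (otp, "pay electricity bill"); the trojan intercepts it and
    # uses the still-unspent OTP for its own transaction before forwarding anything.
    attacker_ok = bank.login("alice", otp, "pay mule account")
    # The user's original request is forwarded (or silently dropped) only afterwards.
    user_ok = bank.login("alice", otp, "pay electricity bill")
    return attacker_ok, user_ok


if __name__ == "__main__":
    print("replay  (user ok, attacker ok):", replay_attack())
    print("relay   (attacker ok, user ok):", relay_attack())
```

The bank's one-use rule is what defeats the replay; nothing in the password itself ties it to a particular transaction, which is why the relay succeeds. Binding the code to the transaction details (amount, destination account) is the property a token scheme needs before a man-in-the-middle stops benefiting from capturing it.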
Q. Can you give a quick description of how such an attack
works?
A. Imagine that you have to play chess against two
Grandmasters. (This assumes that you are not a top chess
player yourself.) There is a way in which you can guarantee
not to get thrashed by both players, provided that you play
them