Expert: Bank Transactions Can Be Manipulated Even If OTP Devices Are Used

A video demonstrates that online banking systems are still vulnerable

January 18th, 2012 12:58 GMT

Security experts show that a piece of malware can take full control of an Internet Explorer browser and manipulate bank transactions in real time, even when the customer performing the transfer relies on an OTP (one-time password) device.

Yash K.S., chief technology officer at Red Force Labs, released a proof-of-concept video showing how a purpose-built piece of malware can be used in a Man-in-the-Browser (MitB) attack that targets HSBC Bank transactions.

The point of the video is not to encourage illegal activity, so no code or details of the malware are released; instead, the aim is to raise awareness of the security issues that affect online banking systems even when sophisticated anti-fraud mechanisms are in place.

“We believe that unless you know how to ethically hack, you cannot defend yourself completely from malicious attacks,” reads the video’s disclaimer.

In the clip, the expert shows an unsuspecting user logging in to his HSBC online banking account with his account password and a one-time password generated by the OTP device.

While the user enters the destination account and the amount he wishes to transfer, the malware, under the attacker’s control, works in the background inside the browser and alters the transaction details to the attacker’s liking.

The victim confirms the transaction, again with the OTP device, and it completes. But when he checks whether the money arrived at its destination, he finds not only that the amount transferred is considerably higher, but also that it went to a Citibank account rather than the one he chose. The OTP proved that the legitimate customer was present, but it was never tied to the beneficiary or the amount, so the bank had no way to tell that the details it received were not the ones the customer saw on screen.

In his demonstration Yash used Windows 7, Internet Explorer and an up-to-date Kaspersky anti-virus.

Screenshot from the POC video