The iovation Site

Theft of Personal Data Extends to One-Time Passwords

September 3rd, 2009 by Max Anhoury

When it comes to protecting online accounts, multi-factor authentication—especially the use of tokens—has been considered the strongest protection against password theft and account takeover. A recent article from the NY Times, How Hackers Snatch Real-Time Security ID Numbers, explains the lengths that online criminals will go to in order to steal personal information and take over accounts.

In the article, they explain a scenario involving an infection called the Clampi trojan, but the success of an account theft or takeover isn’t dependent on any specific trojan. All it takes is some method of infecting a computer so that it sends real-time data from that computer back to the online criminal. The NY Times article details the way a trojan spreads and watches for ideal account targets.

    “When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines. Clampi has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network. Mr. Stewart found that each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites.”

The way the attack works is that any time a user logs into their online bank from an infected computer, the trojan recognizes this and sends the account information, including one-time passwords, back to the criminal in real time. The criminal can then use this information to log into the stolen account from his own computer or from a remote session on the infected computer. As unlikely as this sounds, we know of confirmed incidents of this attack.
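To make the mechanism concrete, here is an added example (not code from the original post or from iovation) that shows why a relayed one-time password is still a valid password, and what a server can do about it. It implements RFC 4226 HOTP / RFC 6238 TOTP, a naive verifier that accepts any correct code, and a hardened verifier that consumes each code once and binds it to the client context (device id and IP) that started the login. The secret, timestamp, device ids, IP addresses and session ids are constructed values.

```python
"""Real-time OTP relay, and one server-side mitigation (added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (no clock-drift window)."""
    return hotp(secret, now // step, digits)


class NaiveVerifier:
    """Accepts any correct code, from anyone, as often as it is presented."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


class BoundVerifier:
    """Consumes each time step once and ties the code to the login's client context.

    A trojan relaying the code to the criminal's own machine therefore either
    replays an already-used step or presents it from an unexpected context;
    both outcomes raise an alert instead of silently succeeding.
    """

    def __init__(self, secret: bytes, step: int = 30) -> None:
        self.secret = secret
        self.step = step
        self.used_steps: set[int] = set()        # time steps already consumed
        self.pending: dict[str, tuple] = {}      # session id -> (device id, ip)
        self.alerts: list[tuple] = []            # (reason, session id, context)

    def start_login(self, session_id: str, context: tuple) -> None:
        self.pending[session_id] = context

    def verify(self, session_id: str, code: str, now: int, context: tuple) -> bool:
        step = now // self.step
        if not hmac.compare_digest(code, hotp(self.secret, step)):
            return False
        if self.pending.get(session_id) != context:
            self.alerts.append(("context-mismatch", session_id, context))
            return False
        if step in self.used_steps:
            self.alerts.append(("replay", session_id, context))
            return False
        self.used_steps.add(step)
        return True


def simulate() -> dict:
    """Victim logs in; the relayed code is then tried from the criminal's machine."""
    secret = b"constructed-demo-seed"          # constructed, not a real seed
    now = 1_700_000_000                        # fixed clock for reproducibility
    victim = ("device-A", "203.0.113.10")      # constructed context
    attacker = ("device-B", "198.51.100.7")    # constructed context
    code = totp(secret, now)                   # what the victim types, and what is relayed

    naive = NaiveVerifier(secret)
    naive_results = (naive.verify(code, now), naive.verify(code, now + 5))

    bound = BoundVerifier(secret)
    bound.start_login("s1", victim)
    bound.start_login("s2", attacker)
    victim_ok = bound.verify("s1", code, now, victim)            # legitimate use
    relay_ok = bound.verify("s2", code, now + 5, attacker)       # relayed code, own session
    hijack_ok = bound.verify("s1", code, now + 6, attacker)      # relayed code, victim's session

    return {
        "naive": naive_results,
        "victim_accepted": victim_ok,
        "relayed_code_accepted": relay_ok,
        "hijack_accepted": hijack_ok,
        "alerts": bound.alerts,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The naive verifier accepts the relayed code twice, which is exactly the failure the article describes: the token did its job, but the code it produced was valid wherever it was presented. Consuming each step once and binding it to the originating context catches the criminal's own-computer case. It does not catch the other case in the post, a remote session on the infected machine that suppresses the victim's own submission, since that traffic carries the victim's device and address; that limit is the reason the post argues for diversified defenses rather than any single control.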

Does this mean that multi-factor authentication is a waste of time? Not at all. Using tokens is still a best practice for account protection and is far more secure than a simple account ID and password combination. Primarily, the use of these trojans highlights the increasing sophistication of criminals in collecting and using personal data for their own financial gain. We have highlighted before that online crime is far beyond curious kids and is now big business. Criminals are coordinating their efforts, working together, sharing tools and targeting the personal and account data that they need to be successful.

All this should be a reminder that, when it comes to security, companies should be working together—sharing techniques and information, and diversifying their defenses to meet this serious threat. Going it alone online is a losing proposition long term.
