Security Watch

Phishing Attack Targets One-Time Passwords

Swedish bank Nordea's customers are scammed by phishers targeting the bank's online authentication method.

According to anti-virus company F-Secure, customers of Scandinavia's largest bank, Sweden's Nordea, have been the target of a phishing attack. More interestingly, Nordea uses a one-time password method to afford their online banking customers increased security.

Nordea issues each customer a printed list of one-time passwords. The customer is asked to supply the next password in the list, and Nordea keeps track of which password to expect; in this way it gains some assurance that a request really comes from the customer. If the customer uses a password that Nordea for some reason never sees or accepts, the customer simply moves on to the next password in the list. Nordea allows for these lost passwords and advances its index for that customer accordingly.

The people behind this phishing attempt were fully aware of Nordea's mechanism. Victims were prompted for their next password, and possibly the one after that, which made the attack considerably more sophisticated than the standard bank phishing attempt.

Unlike other password-collection schemes, this one gave the attacker little time to use the passwords gleaned from the victim. Whatever the attacker received remained valid only until the victim returned to the real Nordea site and authenticated, at which point Nordea would skip past the passwords given to the phishing site and invalidate them. Whoever was behind this attack must therefore have intended to get in as quickly as possible, take the money and run.
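The following is an added example, not Nordea's code, that models the server side of an indexed one-time-password list as the column describes it: the bank keeps the customer's list and the index of the next expected password, accepts that password or one a few positions further on (so a lost or unseen password can be skipped), and then invalidates everything up to and including the one it accepted. The skip window of five, the sample list and the two-password phishing scenario are assumptions made for the demonstration; it shows why the stolen passwords are only useful to the attacker until the victim next logs in.

```python
"""Server-side model of an indexed one-time-password list (added example; not
Nordea's code).  Assumes the behaviour described in the column: the next
expected password, or one within a small window ahead of it, is accepted, and
every password at or before the accepted one is then invalid."""
import hashlib
import hmac
import secrets


def issue_list(count, digits=6):
    """Constructed sample: generate the printed list the customer would receive."""
    codes = []
    while len(codes) < count:
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if code not in codes:          # keep the list free of duplicates
            codes.append(code)
    return codes


class OtpListAccount:
    """Per-customer state kept by the bank."""

    def __init__(self, passwords, skip_window=5):
        # Keep only digests; the cleartext list exists on the customer's paper.
        self._digests = [hashlib.sha256(p.encode()).hexdigest() for p in passwords]
        self.next_index = 0             # position of the next expected password
        self.skip_window = skip_window  # unseen passwords that may be skipped (assumed value)

    def verify(self, submitted):
        """Return True and advance the index if `submitted` is the expected password
        or one within skip_window positions ahead of it.  Everything at or before
        the accepted position is invalid from then on."""
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        last = min(self.next_index + self.skip_window, len(self._digests))
        for i in range(self.next_index, last):
            if hmac.compare_digest(self._digests[i], digest):
                self.next_index = i + 1
                return True
        return False


def phishing_outcome(attacker_logs_in_first):
    """Model the attack: the phishing page collects the victim's next two passwords.
    Returns which logins the bank accepted, depending on who reaches it first."""
    issued = issue_list(20)
    bank = OtpListAccount(issued)
    bank.verify(issued[0])           # two earlier, legitimate logins
    bank.verify(issued[1])
    stolen = [issued[2], issued[3]]  # what the victim typed into the fake site
    result = {}
    if attacker_logs_in_first:
        result["attacker_first"] = bank.verify(stolen[0])
    # The victim believes passwords 2 and 3 are spent and uses the next one.
    result["victim"] = bank.verify(issued[4])
    if not attacker_logs_in_first:
        result["attacker_first"] = bank.verify(stolen[0])
    # Once the victim has authenticated past them, the stolen passwords are dead.
    result["attacker_second"] = bank.verify(stolen[1])
    return result


def replay_and_window_checks():
    """Two properties the scheme relies on: no password works twice, and a password
    too far ahead of the expected one is refused, while a single lost one is skipped."""
    issued = issue_list(20)
    bank = OtpListAccount(issued, skip_window=5)
    first_use = bank.verify(issued[0])
    second_use = bank.verify(issued[0])   # replay of a spent password
    too_far = bank.verify(issued[10])     # index 1 plus window 5 covers positions 1..5 only
    lost_one = bank.verify(issued[2])     # customer lost password 1; the skip is allowed
    return first_use, second_use, too_far, lost_one


if __name__ == "__main__":
    print("attacker first:", phishing_outcome(True))
    print("victim first:  ", phishing_outcome(False))
    print("replay/window: ", replay_and_window_checks())
```

Running it shows the race the column describes: if the attacker logs in before the victim returns, the first stolen password works once and the victim's next login still succeeds and burns the rest; if the victim logs in first, neither stolen password is ever accepted.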

While not infallible, Nordea's list of one-time passwords is better than a user name and password alone, and it is a lot cheaper than issuing electronic tokens. The mechanism is not used at ATMs, only for online, telephone and other forms of remote banking. Nordea has used it since before 1999.

One thing is for sure: Phishers are paying more and more attention to the individual entity that they're targeting.

Kaspersky Anti-Virus CAB File Buffer Overflow Vulnerability: The product contains a buffer overflow in its handling of CAB files that could allow a remote attacker to execute arbitrary code on the affected system. Kaspersky licenses the cab.ppl library to other vendors, so products from other vendors could also be vulnerable. No patch is available yet, but Kaspersky has released signatures to detect exploits. This is a reminder that security products are not immune to attack and are drawing the attention of people keen to pick at them.

Denial of Service
Intellishield ID 9785: Linux Kernel sys_set_mempolicy Denial of Service Vulnerability: Kernel versions prior to 2.6.13 contain a vulnerability in the kernel's implementation of the set_mempolicy(2) system call. The vulnerability could allow a local attacker to cause a denial of service (DoS) condition. It has been corrected in the 2.6.13 kernel.

Malicious Code
Not at all surprisingly, Web sites are the "fastest growing attack vector" for malcode, according to the Websense Security Trends Report 2005.

This column was originally published in our weekly Security Watch newsletter.

What exactly does it mean to be the "fastest growing attack vector" anyway, and how would one accurately measure such a thing? More and more Web sites are coming online, whether in traditional form or as blogs. It is certainly no surprise that there are more of them, and therefore no surprise that many are insecure and liable to have malware placed on them. Given that Web site coders seem not to have learned anything from past attacks, more and more sites are being put up without any means of vetting the content their users post.

California has once again led the way in legislating against Internet attacks. In this case, a bill signed into law makes Internet phishing scams a civil violation, allowing victims to recover actual damages or $500,000 for each violation.

Making this a civil violation should make it easier for victims to obtain subpoenas when trying to identify the actual originator of a phishing scam. On the downside, customers may find themselves mired in such subpoenas should their own sites be compromised by an attacker and used to launch phishing attacks.

European Union officials are pressing the U.S. to hand over control of the Internet to the United Nations. The debate is escalating ahead of November's World Summit on the Information Society (WSIS), due to be held in Tunisia between Nov. 16 and 18, where the topic of Internet management is on the agenda.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
