Attacks: Scenarios and Threats
User authentication provided by the financial institution is required for both electronic banking and payment transactions. In order to authorize a payment, the customer needs to either enter a PIN (card payment at the point of sale, cash withdrawal at an ATM) or an iTAN or mTAN (account transfer in online banking). During day-to-day usage, e.g. at public cashiers in a retail store, manipulation of the card reader by unauthorized persons cannot be ruled out. The weakness lies in the fact that neither the customer nor the bank is able to fully verify the integrity of the security infrastructure.
Similar to payments at the cashier, all banking solutions such as online banking, HBCI, HBCI plus, EBICS and BCS suffer from the same vulnerability, as neither the bank nor the customer can fully ensure that no manipulation of the infrastructure has taken place. As a consequence, many of the methods currently in use do not provide an efficient and adequate level of protection for secure banking transactions.
Phishing, Pharming, Trojans
In some cases simple phishing attacks are sufficient to efficiently circumvent the classical TAN method. Improved mechanisms like iTAN and several token-based TAN generators can be successfully circumvented with pharming attacks and Trojans. Even for mechanisms based on smart cards, which are postulated to be secure, and for the mTAN, such targeted Trojans already exist.
Skimming, Hardware Manipulation
The techniques used to mount attacks at the hardware level depend on the security mechanisms being targeted. The hardware is manipulated in such a way that relevant customer data is eavesdropped while the customer's transaction takes place and is then transferred to the attacker.
Talk to our experts about possible protection mechanisms and their integration into your processes. We guarantee to quickly and efficiently reduce the potential damage through appropriate measures and to achieve long-term security for your systems.