Attacks: Scenarios and Threats

User authentication provided by the financial institution is required for both electronic banking and payment transactions. In order to authorize a payment, the customer needs to enter either a PIN (card payment at the point of sale, cash withdrawal at an ATM) or an iTAN or mTAN (account transfer in online banking). During day-to-day usage, e.g. at public cashiers in a retail store, manipulation of the card reader by unauthorized persons cannot be ruled out. The weakness is that neither the customer nor the bank can fully verify the integrity of the security infrastructure.

Like payments at the cashier, all banking solutions such as online banking, HBCI, HBCI plus, EBICS and BCS suffer from the same vulnerability, as neither the bank nor the customer can fully ensure that no manipulation of the infrastructure has taken place. As a consequence, many of the methods currently in use do not provide an efficient and adequate level of protection for secure banking transactions.

Phishing, Pharming, Trojans

In some cases, simple phishing attacks are sufficient to circumvent the classical TAN method. Improved mechanisms like iTAN and several token-based TAN generators can be successfully circumvented with pharming attacks and Trojans. Even for mechanisms based on smart cards, which are postulated to be secure, and for the mTAN, such targeted Trojans already exist.

Skimming, Hardware Manipulation

The techniques used to mount attacks at the hardware level depend on the security mechanisms being targeted. The hardware is manipulated in such a way that the relevant customer data is eavesdropped on while the customer's transaction takes place and is then transferred to the attacker.

Talk to our experts about possible protection mechanisms and their integration into your processes. We guarantee to quickly and efficiently reduce the potential damage through appropriate measures and to achieve long-term security for your systems.