update Security firm TrustDefender has this morning withdrawn claims it made last Thursday that seemed to 'prove' that the SMS-based two-factor authentication system used by many online banking systems was vulnerable to attack.

In a statement e-mailed to ZDNet Australia this morning, the chief executive and co-founder of TrustDefender Ted Egan said: "TrustDefender openly and unreservedly withdraws the suggestion ... that the two-factor authentication system operated by the Commonwealth Bank of Australia is or was vulnerable in the manner suggested in those statements".

Egan goes on to apologise to the Commonwealth Bank and its customers for "causing any unnecessary concern".

The story began last Thursday when TrustDefender, in partnership with Dragonfly Technologies, held a 'live hacking session', which was supposed to demonstrate weaknesses in the security of online banking systems.

Below we have republished the original story and the full text of TrustDefender's retraction:

Two-factor bank authentication proven vulnerable
Munir Kotadia, ZDNet Australia
04 May 2007

Two-factor authentication systems using SMS messages can be exploited by criminals to steal money, according to security experts who demonstrated an attack in Sydney on Thursday.

Australian security firms TrustDefender and Dragonfly Technologies, which specialise in endpoint security and two-factor authentication respectively, broke the security of a Commonwealth Bank account using a specially crafted piece of malware.

The demonstration showed how malware could be used to not only capture the login credentials of an online banking customer but also how, once the users' system was infected with a Trojan, an attacker could exploit weaknesses in the mobile phone-based authentication system to clean out a victims' account.

TrustDefender's chief technical officer, Andreas Baumhof, told ZDNet Australia that the hacking demonstration does not mean Commonwealth Bank's systems are any less vulnerable than the other banks -- because he said the same attack would work on any online bank's systems.

"Two-factor authentication only forces the bad guys to work in real time. Commonwealth is no less secure than Westpac or any of the other banks.

"It is an industry-wide problem because the banks can only put in security on their end. If the home user's computer is compromised, the whole security chain is compromised -- regardless of any security put in place by the bank," added Baumhof.

However, the Commonwealth Bank's chief information security officer Sarv Girn was adamant that the bank's security had not been compromised.

"When vendors make these claims, they are only making them on the niche they are looking at. Banks have a wide range of controls, not just in that area. The passwords issued by SMS can only be used by that customer and cannot be used a second time.

"We also have a system called Hawkeye, which is a rules-based detection system that analyses all transactions and has proved effective in identifying fraudulent activity.

"A Trojan alone does not compromise all your security. We don't completely rely on clean PCs around the globe accessing our systems. The system is working as intended," said Girn.

The demonstration was performed on a Windows XP system with the latest updates, IE 7, and AVG Antivirus. AVG was unable to recognise the Trojan, which was created specifically for the purpose of the demo.

According to TrustDefender, the Trojan used in the demonstration did not present a threat to other users because it was designed to only function if it was executed on the computer used in the demonstration.

The Commonwealth Bank implemented an SMS-based authentication system just over one month ago. Shortly after, the company's e-commerce general manager Marcus Judge said he expected miscreants to try and convince unsuspecting users to download malware, which allows unauthorised access to a computer.

A video of the hacking demo will be published here shortly.

Below is the full text of TrustDefender's retraction:

"Symbiotic Technologies T/A TrustDefender (TrustDefender) openly and unreservedly withdraws the suggestion in statements it caused to be published in an article on www.zdnet.com.au, www.zdnet.co.uk and www.zdnetasia.com and other sites on 4 May 2007 entitled 'Two-factor authentication proven vulnerable' that the two-factor authentication system operated by the Commonwealth Bank of Australia is or was vulnerable in the manner suggested in those statements. TrustDefender accepts that no vulnerability was demonstrated in the article. TrustDefender apologises to the Commonwealth Bank of Australia and its customers for causing any unnecessary concern.