TrustDefender u-turns on bank security claims

Update: Security firm TrustDefender has this morning withdrawn claims it made last Thursday that seemed to 'prove' that the SMS-based two-factor authentication system used by many online banking systems was vulnerable to attack.

In a statement e-mailed to ZDNet Australia this morning, the chief executive and co-founder of TrustDefender Ted Egan said: "TrustDefender openly and unreservedly withdraws the suggestion ... that the two-factor authentication system operated by the Commonwealth Bank of Australia is or was vulnerable in the manner suggested in those statements".

Egan goes on to apologise to the Commonwealth Bank and its customers for "causing any unnecessary concern".

The story began last Thursday when TrustDefender, in partnership with Dragonfly Technologies, held a 'live hacking session', which was supposed to demonstrate weaknesses in the security of online banking systems.

Below we have republished the original story and the full text of TrustDefender's retraction:

Two-factor bank authentication proven vulnerable
Munir Kotadia, ZDNet Australia
04 May 2007

Two-factor authentication systems using SMS messages can be exploited by criminals to steal money, according to security experts who demonstrated an attack in Sydney on Thursday.

Australian security firms TrustDefender and Dragonfly Technologies, which specialise in endpoint security and two-factor authentication respectively, broke the security of a Commonwealth Bank account using a specially crafted piece of malware.

The demonstration showed how malware could be used not only to capture the login credentials of an online banking customer but also, once the user's system was infected with a Trojan, how an attacker could exploit weaknesses in the mobile phone-based authentication system to clean out a victim's account.

TrustDefender's chief technical officer, Andreas Baumhof, told ZDNet Australia that the hacking demonstration does not mean Commonwealth Bank's systems are any less vulnerable than the other banks -- because he said the same attack would work on any online bank's systems.

"Two-factor authentication only forces the bad guys to work in real time. Commonwealth is no less secure than Westpac or any of the other banks.

"It is an industry-wide problem because the banks can only put in security on their end. If the home user's computer is compromised, the whole security chain is compromised -- regardless of any security put in place by the bank," added Baumhof.

However, the Commonwealth Bank's chief information security officer Sarv Girn was adamant that the bank's security had not been compromised.

"When vendors make these claims, they are only making them on the niche they are looking at. Banks have a wide range of controls, not just in that area. The passwords issued by SMS can only be used by that customer and cannot be used a second time.

"We also have a system called Hawkeye, which is a rules-based detection system that analyses all transactions and has proved effective in identifying fraudulent activity.

"A Trojan alone does not compromise all your security. We don't completely rely on clean PCs around the globe accessing our systems. The system is working as intended," said Girn.

The demonstration was performed on a Windows XP system with the latest updates, IE 7, and AVG Antivirus. AVG was unable to recognise the Trojan, which was created specifically for the purpose of the demo.

According to TrustDefender, the Trojan used in the demonstration did not present a threat to other users because it was designed to only function if it was executed on the computer used in the demonstration.

The Commonwealth Bank implemented an SMS-based authentication system just over one month ago. Shortly after, the bank's e-commerce general manager Marcus Judge said he expected miscreants to try to convince unsuspecting users to download malware, which allows unauthorised access to a computer.

A video of the hacking demo will be published here shortly.

Below is the full text of TrustDefender's retraction:

"Symbiotic Technologies T/A TrustDefender (TrustDefender) openly and unreservedly withdraws the suggestion in statements it caused to be published in an article on www.zdnet.com.au, www.zdnet.co.uk and www.zdnetasia.com and other sites on 4 May 2007 entitled 'Two-factor authentication proven vulnerable' that the two-factor authentication system operated by the Commonwealth Bank of Australia is or was vulnerable in the manner suggested in those statements. TrustDefender accepts that no vulnerability was demonstrated in the article. TrustDefender apologises to the Commonwealth Bank of Australia and its customers for causing any unnecessary concern."


Talkback 15 comments

    Why don't the banks implement TrustDefender? Anonymous -- 04/05/07

    Seeing such security gaps makes me wonder why the banks then not close these gaps by implementing available security software?

    I tried the software from TrustDefender, the guys who demonstrated the gap and - no wonder - their software brings together the security of your PC with the bank and builds a locked secure channel. No more chance for malware or trojans.

    Doesn't seem to be rocket-science, there is even a free trial available at http://www.trustdefender.com

    Unless you have a mac... Paul Wilkinson -- 04/05/07 (in reply to #320078863)

    or Linux, or Windows Vista, or want to access the bank website from work (Where policy prevents you from installing software) or an Internet Cafe (where you can't install software)

    Are you sure Paul - Trustdefender does work .... Anonymous -- 04/05/07 (in reply to #320078863)

    As far as I know the TrustDefender application can be loaded on to locked-down computers e.g. in the office or internet cafes or business centres in airline terminals. In fact I have downloaded TrustDefender in an internet cafe that had a lock-down service - and it worked.
    So what was the problem that Paul mentions in his commentary? I think you are wrong Paul to make this claim? If they haven't already, then I would guess the TrustDefender guys are already on to rolling out a Vista / Mac / Linux version - now that the cat is out of the bag!

    How does this work? Anonymous -- 07/05/07 (in reply to #320078863)

    Does TrustDefender protect against the user's PC itself getting highjacked?

    For a simplistic example, imagine the hacker installs VNC on the PC and inserts their own mouse/keystrokes to initiate transactions once the user has logged in to their bank. More realistically, they could install a tweaked web browser or similar so the user can't see anything going on.

    Can TrustDefender protect against this kind of thing?

    I do not work for Trustdefender anonymous -- 07/05/07 (in reply to #320078863)

    Geez reading some of the comments here you would swear they are written by Trustdefender employees trying to drum up sales......

    It seems to me that token and SMS are not perfect - perhaps if the SMS confirmed the amount and destination, as well as the code, you could check it before typing in the code. If the code generated could only be used for a transaction of that amount to that account, wouldn't that solve the problem?
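    The transaction-bound code the commenter proposes, and the single-use property the bank's CISO describes above, sketched as an added example in Python (not code from ZDNet, TrustDefender or the Commonwealth Bank; the server key, the six-digit code format and the three-attempt lockout are assumptions): the code is an HMAC over customer, amount, payee and a per-transfer nonce, the SMS text states what the code authorises, and a code issued for one transfer is rejected for any other amount or destination and cannot be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed policy: lock a pending transfer after three bad codes


@dataclass(frozen=True)
class Transaction:
    customer: str
    amount_cents: int
    destination: str  # payee account exactly as the customer sees it


class TransactionCodeService:
    """Issues one-time codes that are valid only for one specific transfer."""

    def __init__(self, key: bytes):
        self._key = key      # server-side secret; assumed to sit in an HSM in practice
        self._pending = {}   # txid -> [Transaction, attempts_left]

    def _derive(self, tx: Transaction, nonce: str) -> str:
        # Bind the code to customer, amount and destination so it cannot be
        # redirected to another payee; the nonce makes every code unique.
        msg = f"{tx.customer}|{tx.amount_cents}|{tx.destination}|{nonce}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def issue(self, tx: Transaction):
        txid = secrets.token_hex(8)          # doubles as the nonce
        code = self._derive(tx, txid)
        self._pending[txid] = [tx, MAX_ATTEMPTS]
        # The SMS says what the code authorises, so a customer whose PC has been
        # tampered with can spot a changed amount or payee before typing it in.
        sms = (f"Code {code} authorises ${tx.amount_cents / 100:.2f} to "
               f"{tx.destination}. If you did not request this, do not enter it.")
        return txid, code, sms

    def verify(self, txid: str, submitted: Transaction, code: str) -> bool:
        entry = self._pending.get(txid)
        if entry is None:
            return False                     # unknown, already used, or locked
        # Recompute over the *submitted* details: a code sent for the genuine
        # transfer fails if malware on the PC altered the amount or payee.
        expected = self._derive(submitted, txid)
        if submitted != entry[0] or not hmac.compare_digest(expected, code):
            entry[1] -= 1
            if entry[1] == 0:
                del self._pending[txid]      # lock after repeated failures
            return False
        del self._pending[txid]              # single use: consumed on success
        return True
```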

    Unless name resolution is secured... Anonymous -- 05/05/07

    There never will be security unless the entire name resolution path can be proven secure. The local hosts file and the DNS servers (ISP, etc) must be secure.

    The best that can be done is to rely upon the banks' DNS servers. If they're compromised then it's game over anyway.

    check ASIC's EFT code respondents supporting this .... Professor William J Caelli Anonymous -- 05/05/07

    He comments:"The two factor schemes being discussed have been seen as already being OBSOLETE in regard to threats such as rootkit, “zombie”, “directed / specific Trojans” and allied attacks. The main problem, today, with extended use of “broadband” connections to the Internet is simply “session capture”, even when a token based structure is used. In this situation the actual PC being used is totally “captured” by the third party and any activity to/from that machine can be monitored and fraudulent transactions can be inserted at will, while the user is on-line to their bank, for instance"....the banks are behind the eightball it seems again...even with all their other intell solutions...

    I'm with the bank on this one. vendor skeptic -- 07/05/07

    Suppose the baddies could intercept all my data, and suppose they also had a key logger to give them all my keystrokes, they still couldn't steal my money!

    They'd have my username & password (factors 1 & 2). They couldn't spoof my outgoing packets because of the secure socket connection. With my login details they could log in & transfer money between my accounts (boo hoo), but not out of the bank. This is because of the SMS 3rd factor. Unless they've also stolen my phone, they can't generate the use-once SMS code that is required to get money out of my bank accounts.

    Some of the other commenters on this thread seem totally sold on the vendor's claims though, despite the lack of detail provided. I'm sure the opinions are objective, just like those McDonalds kids. I suspect some astroturf is being laid down here (fake grass-roots support).

    sms and trust defender jeff mcgeorge -- 07/05/07

    the SMS payment code system can be compromised on smartphones, as it's part of the smartphone's OS, and therefore vulnerable to rootkit-controlled malware controlling the smartphone's browser and keystroke functions, therefore compromising the trust defender approach, and the SMS payment code system. Microsoft has repeatedly, ad nauseam, warned the world that their operating systems cannot be secured against rootkit intrusion

    Dynamically inserted rootkits Jeff McGeorge -- 07/05/07

    Dynamic malware insertion onto a PC can be carried out unobtrusively, simply by a user visiting a website that has a malware payload, hidden (and controlled by a rootkit) from the user's security software and browser checks; this is an attack that cannot be stopped. If this happens to a smartphone that is being used for internet banking in conjunction with SMS payment code authorization to the same handset, the hacker can control and use the SMS codes to fraudulently withdraw funds from a user's account. One of the most malicious dynamic attacks is one that is currently happening, emulating a Microsoft Windows upgrade request, only giving the game away by asking for credit card details; if the user is not forthcoming with the details, the OS is shut down by the malware. Nasty stuff

    CBA and 2 Factor Anonymous -- 08/05/07

    Fascinating to watch the press get all excited about CBA's efforts on security when there are other banks out there (St George, ANZ) keeping their heads well below the firing line because they know they haven't yet done a ruddy thing about online authentication. Why not do a story on how cybercrooks will be targeting these banks that are the easiest?

    As for the clowns at TrustDefender I think they should be renaming themselves to Hoaxdefender.

    Video Christian Heinrich -- 08/05/07

    @Munir

    Can u pls give an ETA on when the video will be published?

    If it has already (I've checked the Video section) - can u pls provide its URL?

    real story Anonymous -- 08/05/07

    this looks more like the real story here: http://australianit.news.com.au/articles/0,7204,21675098%5E15841%5E%5Enbv%5E,00.html

    Hmm, interesting retraction Anonymous -- 10/05/07

    Very interesting retraction, I am sure the product is a good one, maybe going after a big name bank wasn't the smartest way to promote it, or maybe it was, it's got everyone talking

    trust defender software does not solve compromised OS Jeff McGeorge -- 11/05/07 (in reply to #320079174)

    I think a lot of people do not understand that there is no silver bullet software solution for rootkit-controlled malware, or indeed unknown malware attacks, that compromise the OS and the browser in particular. Who cares if solutions such as trustdefender assure the bank that the transaction is going to be generated on a certain PC? If that PC is being controlled by malware, disguised by a rootkit, that means a successful man in the middle attack can be carried out at will. Other claims such as being able to track IP addresses for security purposes, for example, are a waste of time and resources, as once a machine is "owned", whether a home PC or a webserver, any IP address can be generated by the bad guys. As long as third party access to the OS exists, so too will undetectable malware.
