German hackers successfully bypass two-factor authentication

Senior superintendent of the Federal Office of Criminal Police of Germany Mirko Manske has stated that the system of two-factor authentication widespread in Germany to ensure the security of online banking operations , is not able to protect client accounts from cyber-criminals.
iTan code serves as an additional security boundary in transferring of funds via the Internet. The first protection level the user passes when you connect to the system, then he is proposed to enter one-time combination of characters for the confirmation of the specific transaction. The right combination is delivered to the client via the alternative communication channel and allows the confirmation of userâ€™s identity in the case when his identity data are in the hands of criminals.
The widespread hacker strategy called â€œman in the middleâ€ provides a violator an opportunity of modification of data transmitted between the compromised computer and bank server. Quite popular is also another type of attack â€œman in the browserâ€, in which, special â€œTrojanâ€ application is responsible for the modification of data transaction.
Manske, whose presentation has been censored because of the presence of confidential information, make an example of two quite real incidents in which hackers had managed to take advantage of the defects in iTan system and to steal money from clientsâ€™ accounts. In one of the scenarios a potential victim was offered to enter the code to confirm the cash transference in the amount of 500 Euro. In reality, hacker has modified the data of this transaction to send 5'000 Euro to his own account. Another incident leads to the conclusion that the technical â€œadvancementâ€ of malicious software developers. One of the major German banks had spent considerable resources for the introduction of a system that requires the input of â€œCaptchaâ€ (artificially twisted image of random combination of letters and figures which allow to distinguish the living user from a computer program) to confirm the transaction.
Designed by a talented hacker component could generate an exact copy of â€œCaptchaâ€ generated by banking system and offer it to clientâ€™s attention.
By introducing the proposed set of characters, the potential victims didnâ€™t even suspect that they transfer money to the account of fraudster, pcworld.com writes.