ABN Amro’s Two-Factor Authentication System Vulnerable to Phishing Attacks
Phishers compromised the two-factor authentication system of Dutch bank ABN Amro and stole money from the accounts of four of its customers.
When the customers opened an attachment in a phishing e-mail that purported to come from ABN Amro, it downloaded a malicious program onto their PCs, which allowed the phishing attack to succeed. The malware led the users to a phony ABN Amro site, letting the attackers gain full control of the 'two factor' authentication mechanism.
This mechanism is typically used in online banking, where passwords and tokens together are meant to secure the user's identity.
The security industry has pushed tokens as a way to prevent hacking of users who transact online with corporate and banking services. Despite that, users can still succumb to phishing attacks, experts warned. The phishing attacks take victims to fraudulent sites where the phishers collect their security details.
ABN Amro has refunded the lost money to the four customers, who had transacted using two-factor authentication. Meanwhile, the bank has advised customers not to click on attachments coming from unknown senders.
'Two factor' authentication isn't immune to 'man in the middle' attacks, warn security experts.
An ABN Amro spokesman said the bank was taking the incident and everything associated with it seriously. He also said that the bank will adopt measures to enhance technological security so that hackers' ploys do not succeed again. Software published this in news on April 20, 2007.
At London's E-Crime Congress, held in March 2007, many experts discussed the constraints of the two-factor authentication system. Even after all banks adopt the system, hacking attacks will not stop, said Mikko Hypponen, chief research officer of security firm F-Secure, during the session. Similarly, Ross Anderson, a professor at Cambridge University, spoke about the deficiencies of two-factor authentication at the Congress. Anderson said the system was too expensive and also not effective, which is why most banks are reluctant to introduce it. Some that do will soon find the system broken and forget it, Anderson added. ZDNet Asia published this in news on April 23, 2007.
Barclays Bank said on April 18, 2007 that it would provide 500,000 PIN and chip tools to customers to help secure their online banking.
» SPAMfighter News - 01-05-2007