First confirmed in Japan in December 2016, the DreamBot Trojan infected computers and tricked victims into giving up their credentials and one-time passcodes, which a criminal group then used to siphon off funds.
By the time Japan’s Metropolitan Police Department announced, on October 5, 2017, that it had exposed the criminals, the group had pilfered a staggering 240 million yen (approximately US$2.1 million) from consumer accounts. DreamBot exposed the need for banks to move away from one-time passcodes (OTPs) as their only two-factor authentication for access and embrace a strong form of transaction verification.
Strong Authentication for Access
DreamBot was a man-in-the-browser attack, facilitated by malware installed on a Windows machine. Traditional OTP has never been the right security measure against man-in-the-middle or man-in-the-browser attacks: a passcode proves that the user holds the token, but it is not tied to any particular transaction, so malware that relays it authorizes whatever the malware submitted. Given the growing scale of data breaches, banks in particular have an obligation to implement stronger security measures to protect sensitive consumer accounts. Banks need to leverage a multifactor authentication (MFA) solution that provides a secure out-of-band authentication method for both account logon and transaction verification. Whether the action is a password reset or a wire transfer, banks need to require two-factor authentication on any risky action to confirm its legitimacy.
Contextual Authentication for Transactions
The DreamBot attack could have been mitigated had unsuspecting users received a push notification asking them to confirm the (malicious) account activity. While human error cannot be completely eliminated, the vast majority of transfers would have been stopped when users recognized the malicious activity and denied the unauthorized request.
If the transaction details match what you were submitting—for example, “Transfer $100 to my friend’s account”—then a simple Accept on your smartphone will let the transaction proceed. If the details have changed—for example, “Transfer $10,000 to an unknown account”—then a Deny will stop it dead in its tracks. Assurance comes from the response originating on a unique, secure device that the legitimate user previously linked to the account, so the bank knows which person answered and from which device. The attacker cannot compromise both communication channels (web and mobile) without significant effort.
Choosing the Right Authentication Solution
When selecting a strong, out-of-band authentication software method, look for security vendors with proprietary technology, which is unique and cannot be cloned. When implementing a soft authenticator solution, ensure your authentication vendor leverages the Trusted Execution Environment (TEE). We believe a TEE-protected soft authenticator approach is more secure than a dedicated hardware approach because it resides in a full-stack computing platform that enables secure updates, such as secret rotation, which can quickly mitigate possible threats.
Banks also need to consider vendors that offer complementary security services. DreamBot took advantage of compromised Windows machines—it is as critical to protect user devices as it is to protect user credentials. Consider authentication vendors who can provide malware detection for all user devices. Soft authenticators are often hosted on mobile devices, so choose a vendor that can check for mobile risk factors and enforce good device hygiene. Mobile device risk factors include outdated operating systems, jailbroken or rooted phones, and attached debuggers or other development tools.
Last, banks should ensure any security solution easily fits with their consumer-facing applications. Look for a scalable solution that delivers strong, out-of-band authentication and device protection using supporting APIs and advanced business logic. By building these capabilities into their applications, banks can preserve the user experience while promoting their brand.
By leveraging all the above-mentioned security capabilities for access control and transaction verification, banks can greatly decrease the attack surface and protect themselves and their consumers from future criminal activity.