Below is a media alert from Trusteer’s CTO on a new Tatanga attack against chipTAN systems used by banks in Germany to generate unique transaction authentication numbers (TAN).
Trusteer has discovered a new Tatanga attack against chipTAN systems used by banks in Germany to generate unique transaction authentication numbers (TAN). chipTAN requires that the bank card for the account be inserted in the device to generate a TAN that is specific to the current transaction.
The attack bypasses chipTAN systems in the following way:
Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount.
Next, it initiates the transfer.
At this point Tatanga uses a Web Inject to fool the user into believing that the bank is performing a chipTAN test. The user is asked to generate a TAN for the “test” transaction and enter it.
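These are the instructions in German, each followed by an English translation:
1. Stecken Sie Ihre Chipkarte in den TAN-Generator und drücken "F".
(Insert your chip card into the TAN generator and press "F".)
2. Halten Sie den TAN-Generator vor die animierte Grafik. Dabei müssen die Markierungen (Dreiecke) von der Grafik mit denen auf Ihrem TAN-Generator übereinstimmen.
(Hold the TAN generator in front of the animated graphic. The markings (triangles) on the graphic must line up with those on your TAN generator.)
3. Prüfen Sie die Anzeige auf dem Leserdisplay und drücken "OK".
(Check the display on the reader and press "OK".)
4. Prüfen Sie die Hinweise (Empfänger-Kontonummer (ohne führende Nullen), Bankleitzahl des Empfängers und Betrag) auf dem Leserdisplay und bestätigen diese dann jeweils mit "OK" auf Ihrem TAN-Generator.
(Check the details (recipient account number (without leading zeros), recipient's bank code and amount) on the reader display and then confirm each one with "OK" on your TAN generator.)
Hinweis: Uberprufen Sie die Anzeige des TAN-Generators immer anhand der Original-Transaktions-Daten - z.B. einer Rechnung
(Note: Always check the TAN generator's display against the original transaction data, e.g. an invoice.)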
Tatanga then captures the TAN number entered by the user at the bank site, and proceeds to make a fraudulent transaction. Meanwhile, it replaces the user transaction history/balance details to hide the fraudulent transfer from the victim.
“chipTAN systems are considered fairly secure, because the generated TAN takes into account both transaction details and the bank issued chip and pin card”, said Trusteer’s CTO Amit Klein. “However, this attack demonstrates that by using man-in-the-browser social engineering techniques financial malware can circumvent chipTAN security. Implementing endpoint protection against advanced malware like Tatanga, Zeus, and others, is the only way to make sure that the integrity of second factor security measures like chipTAN is not compromised.”