Lets go straight to the point on the techniques hackers use to steal money directly from bank accounts. Most people assume 2FA is infallible. They can’t imagine how it could possibly be defeated. It dramatically improves your security but it’s just another hurdle for cybercriminals and there is a variety of techniques. Here is one called a Man-in-the-Browser. We all click web hotlinks. Browsers are designed for this and to run JavaScript. It’s legitimate code and bad code is undetectable. Symantec published that a MitB, on average, is there 10-months before the hacker stings their victim. They get to know everything, including bank login details and so are only one step away from tricking you to reveal, or use, your 2FA. Being programmers, they also automate their system so it can be replicated to 100,000 machines. The next time you login to your bank to pay the bills the JavaScript simply changes the destination bank account numbers behind your screen, and moves the decimal point. What you see and what’s behind the screen are completely different. You authorize the transaction with your FOB, SMS text,j Google Authenticate or Biometrics. One-time-pass-codes are issued once but can be used many times in the next 35 seconds. Your money is gone, and you now have to prove to the bank that you’re not defrauding them. These investigations take a really long time. Your cash flow stopped instantly and the two most precious assets on any balance sheet are (i) Cash at Bank, and (ii) Reputation. Both are gone in 24 hours. If you are a Trustee you’re personally liable within 24 hours. Our governments shut down your business at 48 hours. Well done to the Queensland Law Society for publishing this. #2FA #cyberheist #accounttakeover #ATO #banksecurity #FOB #MitM #JavaScript #BankVault |