Wednesday, July 30, 2014

Hackers Find Way to Outwit Tough Security at Banking Sites

Researchers uncovered what they say is a sophisticated, multistage attack by cybercriminals determined to bypass the so-called two-factor authentication systems at banks in Austria, Japan, Sweden and Switzerland, according to a report to be released Tuesday.

Most sites ask for a single password. But two-factor authentication systems require customers to enter a second, one-time password that has been emailed or texted to their phones. The hope is that a second identifying factor eliminates the risk that criminals can break into customers’ accounts simply by stealing an online password.

But hackers were able to bypass the two-factor authentication systems at the European and Japanese banks through an attack that begins — as most do — with a phishing email.

The email, which purports to be from popular retailers, includes malicious attachments disguised as receipts. By opening the attachments, victims download malicious software onto their machines. In turn, when someone tries to reach a real bank site, that software redirects the victim to a site managed by criminals.

The criminals would also prod victims to download a mobile application, available in Google’s Android store.

The app posed as a tool that would improve security. But once installed, it gave criminals full access to their victims' bank accounts: it intercepted the second, one-time password that legitimate banks send to their customers so that they can log into their accounts remotely.
