The “Man in the Browser” attack

Gizmodo reports:

New “Man in the Browser” Attack Bypasses Banks’ Two-Factor Authentication Systems

Except there is nothing new about this attack. OWASP documented it in 2007 and it was widely known that malware writers used it to bypass 2-factor authentication.

More from Gizmodo:

Since this attack has shown that the two-factor system is no longer a viable defense, the banking industry may have to adopt more advanced fraud-detection methods

Given that this has been going on for more than 5 years, it’s obvious that banks already have adopted more advanced fraud detection methods.

So why are they forcing you to carry around tokens and one-time passwords that make it awkward and uncomfortable to use your own money as you wish?

Because with only few exceptions, banks’ security guys are not interested in making your life comfortable. The more you suffer, the more you think they are secure.

Maybe it’s time to ask for accountability? Which of their so-called security features is really for security, and which is for CYA or ‘make-the-regulator-happy’?