A Note on Scandinavian Phishing
At the beginning of this year (2007), there was a major phishing operation directed at the customers of the inter-Scandinavian Nordea bank. The thieves got away with a sum equivalent to about 1 million US dollars. Because of the attack vector used (and of course to save face and for damage control purposes), Nordea was quick to claim that the attack was possible due to social engineering and that their security was not at fault. This is a false claim, and I shall explain why.
The attack vector which was used was an email containing a trojan horse program. The malicious program asked the user for various codes used for the online bank access and after that it was trivial for the attackers to steal money. The victims were all users of the Swedish side of Nordea, and there are some interesting reasons why this was the case.
Nordea is a major bank in Finland also, so why did that attack not succeed in Finland? There is a simple answer: the authentication methods of the online bank differ slightly (but crucially) depending on whether you use the Swedish or the Finnish version of the bank. For the authentication method used in Finland, that trojan could simply not work.
In Finland, to enter the bank one needs a customer number and a one-use code which is looked up from a paper slip given to you by the bank. When these are correct, access to the bank is granted. When attempting to do operations such as transferring money, one needs to enter a new code, chosen at random from a pool of multiple-use codes (4 digits, denoted by letters from A to U), also printed on the slip of paper sent to you by the bank. The code to enter is identified by an uppercase letter which is printed next to the code.
In Sweden, one needs a person-number and a personal code. These are static; they never change. In addition, to enter the bank, one needs a one-use number taken from a card sent to you by the bank. The card is plastic, the size of a credit card, looks very neat and has a scratch-off surface similar to some lottery tickets. The idea is that you scratch the number to make it visible and then use it once. The problem is that once you have entered the bank with these codes, you can do anything without further codes or numbers. That’s right, once you’re in, you can do everything! This is something which would surely make Bruce Schneier cry, should he ever find out. So, let us next proceed to the phishing itself.
All it takes for the attacker is to (1) show a fake login screen a few times and (2) lure the prey into entering the entry codes. To lessen any suspicions, perhaps the attacker will conclude the phishing by showing some plausible error such as “We are undergoing maintenance, try again later”. After obtaining the codes, the attacker logs in with them and does a money transfer.
On the Finnish side of Nordea, in practice, such an attack would not work. After login, the attacker would have to fake more than just the entry page of the online bank (including coming up with plausible account information, since such information is visible) in order to obtain a large enough number of the multiple-use codes used for account transfers. This alone would probably be enough to destroy the illusion of safety desired by the phishing attack. The further one proceeded to view one’s own account data, the more apparent the swindle would become. For example, the attacker would not know your exact balance or your previous transactions. Also, since there are many multiple-use codes, the faked query for the codes would have to be done many times to enhance the attacker’s chances of success, and this would raise suspicions even further.
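The difference between the two designs comes down to whether a transfer is authorised by the session alone or by a fresh, unpredictably chosen code. The toy model below is an added illustration, not Nordea’s code: it simulates both schemes as the post describes them (Finnish side: single-use entry code plus an indexed sheet of 21 multiple-use transfer codes, A to U; Swedish side: static person-number and personal code plus a single-use scratch code, nothing further per transaction) and measures what a phished login buys under each. Customer numbers, code lengths, sheet sizes and the session format are assumptions made up for the example.

```python
"""Toy model of session-only vs per-transaction authorisation (added example).
Assumptions not in the post: 10 entry codes per slip, 4-digit codes, session ids."""
import random
import string

INDEX_LETTERS = string.ascii_uppercase[:21]   # A..U, 21 multiple-use codes per slip
ENTRY_CODES_PER_SLIP = 10                     # assumption; the post gives no number


def four_digits(rng):
    return f"{rng.randrange(10000):04d}"


class FinnishBank:
    """Per-transaction authorisation: every transfer is challenged with a random
    index letter and must be answered with the code printed beside that letter."""

    def __init__(self, rng):
        self.rng = rng
        self.slips = {}        # customer number -> {"entry": [...], "transfer": {letter: code}}
        self.used_entry = {}   # customer number -> entry codes already spent
        self.sessions = {}     # session id -> customer number

    def issue_slip(self, customer):
        slip = {"entry": [four_digits(self.rng) for _ in range(ENTRY_CODES_PER_SLIP)],
                "transfer": {L: four_digits(self.rng) for L in INDEX_LETTERS}}
        self.slips[customer] = slip
        self.used_entry[customer] = set()
        return slip  # the paper slip handed to the customer

    def login(self, customer, entry_code):
        slip = self.slips.get(customer)
        if slip is None or entry_code not in slip["entry"] or entry_code in self.used_entry[customer]:
            return None
        self.used_entry[customer].add(entry_code)   # single use: spent by the first login
        sid = f"fi-{len(self.sessions)}"
        self.sessions[sid] = customer
        return sid

    def transfer_challenge(self):
        return self.rng.choice(INDEX_LETTERS)       # bank picks the letter, not the client

    def transfer(self, sid, letter, answer):
        customer = self.sessions.get(sid)
        return customer is not None and self.slips[customer]["transfer"][letter] == answer


class SwedishBank:
    """Session-only authorisation: a valid login is all a transfer needs."""

    def __init__(self):
        self.accounts = {}     # person number -> [personal code, unscratched codes]
        self.sessions = {}

    def issue_card(self, person_number, personal_code, rng, n=10):
        codes = {four_digits(rng) for _ in range(n)}
        self.accounts[person_number] = [personal_code, codes]
        return sorted(codes)

    def login(self, person_number, personal_code, scratch_code):
        acct = self.accounts.get(person_number)
        if acct is None or acct[0] != personal_code or scratch_code not in acct[1]:
            return None
        acct[1].discard(scratch_code)                # scratch code is single use
        sid = f"se-{len(self.sessions)}"
        self.sessions[sid] = person_number
        return sid

    def transfer(self, sid):
        return sid in self.sessions                  # no further code is asked for


def finnish_phish_success_rate(captured_letters):
    """Fraction of challenge letters a phisher can answer having captured only the
    given transfer codes, i.e. the chance that one faked code query was enough."""
    captured = set(captured_letters) & set(INDEX_LETTERS)
    return len(captured) / len(INDEX_LETTERS)


def demo(seed=7):
    """Replays one phished login against each design and reports what it bought."""
    rng = random.Random(seed)
    fi = FinnishBank(rng)
    slip = fi.issue_slip("12345678")                 # constructed customer number
    # Fake page captured one unused entry code and a single transfer code (letter K).
    sid = fi.login("12345678", slip["entry"][0])
    challenge = fi.transfer_challenge()
    answer = slip["transfer"]["K"] if challenge == "K" else "????"   # no code for other letters
    se = SwedishBank()
    card = se.issue_card("790101-1234", "4711", rng)  # constructed person-number and code
    se_sid = se.login("790101-1234", "4711", card[0])
    return {
        "finnish_entry_code_reusable": fi.login("12345678", slip["entry"][0]) is not None,
        "finnish_challenge": challenge,
        "finnish_transfer_with_one_captured_code": fi.transfer(sid, challenge, answer),
        "finnish_expected_rate": finnish_phish_success_rate("K"),
        "swedish_transfer_after_phished_login": se.transfer(se_sid),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The Swedish model always reports a successful transfer from the phished login, while the Finnish model succeeds only when the bank happens to challenge the one letter the fake page asked for (1 in 21 per attempt), and each extra faked query the phisher needs to raise that rate is another chance for the victim to notice.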
Nordea’s claim that the fault was in social engineering is not completely accurate. The major source of fault was Nordea’s own security, or more precisely their lack of security on the Swedish side of the bank. Nordea is surely taking some corrective actions to prevent similar attacks from happening in the future, but it is worth asking why an authentication method with such an obvious hole had been deployed to customers in the first place.
PS. There is a simple fix that Nordea bank could make for its Swedish customers to remedy the situation, if they are intent on not using the Finnish system. The fix would also not require much re-education of customers. However, I shall not digress into that discussion unless Nordea pays me money to consult them… :-)