If so, then potentially it could be done via, say, session hijacking (accessing the account after authentication). Alternatively, malware might have stolen enough information to make a social engineering attack possible, and the funds were transferred via telephone banking or even in-person in a branch.
I'd have the bank do an investigation to find out how the funds were transferred.

FWIW we have a lot of these tokens issued (in the hundreds of thousands), and whilst I don't work in the area, I'm not aware of any vulnerability that allows such a bypass (e.g. token collision). Don't take my word as gospel, but I suspect if there was a vulnerability as you described earlier, a lot of organisations would be scrambling.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of James Hill
Sent: Thursday, 26 September 2013 5:38 PM
To: [email protected]
Subject: [NTSysADM] RE: Bank funds stolen without access to rsa token, anyone heard of that?

No I'm not. The suspicion is malicious software on the computer that was normally used.

James.

From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer
Sent: Thursday, 26 September 2013 5:32 PM
To: [email protected]
Subject: [NTSysADM] RE: Bank funds stolen without access to rsa token, anyone heard of that?

Are you 100% sure this was done via the internet banking site?

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of James Hill
Sent: Thursday, 26 September 2013 5:24 PM
To: [email protected]
Subject: [NTSysADM] Bank funds stolen without access to rsa token, anyone heard of that?

I've recently been in discussion with someone who has had money stolen from their bank account. I have seen examples of this in the past when the only authentication in place was a password. But in this case they had two factor authentication. A password and an RSA token.

They had funds transferred to an overseas bank account. For this to occur it would normally require logging on to the internet banking system with the password and token code. Then enter the external transfer area, enter the details then enter in the current token code.

Has anyone ever heard of this occurring?

James.

