Gartner has reported that trojan-based 'man-in-the-middle' browser attacks are circumventing strong two-factor authentication.
The report also said that other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated.
"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009", said Avivah Litan, vice president and analyst at Gartner.
"However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data."
The report revealed that, although account holders play by the rules and log in with two-factor authentication, the latest trojans sit in the background and, once the authenticated session to the bank's computers is live, the hackers piggy-back on it to stage their own online session.
Even if a pro-active two-factor authentication security token is used, this piggy-back technique effectively negates whatever security it provides.
According to the report, a layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats.
"Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions", the study noted.
The good news, Gartner said, is that more than one measure can be combined to achieve optimal fraud prevention results, and the report outlined the technologies that can be used, including:
- Fraud detection that monitors user access behaviour.
- Fraud detection that monitors suspect transaction values.
- Out-of-band user transaction verification.
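As an added illustration (not code from the Gartner report or from any vendor named on this page) of how those three layers fit together on the server side: behavioural and value signals are scored per transaction, a high-risk transaction is held for out-of-band confirmation, and the confirmation is always sent to the phone number enrolled on file rather than to any number offered during the browser session. Account fields, thresholds and the sample transactions are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Account:
    customer_id: str
    known_devices: set
    usual_countries: set
    known_payees: set
    avg_transfer: float
    oob_phone: str  # enrolled out-of-band at account opening, never taken from the web session


@dataclass
class Transaction:
    amount: float
    payee: str
    country: str
    device_id: str
    concurrent_sessions: int  # live sessions for this account at submission time, including this one


def risk_signals(acct: Account, tx: Transaction) -> list:
    """Server-side behavioural and transaction-value checks; each hit is a reason string."""
    reasons = []
    if tx.device_id not in acct.known_devices:
        reasons.append("unrecognised device")
    if tx.country not in acct.usual_countries:
        reasons.append("unusual geolocation")
    if tx.concurrent_sessions > 1:
        reasons.append("parallel session on account")  # the piggy-backed session described above
    if tx.payee not in acct.known_payees:
        reasons.append("new payee")
    if tx.amount > 3 * acct.avg_transfer:  # assumed baseline multiplier
        reasons.append("amount far above customer baseline")
    return reasons


def decide(acct: Account, tx: Transaction, step_up_at: int = 2) -> tuple:
    """Allow low-risk transactions; hold the rest for out-of-band confirmation."""
    reasons = risk_signals(acct, tx)
    action = "verify_out_of_band" if len(reasons) >= step_up_at else "allow"
    return action, reasons


def oob_challenge(acct: Account, tx: Transaction, session_supplied_phone: str = None) -> dict:
    """Build the out-of-band confirmation message.

    The destination is always the enrolled number. A phone number offered during the
    browser session is deliberately ignored: a trojan in the browser could supply one
    that forwards to the attacker, which is exactly what the verification must preclude.
    """
    text = f"Confirm transfer of {tx.amount:.2f} to {tx.payee}? Reply with the code shown."
    return {"to": acct.oob_phone, "message": text}
```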
According to Gartner, fraudsters have definitely proven that strong two-factor authentication processes can be defeated.
"Organisations need to protect their users and accounts using a three-pronged layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transactions", Gartner said.
Comments
Greg Creaser says:
16 December 2009
"Organisations need to protect their users and accounts using a three-pronged layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transactions", Gartner said.
Here at VeriSign we couldn't agree more. Criminals are always coming up with new high-tech ways to engage in fraudulent activities with your identity by stealing passwords and other vital information. A layered security approach is most effective to protect your information. You can read more about "Layered Security Strategy, the Key To Trust" at http://blogs.verisign.com/identity/