
Two-factor authentication technology being compromised says Gartner

14 December 2009

Just when the UK banks have started issuing two-factor authentication devices to a growing number of account holders, a report from the Gartner group claims to show that fraudsters have started to raid user accounts by beating the same technology.

Gartner reported that trojan-based "man-in-the-middle" browser attacks are circumventing strong two-factor authentication.

The report also said that other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated.

"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009", said Avivah Litan, vice president and analyst at Gartner.

"However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data."

The report revealed that, although account holders play by the rules and access their accounts using two-factor authentication, the latest trojans sit in the background and, while the authenticated session with the bank's computers is live, the hackers stage their own online session on top of it.

Even if a pro-active two-factor authentication security token is used, this piggy-back technique effectively negates the security it is meant to provide.

According to the report, a layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats.

"Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions", the study noted.

The good news, however, is that Gartner said more than one measure should be used to achieve optimal fraud prevention results, and it outlined technologies that can be combined, including:

  • Fraud detection that monitors user access behaviour.
  • Fraud detection that monitors suspect transaction values.
  • Out-of-band user transaction verification.
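To show why a code bound only to the login session is defeated by the piggy-back attack while out-of-band transaction signing holds up, here is an added illustration in Python; it is not code from Gartner or from the article, and the shared secret, payee identifiers, amounts and the trojan model are constructed for the example.

```python
"""Session-bound OTP vs. transaction-bound signing under a man-in-the-browser trojan.
All secrets, payee ids and amounts below are constructed sample values."""
import hashlib
import hmac

TOKEN_SECRET = b"constructed-shared-secret"  # provisioned to both the token and the bank

def session_otp(secret: bytes, counter: int) -> str:
    """One-time code bound only to the token counter, not to what is being sent."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def transaction_code(secret: bytes, payee: str, amount_pence: int, nonce: str) -> str:
    """Code computed over the payee and amount the user confirmed on a separate channel."""
    msg = f"{payee}|{amount_pence}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def bank_accepts_session_otp(submitted: dict, counter: int) -> bool:
    """Server check for a session-bound OTP: the code says nothing about the transaction."""
    return hmac.compare_digest(submitted["code"], session_otp(TOKEN_SECRET, counter))

def bank_accepts_signed(submitted: dict) -> bool:
    """Server recomputes the code over the transaction it actually received."""
    expected = transaction_code(TOKEN_SECRET, submitted["payee"],
                                submitted["amount_pence"], submitted["nonce"])
    return hmac.compare_digest(submitted["code"], expected)

def man_in_the_browser(form: dict) -> dict:
    """Constructed model of the trojan: the payee is rewritten before the form leaves the browser."""
    tampered = dict(form)
    tampered["payee"] = "ACCT-MULE-999"
    return tampered

def run_scenarios() -> dict:
    intended = {"payee": "ACCT-LANDLORD-001", "amount_pence": 50_000, "nonce": "tx-7f3a"}
    counter = 41
    # Scenario 1: the user types a session OTP; the trojan alters the payee in transit.
    form = dict(intended, code=session_otp(TOKEN_SECRET, counter))
    otp_result = bank_accepts_session_otp(man_in_the_browser(form), counter)
    # Scenario 2: the user confirms payee and amount out of band and enters the resulting code.
    form = dict(intended, code=transaction_code(TOKEN_SECRET, intended["payee"],
                                                intended["amount_pence"], intended["nonce"]))
    signed_result = bank_accepts_signed(man_in_the_browser(form))
    return {"session_otp_accepted_tampered": otp_result, "signed_accepted_tampered": signed_result}
```

The session OTP is accepted even though the payee was changed; the transaction-bound code is rejected because the bank recomputes it over the altered payee.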

According to Gartner, fraudsters have definitely proven that strong two-factor authentication processes can be defeated.

"Organisations need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transactions", Gartner said.


Comments

Greg Creaser says:

16 December 2009

"Organisations need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transaction", Gartner said.

Here at VeriSign we couldn't agree more. Criminals are always coming up with new high-tech ways to engage in fraudulent activities with your identity by stealing passwords and other vital information. A layered security approach is most effective to protect your information. You can read more about "Layered Security Strategy, the Key To Trust" at http://blogs.verisign.com/identity/
