
Analyst Names And Shames Two-Factor Security Failings

Strong two-factor authentication is falling short, and businesses need to take notice, according to a report from Gartner.

In a new report, “Where Strong Authentication Fails and What You Can Do About It,” Gartner analyst Avivah Litan contends that Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication and proving that any authentication method that relies on browser communications can be defeated. This includes chip cards and biometric technologies.

“Fraudsters have been raiding user bank accounts that seemingly were protected by strong two-factor authentication, but any sensitive Web application is similarly vulnerable,” she wrote. “In some cases, the malware copies the user’s ID, password and OTP, and immediately uses them. Other times, the malware overwrites user transactions with the crook’s transactions, unbeknownst to the user or service provider, e.g., the online bank.”

Telephony-based two-factor authentication is also being beaten, she noted, using call forwarding, which ensures that the fraudster – and not the legitimate customer – is the one called by the service provider performing the authentication.

“These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009,” said Litan in a press release. “However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data.”

The answer to all this, she contends, is fraud detection that monitors both user access behavior and suspect transaction values. In an e-mail, she told eWEEK: “The fraud prevention market has done OK in 2009 despite severe budget cuts in the financial services sector. It hasn’t grown much but it hasn’t shrunk, either.”

Enterprises should also consider out-of-band verification, which confirms a transaction request over a channel other than the one the user is already communicating on. Key to this, she notes in the report, is that enterprises use out-of-band communications that cannot be forwarded to phone numbers they have not registered and vetted for the legitimate user account.

“A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats… Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transaction,” Litan said in the press release.
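The following added example (not from Gartner's report or from eWEEK) shows why the transaction overwriting described above defeats a plain one-time code but not out-of-band transaction signing: the confirmation code is computed over the payee and amount, and the message sent to the customer's registered phone repeats those details, so a code the customer reads out for one payment cannot authorise a different one. The shared secret, phone number, time window and amounts are constructed, and the enrollment record, `ENROLLED`, stands in for whatever vetted contact data a real system holds.

```python
"""
Added example: out-of-band transaction verification with a code bound to the
transaction details, compared against a time-only one-time code.
Secrets, phone numbers, amounts and the fixed time window are constructed.
"""
import hashlib
import hmac
import struct
import time

# Assumed enrollment data: a per-user secret for code generation and a phone
# number vetted at enrollment (the service only ever contacts this number).
ENROLLED = {
    "alice": {"secret": b"constructed-shared-secret-alice", "phone": "+15550100"},
}


def time_window(now=None, step=60):
    """Coarse time step so any code is only valid briefly."""
    return int((time.time() if now is None else now) // step)


def _truncate(digest):
    """RFC 4226-style dynamic truncation of an HMAC digest to a 6-digit code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def plain_otp(secret, window):
    """A code that depends only on time: it proves possession of the token,
    but says nothing about which transaction the user meant to approve."""
    return _truncate(hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest())


def transaction_code(secret, payee, amount_cents, window):
    """A code bound to payee, amount and time window (transaction signing)."""
    msg = f"{payee}|{amount_cents}|{window}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def send_out_of_band(user, payee, amount_cents, window):
    """Build the message for the registered phone; returns (phone, text, code).
    The text repeats payee and amount so the user sees what the code authorises."""
    rec = ENROLLED[user]
    code = transaction_code(rec["secret"], payee, amount_cents, window)
    text = f"Confirm payment of {amount_cents / 100:.2f} to {payee}. Code: {code}"
    return rec["phone"], text, code


def verify_plain(user, submitted, window):
    """Server check for a time-only code: ignores the transaction entirely."""
    return hmac.compare_digest(plain_otp(ENROLLED[user]["secret"], window), submitted)


def verify_bound(user, submitted, payee, amount_cents, window):
    """Server check for a bound code: recomputed over the transaction actually submitted."""
    expected = transaction_code(ENROLLED[user]["secret"], payee, amount_cents, window)
    return hmac.compare_digest(expected, submitted)


def demo(window=12345):
    """Replay the overwrite scenario: the user approves one payment, the
    tampered browser submits another, and the relayed code is checked both ways."""
    approved = ("landlord", 95_000)          # what the user saw and confirmed
    submitted = ("mule-account", 250_000)    # what the browser actually sent
    _, _, bound_code = send_out_of_band("alice", *approved, window)
    relayed_plain = plain_otp(ENROLLED["alice"]["secret"], window)
    return {
        "plain_otp_accepts_tampered": verify_plain("alice", relayed_plain, window),
        "bound_code_accepts_tampered": verify_bound("alice", bound_code, *submitted, window),
        "bound_code_accepts_approved": verify_bound("alice", bound_code, *approved, window),
    }


if __name__ == "__main__":
    print(demo(time_window()))
```

Two points about the design. First, binding the code to the transaction only helps if the user can see the payee and amount on the out-of-band channel, which is why the message text repeats them rather than sending a bare code. Second, the lookup in `ENROLLED` delivers to the number vetted at enrollment; the call-forwarding problem the report raises is not something this code can detect, and has to be handled with the telephony provider and by putting phone-number changes through their own verification.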

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
