Strong two-factor authentication is falling short, and businesses need to take notice, according to a report from Gartner.
In a new report, “Where Strong Authentication Fails and What You Can Do About It,” Gartner analyst Avivah Litan contends that Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication and proving that any authentication method that relies on browser communications can be defeated. This includes chip cards and biometric technologies.
“Fraudsters have been raiding user bank accounts that seemingly were protected by strong two-factor authentication, but any sensitive Web application is similarly vulnerable,” she wrote. “In some cases, the malware copies the user’s ID, password and OTP, and immediately uses them. Other times, the malware overwrites user transactions with the crook’s transactions, unbeknownst to the user or service provider, e.g., the online bank.”
Two-factor authentication based on telephony is also being beaten as well using call forwarding, which ensures that the fraudster – and not the legitimate customer – is called by the service provider performing the authentication, she noted.
“These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009,” said Litan in a press release. “However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data.”
The answer to all this is, she contends, is a mix of fraud detection that monitors user access behavior and monitors suspect transaction values. In an e-mail, she told eWEEK: “The fraud prevention market has done OK in 2009 despite severe budget cuts in the financial services sector. It hasn’t grown much but it hasn’t shrunk, either.”
Enterprises should also consider out-of-band verification that does not use the same primary communication channel as the user in order to verify a transaction request. Key to this, she notes in the report, is for enterprises to use out-of-band communications that can prevent their calls from being forwarded to phone numbers they have not registered and vetted for a legitimate user account, she writes in the report.
“A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers has been proven to mitigate these threats… Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transaction,” Litan said in the press release.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…