Monday, December 21, 2009

Cyberhackers vs. Banks








By Jim Kim

The Financial Times has weighed in with a wide-angle view of the current state of the hackers vs. banks war. It concludes that the thieves may be winning. One expert estimates criminals took about $40 million directly from bank accounts this year, "primarily targeting the small and mid-sized businesses that are themselves customers of small and mid-sized banks."



We've noted that small banks and their customers appear to be sadly fertile targets, given that their security efforts tend to lag the really big institutions. It's surprising how many small businesses fall prey to the same phishing techniques that bedevil consumers. The costs of entry into this illicit business may be declining, unfortunately. Cisco says that one of the main programs that thieves use can be had for just $700. This is troubling. Small banks and businesses have enough to worry about. It looks now like 2-factor authentication is not faring well against the bad guys. For more: here's the article



Editor's Note: It's time to define 2FA. Generally speaking, it is what you have and what you know.



Therefore, one could make a case that "having a username" and "knowing a password" is two-factor authentication. Since username and password is proven inadequate, 2FA must be useless.



Then there are the "One-Time-Passcodes" (OTPs), whereby something you have (a hardware device) generates a one-time PIN. In a recent report from Gartner, they concluded that OTPs are no longer enough to protect online banking transactions. So 2FA using OTPs is useless. But that DOESN'T mean all two-factor authentication is useless. Just 2FA using a web browser. Because, as Gartner also recently reported, nothing that uses a browser for authentication can be trusted.









So, what DOES work?
  




Hint: Go to an ATM and try to pull out $100. What do you have to do in order to accomplish that task? Well, there are three variables involved.

You have to use a hardware device (ATM) to "insert your card" (what you have) and enter your PIN (what you know). That process has been used and trusted by banks and bank customers for decades. We replicate that process for online banking authentication.

The HomeATM PCI 2.x Certified PIN Entry Device allows you to "insert your card" and "enter your PIN." The only difference is we eliminate the threats induced by skimming devices and hidden cameras designed to capture your PIN as you enter it.



Add to the equation that we also eliminate phishing (nothing to phish phor), and it seems obvious that the stage is "SET" (Swipe, Encrypt, Transmit), positioning our low-cost SLIM PED as an online banking savior.












