Wednesday, January 20, 2010

Gartner: Online Banking Transactions Not Secure



The Ecommerce Journal published a story regarding Gartner's recent report that One-Time Passwords (OTPs) do not provide adequate protection against the bad guys. In fact, if a banking Trojan designed to steal online banking credentials were to receive the OTP at the same time the consumer did, it could carry out a transaction about 20 to 30 times faster than the online banking customer. Since it's a "one-time" password, whoever enters it first is the one who is able to use it. End result? OTPs work better for the bad guys than they do for the good ones. Here's the story:



Transactions are still not secure with online banking, what else should be done?



The simple answer:  Log on to online banking with the same trusted method used to access cash from an ATM.  Insert your card into a card reader and enter your PIN into a PCI 2.x certified PIN Entry Device...



Gartner Inc. warns that the measures taken by the financial institutions to protect online transactions are lame and are no longer enough to protect online banking systems against fraud.



Sophisticated tools used by the cybercriminals make them successful in hacking security systems so as to steal customers' log-in credentials and pillage their bank accounts, says Gartner analyst Avivah Litan.



Trojan horses steal credentials or intercept transactions, and other measures, like a phone-based "out of band" authentication system, do no good either. Perpetrators use call forwarding so that the fraudster, not the legitimate customer, gets the call from the financial institution, Litan said.



A Trojan completes transactions much faster than a human would; a Trojan can take as little as one second to enter a money transfer amount and press OK, whereas a human would take 20 to 30 seconds. Editor Translation: If both of them receive the generated One-Time Password at the same time, the online banking customer doesn't stand a chance against a Trojan.






