Monday, January 4, 2010

Hackers Conquer "Some" Two-Factor Authentication



Before you read this story, allow me to clarify.  Not all two factor authentication is being defeated.  That is why I place the "some" word in the title.  Two factor authentication is "loosely" defined as something you HAVE and something you KNOW.  Does that mean that "having" a username and knowing a "password" constitutes 2FA?   Does "having" a social security number" and knowing what town you were born in constitute 2FA?   I don't consider either of those two examples true 2FA.  Yet some do.  Anyway, I think you get my point.  



Genuine Two-Factor-Authentication is used at ATM machines and is trusted to dispense cash in real-time.  What you "have" is the bank issued card and what you know is the bank issued PIN.  Nothing is typed.  The card is inserted into the ATM, it reads the data on the magnetic stripe including the Track 2 Data and the PVKI and PVV.  Then it asks you to enter in your PIN for the second factor of authentication.  As long as the ATM is not equipped with a skimming device, the magnetic stripe data is not exposed as it travels via the bank's existing rails.  And as long as there is not a hidden camera designed to capture your PIN entry, your transaction is safe.  Neither of those threats exist if an online banking customer was to swipe (insert) their card (what they have) and enter their PIN (what they know)  Therefore, genuine 2FA is still alive an well.  It's the weaker (albeit they call it strong) 2FA systems that are being "conquered."  What's that old line?  I came...I SAW...I conquered?  There's nothing to "SEE" when a HomeATM device is used, because it's instantly encrypted at the maghead.  No see...no conquer.






BY Mel Duvall, Chief Content Officer at CIOZone



Cybercriminals are increasingly gaining access to bank accounts and user credentials by beating strong two-factor authentication security, warns research firm Gartner.



Fraudsters are raiding bank accounts by using Trojans that steal passwords and credentials.



Other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, are similarly being defeated.



“These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009,” said Avivah Litan, an analyst and vice president with Stamford, Conn.-based Gartner. “However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data.”



Examples of new attacks that are emerging in the “wild” include:



• Malware on the users’ computer overwrites transactions sent to an online banking Web site. This happens behind the scenes, so that the user does not see the revised transaction values. Many online banks will then communicate the transaction details back to the user’s browser for confirmation, but the malware changes the values seen by the user to reflect the values originally entered. In so doing, neither the user nor the bank realizes that the data has been altered.



• Authentication used in voice telephony applications is being circumvented by a simple technique whereby the cybercriminal asks the phone carrier to forward the legitimate user’s phone calls to the fraudster’s phone.



In respect to the telephony fraud attacks, Litan says server-based fraud detection and security policies which prevent forwarding calls have proven effective.



“Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions,” she added.



The FBI’s Internet Crime Complaint Center recently reported that as of October cybercriminals had attempted to steal approximately $100 million from U.S. banks using stolen passwords and credentials.



In many cases the cybercriminals have been successful in planting keystroke logging Trojan horse programs on the computers used by employees to conduct online banking on behalf of their companies.



Gartner says that cybercriminals are becoming more sophisticated in their attacks and that it may be necessary for banks and users to introduce more sophisticated security layers.



Litan noted the following technologies may prove to be effective:



• Fraud detection that monitors user access behavior. This method captures and analyzes all of the user’s Web traffic (assuming the targeted application is Web-based), including log-in, navigation and transactions. It can spot abnormal access patterns that indicate that an automated program is accessing the application, rather than a human.



• Fraud detection that monitors suspect transaction values. This technology looks at a particular transaction and compares it to a profile of what constitutes “normal” behavior for a user or a group of users.



• Out-of-band user transaction verification. This system employs a type of verification other than the same primary communication channel (such as a user’s PC browser).



“Fraudsters have definitely proven that strong two-factor authentication processes can be defeated,” said Litan.



“Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transaction.”

*   *   *



Mel Duvall is a Contributing Editor to CIOZone. He is a veteran journalist, having written and edited for daily newspapers, magazines and trade publications for more than 20 years. He is a former senior editor of Baseline magazine and was a senior editor for Inter@ctive Week. Mel has won several awards at the national level, including a Jesse H. Neal journalism award and American Society of Business Publication Editors awards.

CIOZone.com is the first of its kind online meeting place for CIOs. It is built upon the foundation of social networking and combines user generated content and expert editorial together around an open source platform.  The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com









Disqus for ePayment News