Avivah Litan on Two-factor authentication

Gartner analyst Avivah Litan has released a new report on how attackers are circumventing the protections provided by two-factor authentication systems for online banking. I have neither purchased nor read the document, just the summaries that have been released.

In my Sector presentation I covered many of these same issues. The malware owns the browser, and you cannot trust anything that comes from the browser. Moreover, whatever mechanism you use to validate the transactions will become the next attack target. So, as banks have started to use SMS as a low-cost method of validating transactions, attackers have followed, leading to fraudsters bidding up re-programmable phones to intercept SMS messages, and to other attacks. As I pointed out at Sector, if you use a dial-back system, then the attackers will target the user's phone system (remember, Zeus is currently focused on corporate accounts for large dollar amounts). Phone systems are often unpatched or not considered a security threat.

Litan recommends:

Use out-of-band communication protocols that can prevent calls being forwarded to numbers that are not registered for a specific user account.

I'm not really sure how you can do that.  She also recommends:

Use out-of-band transaction verification to verify user transaction requests and only execute the specific transaction verified or signed by the requesting user.

I believe it is only a matter of time before digital signing on a second device is required for online transactions.  Why? Because the problem that banks face is not malware or social engineering.  The problem is a determined, motivated attacker that will not stop until it is practically impossible to get any money from their efforts. 

To be clear, WiKID does not do digital signing at this time.  However, it is capable of providing some type of digital signing since we use public keys. 
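As an added illustration (not WiKID's code and not taken from Litan's report), here is the second-device transaction signing the quoted recommendation describes: the device signs the exact transaction fields it displays, and the bank executes only what verifies under the enrolled public key, so anything the browser malware alters after signing fails. Ed25519, the field layout and the account values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is what the bank is asked to execute. The browser cannot be
// trusted to report it honestly, so the second device signs these exact fields.
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountCents int64
	Nonce       string // unique per request; stops replay of an old signature
}

// Canonical renders the transaction as the exact bytes the device displays
// and signs. Both sides must produce identical bytes for verification to work.
func (t Transaction) Canonical() []byte {
	return []byte(fmt.Sprintf("from=%s|to=%s|amount=%d|nonce=%s",
		t.FromAccount, t.ToAccount, t.AmountCents, t.Nonce))
}

// SignOnDevice runs on the second device: it shows the user the canonical
// transaction and signs it with the device's private key (assumed Ed25519).
func SignOnDevice(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Canonical())
}

// VerifyAndExecute runs at the bank: only the transaction whose canonical bytes
// verify under the user's enrolled public key is executed. Any field the
// browser malware altered after signing changes the bytes and fails here.
func VerifyAndExecute(pub ed25519.PublicKey, requested Transaction, sig []byte) bool {
	return ed25519.Verify(pub, requested.Canonical(), sig)
}

func main() {
	// Enrollment: the device's public key is registered with the bank once.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// What the user actually intends (constructed sample values).
	intended := Transaction{"ACC-1001", "ACC-2002", 15000, "n-7f3a"}
	sig := SignOnDevice(priv, intended)
	fmt.Println("intended executes:", VerifyAndExecute(pub, intended, sig)) // true
	// Malware in the browser swaps the destination and amount after signing.
	tampered := intended
	tampered.ToAccount, tampered.AmountCents = "ACC-MULE", 950000
	fmt.Println("tampered executes:", VerifyAndExecute(pub, tampered, sig)) // false
}
```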

You can find my Sector Slides here: Towards a More Secure Online Banking Experience.
