Online and Digital Identification, Securing Web 2.0, PKI and Digital Certificates

Report: Two-factor authentication is vulnerable

Tuesday, December 15, 2009

Two-factor authentication isn’t always enough, as fraudsters have found vulnerabilities in some of these systems, according to a report from Gartner Inc.

Trojan-based man-in-the-browser attacks have evaded strong two-factor authentication, even when it is implemented with one-time password tokens. Other strong authentication factors, such as chip cards and biometrics, can also be defeated when they rely on communication through the browser.

Some examples of attacks that have worked include:

  • Malware that overwrites transactions sent by a user to the online banking Web site. This happens behind the scenes, so that the user does not see the revised transaction values. Many online banks will then communicate back to the user’s browser the transaction details that need to be confirmed by the user with a token, but the malware will change the values seen by the user to what was originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.

  • Out-of-band authentication over voice telephony is circumvented by a simple technique: the fraudster asks the phone carrier to forward the legitimate user’s calls to the fraudster’s phone.

Avivah Litan, vice president and analyst at Gartner, recommended layering more than one measure for effective fraud prevention, and outlined some proven measures that can stop these attacks from succeeding:

  • Fraud detection that monitors user access behavior. This method captures and analyzes all of the user’s Web traffic, including login, navigation and transactions, and can spot abnormal access patterns that indicate that an automated program is accessing the application, rather than a human being.

  • Fraud detection that monitors suspect transaction values. This function looks at a particular transaction and compares it to a profile of what constitutes “normal” behavior for that user.

  • Out-of-band user transaction verification. This confirms a transaction request over a channel other than the primary one (for example, the user’s browser), so the confirmation does not pass through the channel the malware controls.

“Fraudsters have definitely proven that strong two-factor authentication processes can be defeated,” says Litan. “Enterprises need to protect their users and accounts using a three-pronged layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transactions.”
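The first attack above works because the confirmation the user sees arrives through the same compromised browser. As an added example (not code from the Gartner report or this article) of the out-of-band transaction verification and signing Litan recommends, the bank below binds a confirmation code to the transaction details it actually received and delivers both over a second channel, so the user can spot values the malware rewrote, and a code issued for one set of values never verifies for another. The shared secret, account numbers and SMS wording are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed per-user secret shared by the user's enrolled device and the bank's
# authentication server; it is never sent to, or held by, the browser.
USER_SECRET = b"constructed-demo-secret-for-user-42"

# Constructed sample transactions: what the user typed, and what man-in-the-browser
# malware rewrote it to before the browser submitted it to the bank.
INTENDED = {"to_account": "GB00DEMO12345678", "amount_cents": 12050, "currency": "GBP"}
TAMPERED = {"to_account": "GB00DEMO87654321", "amount_cents": 950000, "currency": "GBP"}

def canonical(txn: dict) -> bytes:
    """Fixed-order encoding of exactly the fields the user is asked to confirm."""
    return f"{txn['to_account']}|{txn['amount_cents']}|{txn['currency']}".encode()

def issue_challenge(secret: bytes, txn: dict, nonce: str = "") -> dict:
    """Bank side: a six-digit code bound to the transaction as the bank received it.
    The code is a truncated HMAC over a single-use nonce plus the transaction
    details, so it verifies only for these exact values; the bank delivers the
    details and code over a second channel, modelled here as an SMS string."""
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(secret, nonce.encode() + b"|" + canonical(txn), hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
    sms = (f"Confirm transfer of {txn['amount_cents'] / 100:.2f} {txn['currency']} "
           f"to account {txn['to_account']}? Code: {code}")
    return {"nonce": nonce, "code": code, "sms": sms}

def verify_code(secret: bytes, txn: dict, nonce: str, code: str) -> bool:
    """Bank side: recompute the code for the submitted transaction and compare."""
    expected = issue_challenge(secret, txn, nonce)["code"]
    return hmac.compare_digest(expected, code)

def user_confirms(intended: dict, sms: str) -> bool:
    """User side: enter the code only if the out-of-band message shows the
    recipient and amount that were actually typed into the browser."""
    return (intended["to_account"] in sms
            and f"{intended['amount_cents'] / 100:.2f}" in sms)

def run_scenario(intended: dict, submitted: dict, secret: bytes = USER_SECRET) -> str:
    """End to end: the bank challenges what it received, the user checks it against
    intent on the second channel, and the bank verifies the returned code."""
    challenge = issue_challenge(secret, submitted)
    if not user_confirms(intended, challenge["sms"]):
        return "rejected by user: out-of-band details differ from what was entered"
    if verify_code(secret, submitted, challenge["nonce"], challenge["code"]):
        return "approved"
    return "rejected by bank: code does not match the submitted transaction"
```

Running `run_scenario(INTENDED, TAMPERED)` shows the rewritten recipient and amount on the second channel, which is exactly what the browser-only confirmation in the first attack hides from the user.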

Gartner Group’s 2012 Magic Quadrant for unique and innovative user authentication products features Equifax’s multifactor authentication product Anakam TFA Two Factor Authentication.

Gartner predicts that by 2017 more than 50% of enterprises will use cloud-based authentication services like Anakam, up from 10% today.

HP partnered with Anakam to offer a cloud-based system for identity vetting and credentials. Bryan Maybee, a solutions architect at HP, says the system can be used by the public or private sector for registering individuals to online services.

Online identity protection provider Yubico and cloud server security provider CloudPassage have teamed up to provide authentication services for administrative network access in the cloud.

ValidSoft partnered with Opus Research and released a report titled “Voice Biometrics Authentication Best Practices: Overcoming Obstacles to Adoption” that predicts the technology will be deployed in payment authentication assuming the best practices it lays out are followed.

With the implementation of its authentication security suite at Goldsworth Primary School, online identity protection provider Yubico has shown that its two-factor authentication and VPN connectivity are a viable solution in the education market.

SAPO, Portugal’s largest Internet Service Provider and Web portal, has selected Yubico’s YubiKey two-factor authentication hardware to ensure login security for its employees and end users.
