Posted by:
admin
14 years, 11 months ago
Gartner analyst Avivah Litan has released a new report on how attackers are circumventing the protections provided by two-factor authentication systems for online banking. I have neither purchased nor read the report itself, only the summaries that have been released.
In my Sector presentation I covered many of these same issues. Once the malware owns the browser, you cannot trust anything that comes from the browser. Moreover, whatever mechanism you use to validate transactions will become the next attack target. So, as banks have started to use SMS as a low-cost method of validating transactions, attackers have followed, leading to fraudsters bidding up re-programmable phones to intercept SMS messages, among other attacks. As I pointed out at Sector, if you use a dial-back system, then the attackers will target the user's phone system (remember, Zeus is currently focused on corporate accounts for large dollar amounts). Phone systems are often unpatched and are not considered a security threat.
Litan recommends:
Use out-of-band communication protocols that can prevent calls being forwarded to numbers that are not registered for a specific user account.
I'm not really sure how you can do that. She also recommends:
Use out-of-band transaction verification to verify user transaction requests and only execute the specific transaction verified or signed by the requesting user.
I believe it is only a matter of time before digital signing on a second device is required for online transactions. Why? Because the problem that banks face is not malware or social engineering as such. The problem is a determined, motivated attacker who will not stop until it is practically impossible to get any money out of the effort.
To be clear, WiKID does not do digital signing at this time. However, it is capable of providing some form of digital signing, since it already uses public keys.
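The recommendation above, "only execute the specific transaction verified or signed by the requesting user", is easy to state and easy to get subtly wrong: the bank has to bind the user's approval to the exact transaction details, not merely to "a login" or "a session". The following is an added example, not WiKID's code and not part of the original post, showing the bank-side check. Assumptions: each enrolled second device holds a per-device secret provisioned at enrollment, and the example uses HMAC-SHA256 in place of a public-key signature purely so it runs with the Python standard library; with a real key pair the device would sign with its private key and the bank verify with the public key, and the comparison and replay logic below would be unchanged. All account numbers, device ids and secrets are constructed for the demo.

```python
"""Out-of-band transaction signing: execute only what the user actually signed.

Added example (not WiKID's code). A second device signs the exact transaction
it displayed to the user; the bank executes a request only if the signature
covers precisely that request and the request has not been seen before.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Assumption: per-device secret shared at enrollment. A production deployment
# would hold a per-device private key and verify with its public key; HMAC is
# used here only to keep the example stdlib-only. The secret is constructed.
DEVICE_SECRETS = {"device-42": b"constructed-enrollment-secret-for-demo"}


@dataclass(frozen=True)
class Transaction:
    account: str       # source account
    payee: str         # destination account
    amount_cents: int  # integer minor units: no float ambiguity in the encoding
    currency: str
    nonce: str         # unique per request; lets the bank reject replays


def canonical_bytes(tx: Transaction) -> bytes:
    """Deterministic encoding (sorted keys, no whitespace) so that the device
    and the bank sign and verify exactly the same bytes."""
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


def device_sign(device_id: str, tx: Transaction) -> str:
    """Runs on the second device. The device shows payee, amount and currency
    on its own screen; when the user approves, it signs precisely those
    details, so a browser that altered the request cannot reuse the result."""
    key = DEVICE_SECRETS[device_id]
    return hmac.new(key, canonical_bytes(tx), hashlib.sha256).hexdigest()


class Bank:
    """Bank-side verifier: signature must cover the submitted request, and a
    signed request may be executed at most once."""

    def __init__(self) -> None:
        self.used_nonces: set[str] = set()
        self.executed: list[Transaction] = []

    def verify_and_execute(self, device_id: str, requested: Transaction,
                           signature: str) -> str:
        key = DEVICE_SECRETS.get(device_id)
        if key is None:
            return "rejected: unknown device"
        # Recompute over the request the browser actually submitted. If malware
        # changed the payee or amount after the user signed, this will differ.
        expected = hmac.new(key, canonical_bytes(requested),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: signature does not cover this transaction"
        # Replay check: a captured (transaction, signature) pair is single-use.
        if requested.nonce in self.used_nonces:
            return "rejected: replay"
        self.used_nonces.add(requested.nonce)
        self.executed.append(requested)
        return "executed"


def demo() -> dict:
    """Walk through the legitimate case, a browser-side tampering attempt and
    a replay, returning each outcome."""
    bank = Bank()
    approved = Transaction("ACC-1001", "PAYEE-LANDLORD", 125_000, "USD", "n-0001")
    sig = device_sign("device-42", approved)
    results = {"legit": bank.verify_and_execute("device-42", approved, sig)}
    # Malware in the browser swaps the payee but presents the captured signature.
    tampered = Transaction("ACC-1001", "PAYEE-MULE", 125_000, "USD", "n-0001")
    results["tampered"] = bank.verify_and_execute("device-42", tampered, sig)
    # The original signed request is submitted a second time.
    results["replay"] = bank.verify_and_execute("device-42", approved, sig)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The important design point is that the device signs the canonical bytes of the transaction, not a hash of the session or a time-based code. A code that is merely "valid for this login" can be captured by the browser malware and attached to a different transaction; a signature over the exact payee and amount cannot. The user still has to actually read what the second device shows before approving, which is why the device, not the browser, must render the details.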
You can find my Sector Slides here: Towards a More Secure Online Banking Experience.