Validating online transactions with two-factor

There has been much discussion recently about session hijacking attacks. Briefly, a trojan sits on your machine and when you go to an online banking URL, the trojan kicks in and makes a fraudulent transaction inside your SSL-encrypted session. Pretty strong stuff, seemingly.

Bruce Schneier points to this as evidence that strong authentication is "too little, too late". Unfortunately, Mr. Schneier is authenticating the wrong thing (or just not enough). If you used strong authentication for the transaction as well as the session, you have successfully thwarted the hijacker.

Picture it this way: you log in with your username and one-time password. You can see balances, etc. The trojan kicks in and writes out a check to a fraudulent account. However, before the transaction is completed, the online bank asks for another one-time password before it will process the transaction. The trojan can't provide it and it fails. In the meantime, the user selects some bills to pay, enters their one-time passcode and is done.
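To make the two-step flow above concrete, here is an added example (not code from the original post) of a bank back end that issues a fresh challenge for every transfer and executes it only when the second one-time code verifies. It goes one step beyond the post: the code is computed over the challenge plus the payee and amount (in the style of OATH challenge-response transaction signing), so a code the user generates for their own bill payment does not verify for a transfer whose payee a trojan has rewritten on the wire. The shared secret, the `BankServer` class and the scenario functions are constructed for this illustration; a real deployment would keep the secret in the user's token.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret; in practice this lives inside the user's hardware
# or software token, never in the web session.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def transaction_code(secret: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """Compute a 6-digit code over the server challenge and the transaction details.

    Because payee and amount are inputs, a code computed for one transfer does
    not verify for a transfer with a different payee or amount.
    """
    msg = challenge.encode() + b"|" + payee.encode() + b"|" + struct.pack(">Q", amount_cents)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226), applied to the SHA-256 digest.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class BankServer:
    """Minimal stand-in for the online banking back end (constructed for the example)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}  # challenge -> (payee, amount_cents) awaiting a code
        self.ledger = []    # executed transfers

    def start_transfer(self, payee: str, amount_cents: int) -> str:
        """Step 1: the client submits the transfer; the server issues a fresh challenge."""
        challenge = secrets.token_hex(8)
        self._pending[challenge] = (payee, amount_cents)
        return challenge

    def confirm_transfer(self, challenge: str, code: str) -> bool:
        """Step 2: the transfer executes only if the code matches the pending details."""
        details = self._pending.pop(challenge, None)  # each challenge is single-use
        if details is None:
            return False
        payee, amount_cents = details
        expected = transaction_code(self._secret, challenge, payee, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False
        self.ledger.append((payee, amount_cents))
        return True


def scenario_trojan_without_code() -> bool:
    """The trojan submits a transfer inside the authenticated session but holds no
    token, so it cannot produce the second code and the transfer is refused."""
    bank = BankServer(SHARED_SECRET)
    ch = bank.start_transfer("attacker-account", 5000_00)
    return bank.confirm_transfer(ch, "000000")  # a guessed code is rejected


def scenario_user_pays_bill() -> bool:
    """The legitimate user enters the code their token computed for this bill."""
    bank = BankServer(SHARED_SECRET)
    ch = bank.start_transfer("electric-utility", 120_00)
    code = transaction_code(SHARED_SECRET, ch, "electric-utility", 120_00)
    return bank.confirm_transfer(ch, code)


def scenario_trojan_swaps_payee() -> bool:
    """The user computes a code for the bill they intended to pay, but the trojan
    rewrites the payee on the wire. Since the code covers the payee, it fails."""
    bank = BankServer(SHARED_SECRET)
    ch = bank.start_transfer("attacker-account", 120_00)  # rewritten submission
    code = transaction_code(SHARED_SECRET, ch, "electric-utility", 120_00)  # what the user signed
    return bank.confirm_transfer(ch, code)


def scenario_replayed_code() -> bool:
    """A captured challenge/code pair cannot be submitted twice."""
    bank = BankServer(SHARED_SECRET)
    ch = bank.start_transfer("electric-utility", 120_00)
    code = transaction_code(SHARED_SECRET, ch, "electric-utility", 120_00)
    bank.confirm_transfer(ch, code)
    return bank.confirm_transfer(ch, code)


if __name__ == "__main__":
    print("trojan without token:", scenario_trojan_without_code())
    print("user pays bill:      ", scenario_user_pays_bill())
    print("trojan swaps payee:  ", scenario_trojan_swaps_payee())
    print("replayed code:       ", scenario_replayed_code())
```

The design point is that the session credential and the transaction credential are separate: holding the session gets the trojan as far as `start_transfer`, but `confirm_transfer` needs a value only the token can produce, and tying that value to the payee and amount means the user's own code cannot be redirected to a different recipient.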
