
Validating online transactions with two-factor

There has been much discussion recently about session hijacking attacks. Briefly, a trojan sits on your machine and, when you go to an online banking URL, the trojan kicks in and makes a fraudulent transaction inside your SSL-encrypted session. Pretty strong stuff, seemingly.

Bruce Schneier points to this as evidence that strong authentication is "too little, too late". Unfortunately, Mr. Schneier is authenticating the wrong thing (or just not enough). If you use strong authentication for the transaction as well as for the session, you have successfully thwarted the hijacker.

Picture it this way: you log in with your username and a one-time password. You can see balances, etc. The trojan kicks in and writes out a check to a fraudulent account. However, before the transaction is completed, the online bank asks for another one-time password before it will process the transaction. The trojan can't provide it, and the transaction fails. In the meantime, the user selects some bills to pay, enters their one-time passcode and is done.
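The flow above, worked through as an added Python example (not code from the original post): the bank records a requested transfer but moves nothing until a second one-time code arrives, and the trojan, which has no copy of the token secret, cannot produce one. The example goes one step beyond the post by binding the code to the payee, amount and a per-request nonce, so a code the user generated for one transfer cannot authorize a different one either. The `Bank` class, `token_code` construction (HMAC-SHA256 truncated to digits), the user "alice" and the account names are all constructed for illustration.

```python
"""Constructed example: a second one-time code that authorizes each transaction.

Threat model from the post: a trojan controls the browser, so anything typed
into the page can be altered in flight.  The token secret exists only at the
bank and in a separate device, so the trojan cannot compute a valid code, and
because the code covers payee and amount, a code the user generates for one
transfer cannot authorize a different one.
"""
import hashlib
import hmac
import secrets

OTP_DIGITS = 8


def canonical(to_account: str, amount_cents: int, nonce: str) -> str:
    """Fixed field order so bank and token MAC exactly the same bytes."""
    return f"{to_account}|{amount_cents}|{nonce}"


def token_code(secret: bytes, to_account: str, amount_cents: int, nonce: str) -> str:
    """Code computed by the user's token after it shows the payee and amount.
    HMAC-SHA256 over the transaction string, truncated to decimal digits
    (a simplified challenge-response OTP, not a specific vendor's scheme)."""
    msg = canonical(to_account, amount_cents, nonce).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**OTP_DIGITS:0{OTP_DIGITS}d}"


class Bank:
    """Server side.  Session login is assumed to have happened already."""

    def __init__(self):
        self._secrets = {}   # user -> token secret shared at enrolment
        self._pending = {}   # nonce -> (user, to_account, amount_cents)
        self.ledger = []     # executed transfers

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def submit(self, user: str, to_account: str, amount_cents: int) -> dict:
        """Step 1: record the request and return the challenge the token must
        sign.  No money moves yet."""
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (user, to_account, amount_cents)
        return {"nonce": nonce, "to": to_account, "amount_cents": amount_cents}

    def confirm(self, nonce: str, otp: str) -> bool:
        """Step 2: execute only if the code matches the pending details.
        The pending entry is consumed either way, so a wrong or replayed code
        cancels the request rather than leaving it open for another try."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        user, to_account, amount_cents = entry
        expected = token_code(self._secrets[user], to_account, amount_cents, nonce)
        if not hmac.compare_digest(expected, otp):
            return False
        self.ledger.append((user, to_account, amount_cents))
        return True


def _enrolled_bank():
    bank = Bank()
    secret = secrets.token_bytes(20)   # constructed token secret for "alice"
    bank.enroll("alice", secret)
    return bank, secret


def honest_payment() -> bool:
    """User pays a bill; the token shows ELECTRIC-CO / 120.00 and the user confirms."""
    bank, secret = _enrolled_bank()
    ch = bank.submit("alice", "ELECTRIC-CO", 12_000)
    otp = token_code(secret, ch["to"], ch["amount_cents"], ch["nonce"])
    return bank.confirm(ch["nonce"], otp)


def trojan_swaps_payee() -> tuple:
    """User intends ELECTRIC-CO; the trojan rewrites the form so MULE-ACCT
    reaches the bank, while keeping the browser page showing ELECTRIC-CO."""
    bank, secret = _enrolled_bank()
    ch = bank.submit("alice", "MULE-ACCT", 12_000)       # what the bank received
    # The token signs what the user verifies on the token's own display, i.e.
    # the intended payee, so the code covers different bytes than the pending entry.
    otp = token_code(secret, "ELECTRIC-CO", 12_000, ch["nonce"])
    return bank.confirm(ch["nonce"], otp), len(bank.ledger)   # (False, 0)


def trojan_replays_code() -> tuple:
    """Trojan waits for a real payment, captures its code, then submits its own
    transfer inside the same session and reuses the captured code."""
    bank, secret = _enrolled_bank()
    legit = bank.submit("alice", "ELECTRIC-CO", 12_000)
    captured = token_code(secret, legit["to"], legit["amount_cents"], legit["nonce"])
    bank.confirm(legit["nonce"], captured)                 # the user's real payment
    rogue = bank.submit("alice", "MULE-ACCT", 500_000)
    accepted = bank.confirm(rogue["nonce"], captured)     # fresh nonce, other payee
    return accepted, len(bank.ledger)                      # (False, 1)
```

The design point is that the code must be checked against what the bank is about to execute, not against what the browser displayed, and each pending request is consumed on the first attempt; a per-transaction OTP that is not tied to the details would still stop a trojan without the token, but would not stop one that lets the user's own code through with the payee swapped.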

