Home » Features » Security and risk management » Gartner: Hackers are defeating tough authentication

Gartner: Hackers are defeating tough authentication

Tags:

Gartner one-time passwords online banking fraud online banking security

By Jaikumar Vijayan | Dec 18, 2009

For instance, a request to transfer a certain amount of money from one account to another could be modified so that the request the bank gets would be different from the request sent by the user.

However, when the bank asks the customer to confirm the transaction, the details of the transaction would appear to the user to be the same as the one he had requested, Litan said. "The malware is changing what the user sees. So even if you put in a one-time password, you are confirming the wrong transaction," she said.

In instances where a bank might use a phone-based, "out-of-band" authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Litan said.

"Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication, enabled by one-time password tokens," Litan wrote in her report. "Other strong authentication methods, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated," she said.

Dealing with the threat will require additional layers of security around online transactions, Litan said. Because any authentication method that relies on a browser can be attacked and defeated, banks need to start using server-based fraud detection to monitor transactions for suspicious behavior, she said.

The goal should be to monitor login, navigation and transaction activity to spot any abnormalities that might suggest an automated program is accessing an application rather than a human being, she said. One European bank using such monitoring technology discovered that once a Trojan breaks into an account, it generates transactions at much higher speeds than a human does, - one second to enter a money transfer amount and press 'OK' compared with 20 to 30 seconds for a human.

Fraud monitoring tools also need to be used to verify that any transactions being initiated by a user fit previous usage patterns and are not significantly different from that user's profile, she said.

Computerworld (US)

Comments

Please leave us your valuable comments
Login or Sign Up (free)

Similar

Related Articles

Recent popular content

knowledge_central_tab

Knowledge Central

Computerworld Hong Kong User Guide: Next-Generation Data Centers

Things you need to know for building a dynamic, green, and virtual infrastructure.

Delivering the business benefits of cloud with IP VPN

The role of IP VPN is a key enabler of cloud.

China Merchants Bank leads the credit card industry with SAS

China Merchants Bank (CMB), a pioneer of China’s credit card market, issues the largest volume of standard international credit cards in China. At the beginning of 2007, the CMB Credit Card Center began using SAS software to manage risks for its growing business.

Octopus Maximizes Business Opportunities

SAS enabled Octopus to increase its business by gathering intelligence from its data and then utilizing that intelligence to work for its retail customers.

Gartner: Hackers are defeating tough authentication