Report: Problems with some two-factor authentication
22 April, 2010
category: Corporate, Digital ID, Financial, Library
Most agree that two-factor authentication for access to secure networks is better than user names and passwords alone, but a report from Gartner Research states that hackers have found ways to compromise these more advanced systems as well.
Trojan-based man-in-the-browser attacks have been used to defeat one-time password (OTP) tokens, and the same techniques could be used against biometric and smart card authentication, says Avivah Litan, vice president and analyst at Gartner Research. A layered security approach can help protect individuals from these kinds of attacks.
The attack begins when a user unknowingly downloads a malware program. The malware sits in the user’s browser until they log into a banking Web site. At that point the user name, password and one-time password are transmitted to the criminal, and the legitimate user is shown an error message stating that the system cannot be accessed. Meanwhile the fraudster uses the information, complete with a still-valid OTP, to drain the individual’s bank account. The token itself is not broken: the OTP is simply stolen and replayed within its short validity window, while the fake error keeps the real user from completing a login that would consume it.
Other malware will overwrite transactions sent by a user to the banking Web site with the criminal’s own transactions. “This overwrite happens behind the scenes so that the user does not see the revised transaction values,” the report states. “Similarly, many online banks will then communicate back to the user’s browser the transaction details that need to be confirmed by the user with an OTP entry, but the malware will change the values seen by the user back to what the user originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.”
The criminals have also figured out a way to defeat out-of-band authentication methods such as phone calls. The fraudster simply asks the carrier to forward calls to another number citing issues with the line. Phone carriers do not always properly verify an identity before forwarding calls, the report states.
There are a number of steps financial institutions and individuals can take to keep fraudsters from using stolen credentials to get at account funds and information.
Banks should use fraud detection systems that monitor a user’s behavior. These systems can review a user’s Web history and navigation to determine if the user is a person or a piece of malware. One European bank had success with this method. “The bank found that once inside the account, the Trojans generate transactions much faster than a legitimate human user does. For example, it takes a normal human user 10 to 20 seconds to enter a money transfer amount and press ‘okay’ to confirm it, but the Trojan entered the same type of data and confirmation in under one second.”
Banks should also use fraud systems that monitor for odd transaction behavior, the report states. The issue here is that some transfer activity, such as ACH withdrawals, is structured, while other activity, like wire transfers, is unstructured. “A fraud prevention application can determine the payment and payment beneficiary data in an ACH money transfer request so that it can spot that the amount or beneficiary is ‘unusual’ and suspect. In contrast, wire transfer instructions are unstructured in part, and transfer instructions can be documented in textual comments. In order for a fraud prevention application to work in this case, it must be able to parse textual comments and isolate the important data.”
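The two bank-side checks described in the preceding paragraphs, as an added illustration rather than code from the Gartner report or the article: a velocity check on how quickly a session enters and confirms a transfer (the 10-to-20-second human versus sub-second Trojan contrast), and an anomaly check on beneficiary and amount that runs directly on a structured ACH request and, for a wire transfer, only after the free-text instructions have been parsed. The thresholds, field names, the assumed layout of the wire comment and all sample sessions and history records are constructed for the example.

```python
"""Added illustration (not code from the Gartner report or the article) of the
two bank-side fraud checks described above: a velocity check on how fast a
session enters and confirms a transfer, and an anomaly check on beneficiary
and amount that works on structured ACH requests and on free-text wire
instructions after parsing. Thresholds, field names, the wire-text format
and all sample records below are constructed assumptions."""
import re
from datetime import datetime

# Assumed cut-off: the article quotes 10-20 s for a human, under 1 s for the Trojan.
MIN_HUMAN_CONFIRM_SECONDS = 2.0
# Assumed rule: flag an amount more than 3x the customer's largest past transfer.
AMOUNT_MULTIPLIER = 3.0

_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"


def confirm_delay_seconds(events):
    """Seconds between 'amount_entered' and 'confirmed' in one session's event
    list of (iso_timestamp, event_name) tuples; None if either event is absent."""
    times = {name: datetime.strptime(ts, _TS_FORMAT) for ts, name in events}
    if "amount_entered" not in times or "confirmed" not in times:
        return None
    return (times["confirmed"] - times["amount_entered"]).total_seconds()


def is_machine_speed(events, threshold=MIN_HUMAN_CONFIRM_SECONDS):
    """Velocity check: True when the transfer was confirmed faster than a person could."""
    delay = confirm_delay_seconds(events)
    return delay is not None and delay < threshold


# Assumed free-text layout for wire instructions, e.g.
# "Pay 9500.00 USD to beneficiary ACME LTD acct 12345678 ref invoice 77".
_WIRE_RE = re.compile(
    r"pay\s+(?P<amount>\d+(?:\.\d+)?)\s+(?P<ccy>[A-Za-z]{3})\s+to\s+beneficiary\s+"
    r"(?P<beneficiary>.+?)\s+acct\s+(?P<acct>\d+)",
    re.IGNORECASE,
)


def parse_wire_comment(comment):
    """Isolate amount, beneficiary and account number from a textual wire
    instruction so it can be checked like a structured ACH record.
    Returns a dict, or None when the text does not match the assumed layout."""
    m = _WIRE_RE.search(comment)
    if m is None:
        return None
    return {
        "amount": float(m.group("amount")),
        "beneficiary": m.group("beneficiary").strip().upper(),
        "acct": m.group("acct"),
    }


def transfer_anomalies(transfer, history, multiplier=AMOUNT_MULTIPLIER):
    """Compare one structured transfer with the customer's past transfers and
    return a list of reasons it looks unusual (empty list = nothing odd)."""
    reasons = []
    known = {h["beneficiary"] for h in history}
    if transfer["beneficiary"] not in known:
        reasons.append("beneficiary %s never paid before" % transfer["beneficiary"])
    max_amount = max((h["amount"] for h in history), default=0.0)
    if history and transfer["amount"] > multiplier * max_amount:
        reasons.append("amount %.2f exceeds %.0fx historical max %.2f"
                       % (transfer["amount"], multiplier, max_amount))
    return reasons


def score_session(events, request, history):
    """Run both checks on one session. request is a structured ACH dict or
    {'wire_text': ...}. Returns (risk_flags, parsed_transfer)."""
    flags = []
    if is_machine_speed(events):
        flags.append("confirmed at machine speed (%.2f s)" % confirm_delay_seconds(events))
    if "wire_text" in request:
        transfer = parse_wire_comment(request["wire_text"])
        if transfer is None:
            flags.append("wire instructions could not be parsed; route to manual review")
            return flags, None
    else:
        transfer = request
    flags.extend(transfer_anomalies(transfer, history))
    return flags, transfer


# Constructed sample data: one customer's past transfers and two sessions.
HISTORY = [{"beneficiary": "CITY UTILITIES", "amount": 120.0},
           {"beneficiary": "J SMITH", "amount": 800.0}]
HUMAN_SESSION = [("2010-04-22T10:00:00.000000", "login"),
                 ("2010-04-22T10:00:41.200000", "amount_entered"),
                 ("2010-04-22T10:00:55.700000", "confirmed")]      # 14.5 s
TROJAN_SESSION = [("2010-04-22T10:03:00.000000", "login"),
                  ("2010-04-22T10:03:05.100000", "amount_entered"),
                  ("2010-04-22T10:03:05.600000", "confirmed")]     # 0.5 s
ACH_REQUEST = {"beneficiary": "J SMITH", "amount": 750.0, "acct": "55501"}
WIRE_TEXT = "Pay 9500.00 USD to beneficiary ACME LTD acct 12345678 ref invoice 77"

if __name__ == "__main__":
    for label, events, request in (("human ACH", HUMAN_SESSION, ACH_REQUEST),
                                   ("trojan wire", TROJAN_SESSION, {"wire_text": WIRE_TEXT})):
        flags, transfer = score_session(events, request, HISTORY)
        print(label, "->", transfer, flags or "no flags")
```

Two design points follow from the passage. The velocity check looks only at timing inside the session, so it catches the Trojan even when the credentials and OTP it presents are perfectly valid; and the wire path deliberately fails closed, sending instructions the parser cannot read to manual review rather than letting unparsed text bypass the beneficiary and amount checks.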
Litan notes that out-of-band authentication requests can also be used to protect transactions, but they need to be used properly: this channel should be reserved for verification of high-risk transactions.
“Enterprises also need to use out-of-band communication providers that can prevent the enterprise’s calls from being forwarded to phone numbers that the enterprise has not registered and vetted for a legitimate user account,” the report states. “Alternatively, the enterprise can simply terminate any calls that are being forwarded to another number (as a cautionary measure), and ask the user to call the bank instead.”