Defeating Online Bank Fraud Once and For All
Is it possible to really defeat online banking fraud once and for all? Roel Schouwenberg thinks so in an interesting guest editorial on Kaspersky's Threat Post. Schouwenberg says the solution is already out there, and it's pretty simple: multi-factor authentication.
In an outstanding and detailed analysis he did back in 2008 of bank attacks, he noted that what he calls Man-in-the-Endpoint Banker Trojans, or Browser Trojans, have not improved much since 2007. The reason: they haven't had to.
Basically, what many banks are using for two-factor authentication -- secret questions next to passwords -- is neither true two-factor authentication nor secure. The Trojans of the past three years are just as adept at breaking such systems yesterday as they are today.
Many banks, particularly in the US, believe asking customers to use tokens, for example, would be a nuisance that would drive away business.
While I think multi-factor authentication would go a long way in preventing attacks against banks, it's still just another technology, and the issue isn't its use, but its implementation. Even the strongest authentication system is still vulnerable to human abuse, misuse, and social engineering.
Such authentication systems should also be combined with other systems, in a multi-layered defense, like fraud monitoring programs. Such programs, like FraudAction from RSA, allow or block transactions based on patterns of usage and behavior. Multi-factor authentication might not stop a suspicious transaction, such a lone transaction in Eastern Europe against a bank account in the US owned by someone who has never left the country.
But fraud monitoring operating behind the scenes and transparent to the user would be a good tool to augment multi-factor authentication. It might not stop bank attacks once and for all, but it would definitely help.
In an outstanding and detailed analysis he did back in 2008 of bank attacks, he noted that what he calls Man-in-the-Endpoint Banker Trojans, or Browser Trojans, have not improved much since 2007. The reason: they haven't had to.
Basically, what many banks are using for two-factor authentication -- secret questions next to passwords -- is neither true two-factor authentication nor secure. The Trojans of the past three years are just as adept at breaking such systems yesterday as they are today.
Many banks, particularly in the US, believe asking customers to use tokens, for example, would be a nuisance that would drive away business.
While I think multi-factor authentication would go a long way in preventing attacks against banks, it's still just another technology, and the issue isn't its use, but its implementation. Even the strongest authentication system is still vulnerable to human abuse, misuse, and social engineering.
Such authentication systems should also be combined with other systems, in a multi-layered defense, like fraud monitoring programs. Such programs, like FraudAction from RSA, allow or block transactions based on patterns of usage and behavior. Multi-factor authentication might not stop a suspicious transaction, such a lone transaction in Eastern Europe against a bank account in the US owned by someone who has never left the country.
But fraud monitoring operating behind the scenes and transparent to the user would be a good tool to augment multi-factor authentication. It might not stop bank attacks once and for all, but it would definitely help.
posted by The IT Security Guy at 4:13 PM
0 Comments:
Post a Comment
<< Home