Two-Factor Authentication Security Failing
According to Gartner, organizations need to adopt new approaches to combat attacks that defeat two-factor authentication, as reported by itbusinessedge.com on December 14, 2009.
Avivah Litan, vice-president and noted security analyst at Gartner, writes in a newly published study, "Where Strong Authentication Fails and What You Can Do About It", that trojan-based man-in-the-browser attacks are defeating strong authentication mechanisms. This shows, Litan contends, that any authentication technique that relies on communication through a web browser can be defeated. eWeek.com reported this on December 14, 2009.
As an example of two-factor authentication failing, the study cites malicious software that rewrites the transactions a user submits to an online-banking site. This happens silently, so that neither the user nor the bank notices the altered data.
Significantly, Litan notes, these attacks have used the Zeus trojan as well as other customized malicious code.
Moreover, these attacks repeatedly and successfully targeted several banks and their customers around the world during 2009. While bank account details are the chief target, the same methods are also used against other sectors and applications that hold sensitive, valuable data, Litan explains.
Litan further suggests that companies adopt a three-pronged approach to fraud prevention so that their customers and accounts can be safeguarded. Mybroadband.co.za reported this on December 14, 2009.
To that end, Litan recommends fraud detection that tracks users' access activity. The method works by capturing and examining a user's web traffic (assuming the user works on a web-based application), including navigation, login and transactions, and detecting anomalies in access patterns, such as the application being accessed by automated software instead of a human.
A second method is monitoring for suspicious transaction values, in which each transaction is compared with the "normal" behavior profile of the user(s) concerned. Litan also suggests out-of-band verification of user transactions.
Finally, experts said, security should be updated regularly to ward off cyber-crime.
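The following is an added example, not code from the article or from Gartner's study, illustrating the two detection methods just described: flagging a session whose access pattern looks automated rather than human, and comparing a transaction amount against the user's historical "normal" profile. The session and transaction data are constructed, and the thresholds (minimum average gap between steps, allowed timing jitter, z-score limit) are assumptions chosen for the illustration.

```python
"""Toy fraud-detection checks: access-pattern anomaly detection and
per-user transaction-profile comparison. Added example with constructed
data; thresholds are assumptions, not values from the article."""
from statistics import mean, pstdev

# Constructed session logs: list of (seconds since login, event) per user.
# A human session has irregular pauses; the automated one is fast and metronomic.
SESSIONS = {
    "alice": [(0.0, "login"), (4.2, "nav:accounts"), (11.7, "nav:transfer"), (25.1, "tx:submit")],
    "bot":   [(0.0, "login"), (0.5, "nav:accounts"), (1.0, "nav:transfer"), (1.5, "tx:submit")],
}

# Constructed transaction history per user (amounts in account currency).
HISTORY = {
    "alice": [120.0, 95.0, 130.0, 110.0, 105.0, 125.0],
}


def is_automated(events, max_mean_gap=2.0, max_jitter=0.2):
    """Flag a session whose steps are both fast and unnaturally regular.

    Humans pause for varying lengths of time between pages; a script
    tends to fire requests at a near-constant, short interval.
    """
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if not gaps:
        return False
    fast = mean(gaps) < max_mean_gap
    regular = pstdev(gaps) < max_jitter
    return fast and regular


def amount_zscore(user, amount):
    """How many standard deviations `amount` sits from the user's usual
    transaction size; None when there is too little history to profile."""
    hist = HISTORY.get(user, [])
    if len(hist) < 3:
        return None
    sd = pstdev(hist) or 1.0  # avoid division by zero for a flat history
    return (amount - mean(hist)) / sd


def score_transaction(user, events, amount, z_limit=3.0):
    """Return the list of reasons a transaction should be held for review
    (empty list means nothing anomalous was observed)."""
    reasons = []
    if is_automated(events):
        reasons.append("automated access pattern")
    z = amount_zscore(user, amount)
    if z is None:
        reasons.append("no baseline profile")
    elif abs(z) > z_limit:
        reasons.append(f"amount {amount} deviates from profile (z={z:.1f})")
    return reasons


if __name__ == "__main__":
    for user, amount in (("alice", 115.0), ("alice", 9500.0), ("bot", 50.0)):
        print(user, amount, score_transaction(user, SESSIONS[user], amount))
```

A real deployment would build the profile from many more features than amount (payee, time of day, device, geography) and would feed a flagged transaction into the out-of-band verification step the article mentions, so that the user confirms the amount and destination over a channel the browser-resident malware cannot rewrite.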
» SPAMfighter News - 23-12-2009